Monitoring SSL Certificates

Download this manual as a PDF file

This section describes how to monitor SSL certificates in SL1.

Secure Sockets Layer (SSL) is a cryptographic protocol that provide security and data integrity for communications over TCP/IP networks such as the Internet. SSL allows client/server applications to communicate across a network in a way that prevents eavesdropping, tampering, and message forgery.

SSL uses certificates to verify communication and encrypt message. The certificate issuer (also known as the certificate authority or CA) is an organization that issues digital certificates (digital IDs). These digital IDs (called keys) authenticate the identity of people and organizations over a public system such as the Internet. These keys also allow senders and receivers to encrypt messages and un-encrypt replies.

During discovery and nightly auto-discovery, SL1 can search for all SSL certificates. If you specify a discovery level and/or a rediscovery level of "2" or greater (in the Behavior Settings page), SL1 will then collect information about each discovered SSL certificate. You can specify values in the Asset & SSL Certificate Expiry fields (also in the Behavior Settings page), and SL1 will generate the following events to remind you when an SSL certificate is about to expire or has expired:

  • SSL Certificate due to expire soon. This event will be launched at the time specified in the Behavior Settings page, in the SSL Certificate Expiry Soon field.
  • SSL Certificate due to expire imminently. This event will be launched at the time specified in the Behavior Settings page, in the SSL Certificate Expiry Imminent field.
  • SSL certificate has expired.
  • SSL certificate has been renewed. This event will be launched when an SSL certificate has been renewed.

In the SSL Certificate Monitoring page (Registry > Monitors > SSL Certificates) you can view a list of all discovered SSL certificates and their expiration dates.

Use the following menu options to navigate the SL1 user interface:

  • To view a pop-out list of menu options, click the menu icon ().
  • To view a page containing all of the menu options, click the Advanced menu icon ().

System Settings that Affect SSL Certificates in SL1

In the Behavior Settings page (System > Settings > Behavior), the following settings affect how SL1 monitors SSL Certificates:

  • Initial Discovery Scan Level. Specifies the data to be gathered during the discovery session. The options are:
  • 0. Model Device Only. Discovery tool will discover if device is up and running and if so, collect the make and model of the device. SL1 will then generate a device ID for the device, so it can be managed by SL1.
  • 1. Initial Population of Apps. Discovery tool will search for Dynamic Applications to associate with the device. Discovery will also perform "0. Model Device Only" discovery.
  • 2. Discover SSL Certificates. Discovery tool will search for SSL certificates and retrieve SSL data. Discovery tool will also perform "1. Initial Population of Apps", and "0. Model Device Only".
  • 3. Discover Open Ports. Discovery tool will search for open ports. Discovery tool will also perform "2. Discover SSL Certificates", "1. Initial Population of Apps", and "0. Model Device Only".

NOTE: If your system includes a firewall and you select option 4, discovery may be blocked and/or may be taxing to your network.

  • 4. Advanced Port Discovery. Discovery tool will search for open ports, using a faster TCP/IP connection method. Discovery tool will also perform "2. Discover SSL Certificates", "1. Initial Population of Apps", and "0. Model Device Only".
  • 5. Deep discovery. Discovery tool will perform advanced OS/service fingerprinting on detected open ports.

NOTE: If your system includes a firewall and you select option 4, some auto-discovered devices may remain in a pending state (purple icon) for some time after discovery. These devices will achieve a healthy status, but this might take several hours.

  • Rediscovery Scan Level (Nightly). Specifies the data to be gathered/updated each night during the rediscovery process. The Rediscovery process will find any changes to previously discovered devices and will also find any new devices added to the network. The options are the same as those described for Initial Discovery Scan Level.
  • SSL Certificate Expiry Soon. Specifies when SL1 should notify the user that the SSL Certificate is about to expire soon. The choices range from 1 day to 9 months. When the time between the current date and the expiry date of an SSL Certificate is less than the selected value, SL1 will generate an event with a severity of Minor. The event message will say "SSL certificate due to expire soon." When you renew the certificate, SL1 will generate a healthy event which will clear the outstanding SSL expiration event(s).
  • SSL Certificate Expiry Imminent. Specifies when SL1 should send a more urgent notification to the user that the SSL Certificate is about to expire imminently. The choices range from 1 day to 9 months. When the time between the current date and the expiry date of an SSL Certificate is less than the selected value, SL1 will generate an event with a severity of Major. The event message will say "SSL certificate due to expire imminently." When you renew the certificate, SL1 will generate a healthy event which will clear the outstanding SSL expiration event(s).

Viewing the List of SSL Certificates

To view the list of discovered SSL certificates:

  1. Go to theSSL Certificate Monitoring page (Registry > Monitors > SSL Certificates).
  2. The SSL Certificate Monitoring page displays a list of all SSL Certificates discovered by SL1.
  3. For each discovered SSL certificate, the SSL Certificate Monitoring page displays the following information:

To sort the list of SSL certificates, click on a column heading. The list will be sorted by the column value, in ascending order. To sort by descending order, click the column heading again. The Expiration Date column sorts by descending order on the first click; to sort by ascending order, click the column heading again.

  • Certificate Organization. Name of the certificate issuer. If the certificate does not include this information, this field will display "Not Specified".
  • Expiration Date. Date and time at which the SSL certificate expires. To continue to use the SSL certificate, you must renew it before this date and time.
  • Cert ID. Unique, numeric ID, assigned to the monitoring policy automatically by SL1.
  • Device Name. Name of the device associated with the SSL certificate.
  • IP Address. IP address of the device associated with the SSL certificate. This is the IP address SL1 uses to communicate with the device.
  • Device Category. Device category of the device associated with the SSL certificate.
  • Organization. Organization for the device associated with the SSL certificate.

Filtering the List of SSL Certificates

You can filter the list on the SSL Certificate Monitoring page by one or more parameters. Only SSL certificates that meet all the filter criteria will be displayed in the SSL Certificate Monitoring page.

To filter by parameter, enter text into the desired filter-while-you-type field. The SSL Certificate Monitoring page searches for SSL certificates that match the text, including partial matches. By default, the cursor is placed in the left-most filter-while-you-type field. You can use the <Tab> key or your mouse to move your cursor through the fields. The list is dynamically updated as you type. Text matches are not case-sensitive.

You can also use special characters to filter each parameter.

Filter by one or more of the following parameters:

  • Certificate Organization. The organization that issued the certificate. This is sometimes called a Certificate Authority.
  • Expiration Date. Only those SSL certificates that have the specified expiration date will be displayed. The choices are:
  • All. Display all SSL certificates that match the other filters.
  • Past. Display only SSL certificates that have already expired.
  • Next Week. Display only SSL certificates that will expire within the next week.
  • Next Month. Display only SSL certificates that will expire within the next month.
  • Next Six Months. Display only SSL certificates that will expire within the next six months.
  • Next Year. Display only SSL certificates that will expire within the next year.
  • Cert ID. You can enter text to match, including special characters, and the SSL Certificate Monitoring page will display only SSL certificates that have a matching cert ID.
  • Device Name. You can enter text to match, including special characters, and the SSL Certificate Monitoring page will display only SSL certificates aligned with a device with a matching device name.
  • IP Address. You can enter text to match, including special characters, and the SSL Certificate Monitoring page will display only SSL certificates aligned with a device with a matching IP address.
  • Device Category. You can enter text to match, including special characters, and the SSL Certificate Monitoring page will display only SSL certificates aligned with a device with a matching device category.
  • Organization. You can enter text to match, including special characters, and the SSL Certificate Monitoring page will display only SSL certificates that have a matching organization.