Catchpoint’s SSL monitor periodically checks the validity of the SSL/TLS certificate presented by your server so you can be alerted before it expires. It also detects certificate revocation, hostname mismatch, and whether any certificate in the chain is signed with a weak algorithm.
Why monitor SSL certificates?
There are many reasons why you should monitor SSL certificates. A few key reasons are listed below:
- Expired certificates can negatively impact your organization’s websites, applications, and security.
- An expired certificate breaks the trust the browser places in the site; users who are trained to click through certificate warnings become easier to phish or to intercept.
- When a certificate expires, browsers and clients that enforce certificate validation refuse the connection, rendering the site unavailable.
- According to Symantec, 90% of consumers end a transaction on seeing an SSL warning, and 72% abandon the transaction or go to a competitor’s site.
Using the SSL Monitor
Below is the screen showing the properties of Catchpoint’s SSL monitor. The layout is similar to the other Catchpoint monitors.

Note that the URL starts with ‘SSL://’ rather than ‘HTTPS://’. The SSL monitor opens a TCP connection to the host and port and performs the TLS handshake itself, without speaking the application protocol on top, so it harvests the certificate from any service that offers TLS on the port (HTTPS, SMTPS, POPS, IMAPS, FTPS, WSS, MQTTS, and so on). Because no application-protocol exchange takes place first, the service should present TLS as soon as the connection opens, as the implicit-TLS protocols listed here do.
Certificate pinning
The SSL monitor can also verify certificate pinning. Use the checkboxes below to choose which form of pinning to enforce.

After enabling either pinning option, you need to upload the certificate together with its passphrase (certificate password). Only the .pfx format (PKCS#12) is accepted, because a single PKCS#12 file can carry the whole chain together with the corresponding private key, protected by the passphrase. Treat the uploaded file as sensitive: it contains the private key.
Enforce Certificate Pinning
Select this flag to pin the full certificate. The monitor compares the entire chain presented by the server (root CA, intermediate CAs, and end-entity certificate) against the certificates uploaded with the test. Because every reissued certificate has a new serial number and therefore a new thumbprint, a full-certificate pin fails on each renewal even when the key pair is unchanged, so plan to update the pin whenever the certificate is replaced.
After the test runs, the waterfall page shows the pinned certificate thumbprint alongside the thumbprint of the certificate the host actually presented.
Enforce Public Key Pinning
Select this flag to pin the certificate’s public key. The monitor compares the public key of the server certificate (or of any certificate in the chain) against the stored public key. Since the comparison is on the key rather than the whole certificate, this pin survives a renewal that reuses the key pair and fails only when the key is rotated.
After the test runs, the waterfall page shows the pinned public key thumbprint alongside the public key thumbprint of the certificate the host presented.
Certificate Revocation Disabled

Under Advanced Settings, you can select Certificate Revocation Disabled. This stops the test from checking certificate revocation, which is useful when the site uses a self-signed certificate or a custom certificate that carries no ‘CRL Distribution Points’ extension. Use it only in those cases: with revocation checking off, a revoked certificate is reported as valid, and the RevocationStatusUnknown and OfflineRevocation errors listed below can no longer be raised.
Certificate details captured by the monitor
The table below lists the certificate details captured by the SSL monitor.
| Sl No | Field name | Description |
|---|---|---|
| 1 | Version number | The X.509 format version of the certificate (v3 for any certificate that carries extensions). |
| 2 | Serial number | Uniquely identifies the certificate within the issuing CA; CRLs and OCSP responses refer to a certificate by its serial number. |
| 3 | Signature algorithm | The algorithm the issuer used to sign the certificate, as stated inside the signed body (TBSCertificate). |
| 4 | Issuer | The entity that verified the information and signed the certificate. |
| 5 | Not Before | Issue date: the earliest time and date on which the certificate is valid. |
| 6 | Not After | Expiry date: the time and date past which the certificate is no longer valid. |
| 7 | Subject | The entity the certificate belongs to: a machine, an individual, or an organization. |
| 8 | Public Key Parameters | The parameters of the public key algorithm. For an EC key this is the named curve OID (RFC 5480 section 2.1.1); for an RSA key the field is the DER NULL value “05 00”. |
| 9 | Public Key | The public key belonging to the certificate subject. |
| 10 | Key Usage | The valid cryptographic uses of the certificate's public key. Common values include digital signature validation, key encipherment, and certificate signing. |
| 11 | Extended Key Usage | The applications in which the certificate may be used. Common values include TLS server authentication, email protection, and code signing. |
| 12 | Certificate Signature Algorithm | The signature algorithm identifier in the outer certificate structure. RFC 5280 requires it to be identical to field 3; a mismatch is a malformed certificate. |
| 13 | Certificate Signature / Thumbprint | The issuer's signature over the certificate body, made with the issuer's private key. The thumbprint is a hash of the whole encoded certificate and is the value that certificate pinning compares. |
| 14 | Key Usage | The Key Usage extension defines the purpose of the key contained in the certificate. The Key Usage, Extended Key Usage, and Basic Constraints extensions act together to specify the purposes for which a certificate can be used. OID is 2.5.29.15. |
| 15 | Authority Information Access | The Authority Information Access extension indicates how and where to access information about the issuer of the certificate, including the OCSP responder URL. OID is 1.3.6.1.5.5.7.1.1. |
| 16 | Certificate Policies | The Certificate Policies extension defines one or more policies, each of which consists of an OID and optional qualifiers. The extension can include a URI to the issuer's Certificate Practice Statement or can embed issuer information, such as a user notice in text form. OID is 2.5.29.32. |
| 17 | Basic Constraints | This extension is used during chain verification to identify CA certificates and to apply certificate chain path length constraints. OID is 2.5.29.19. |
| 18 | CRL Distribution Points | This extension defines how CRL (Certificate Revocation List) information is obtained. It should be present when the system is configured to use CRL issuing points. OID is 2.5.29.31. |
| 19 | Subject Alternative Name | The Subject Alternative Name extension includes one or more alternative (non-X.500) names for the identity bound by the CA to the certified public key; browsers match the hostname against these names. OID is 2.5.29.17. |
| 20 | Enhanced Key Usage | Microsoft's name for the Extended Key Usage extension, which indicates the purposes for which the certified public key may be used. These purposes may be in addition to or in place of the basic purposes indicated in the Key Usage extension. OID is 2.5.29.37. |
| 21 | Subject Key Identifier | The Subject Key Identifier extension identifies the public key certified by this certificate. This extension provides a way of distinguishing public keys if more than one is available for a given subject name. OID is 2.5.29.14. |
| 22 | Authority Key Identifier | The Authority Key Identifier extension identifies the public key corresponding to the private key used to sign a certificate. This extension is useful when an issuer has multiple signing keys, such as when a CA certificate is renewed. OID is 2.5.29.35. |
| 23 | Certification Path | The chain of trust built using the certification path validation algorithm. |
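The following is an added, self-contained illustration and not Catchpoint's code. Using only the Python standard library, it parses a DER-encoded certificate into the fields listed in the table above (serial, both signature algorithm identifiers, validity, public key algorithm and parameters, extension OIDs) and derives the two values the pinning options compare: a certificate thumbprint and a public key pin. It then shows why a full-certificate pin fails on a routine renewal while a public-key pin survives it, mapping the outcomes to error codes 89, 90 and 91 from the table at the end of the page. The sample certificates are constructed inline with placeholder key bits and an unsigned placeholder signature (nothing here verifies signatures); the thumbprint is computed as SHA-1 over the whole DER certificate, the Windows/.NET convention, which is an assumption because the page does not state which hash Catchpoint uses; the key pin is base64(SHA-256(SubjectPublicKeyInfo)) in the RFC 7469 form. The `has_revocation_pointer` flag is the check to run before enabling Certificate Revocation Disabled.

```python
import base64
import hashlib
from datetime import datetime, timezone

# --- minimal DER encoder, used only to construct the sample certificates at the bottom ---
def der(tag, body):
    n, k = len(body), (len(body).bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + length + body

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for v in arcs[2:]:  # base-128 groups, high bit set on every byte but the last
        groups = [(v >> (7 * i)) & 0x7F for i in range((v.bit_length() + 6) // 7 or 1)][::-1]
        out += bytes([g | 0x80 for g in groups[:-1]] + [groups[-1]])
    return der(0x06, out)

def alg_id(alg, params=b"\x05\x00"):  # AlgorithmIdentifier; parameters default to DER NULL (05 00)
    return der(0x30, oid(alg) + params)

def name(cn):  # X.501 Name with a single commonName
    return der(0x30, der(0x31, der(0x30, oid("2.5.4.3") + der(0x0C, cn.encode()))))

# --- minimal DER decoder ---
def read_tlv(buf, pos):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: the low bits give the byte count of the real length
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def children(body):
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        items.append((tag, val))
    return items

def oid_str(body):
    arcs, v = [], 0
    for b in body:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, v = arcs + [v], 0
    return ".".join(map(str, [arcs[0] // 40, arcs[0] % 40] + arcs[1:]))

def parse_time(tag, val):  # UTCTime (0x17) or GeneralizedTime (0x18), RFC 5280 4.1.2.5
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc)

def parse_cert(cert_der):
    """Extract the fields from the table above plus the two values the pinning options compare."""
    (_, tbs), (_, outer_alg), _ = children(read_tlv(cert_der, 0)[1])
    fields = children(tbs)
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version (always present on v3 certificates)
        fields = fields[1:]
    (_, serial), (_, tbs_alg), _, (_, validity), _, (_, spki) = fields[:6]
    (nb_tag, nb), (na_tag, na) = children(validity)
    alg_items = children(children(spki)[0][1])
    params = alg_items[1] if len(alg_items) > 1 else (None, b"")
    kind = {None: "absent", 0x05: "NULL", 0x06: "curve"}.get(params[0], "other")
    exts = [oid_str(children(e)[0][1]) for t, v in fields[6:] if t == 0xA3
            for _, e in children(children(v)[0][1])]
    return {
        "serial": int.from_bytes(serial, "big"),
        "signature_algorithm": oid_str(children(tbs_alg)[0][1]),
        "signature_algorithms_match": tbs_alg == outer_alg,  # RFC 5280 4.1.1.2 requires the two to be equal
        "not_before": parse_time(nb_tag, nb),
        "not_after": parse_time(na_tag, na),
        "key_algorithm": oid_str(alg_items[0][1]),
        "key_params": "curve " + oid_str(params[1]) if kind == "curve" else kind,  # NULL for RSA, curve OID for EC
        "extensions": exts,
        "has_revocation_pointer": bool({"2.5.29.31", "1.3.6.1.5.5.7.1.1"} & set(exts)),  # CDP or AIA present
        "thumbprint_sha1": hashlib.sha1(cert_der).hexdigest().upper(),  # SHA-1 over the whole DER (assumed)
        "spki_sha256": base64.b64encode(hashlib.sha256(der(0x30, spki)).digest()).decode(),  # RFC 7469 pin
    }

def check_pins(cert_der, pinned_thumbprint=None, pinned_spki=None):
    """Return the monitor's error code (89, 90 or 91), or None when every configured pin matches."""
    info = parse_cert(cert_der)
    cert_bad = pinned_thumbprint is not None and info["thumbprint_sha1"] != pinned_thumbprint
    key_bad = pinned_spki is not None and info["spki_sha256"] != pinned_spki
    return {(True, True): 91, (True, False): 89, (False, True): 90}.get((cert_bad, key_bad))

# --- constructed sample certificates: placeholder key bits and an unsigned placeholder signature ---
def sample_cert(serial, not_after, spki, sig_alg="1.2.840.113549.1.1.11"):  # sha256WithRSAEncryption
    san = der(0x30, oid("2.5.29.17") + der(0x04, der(0x30, der(0x82, b"www.example.test"))))
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, serial.to_bytes(2, "big")) + alg_id(sig_alg)
           + name("Example Test CA") + der(0x30, der(0x17, b"240101000000Z") + der(0x17, not_after.encode()))
           + name("www.example.test") + spki + der(0xA3, der(0x30, san)))
    return der(0x30, der(0x30, tbs) + alg_id(sig_alg) + der(0x03, bytes(33)))

RSA_SPKI = der(0x30, alg_id("1.2.840.113549.1.1.1") + der(0x03, b"\x00" + b"\x01" * 64))
EC_SPKI = der(0x30, alg_id("1.2.840.10045.2.1", oid("1.2.840.10045.3.1.7")) + der(0x03, b"\x00\x04" + b"\x02" * 64))
CERT_A = sample_cert(4097, "250630235959Z", RSA_SPKI)  # the certificate that was pinned
CERT_B = sample_cert(4098, "260630235959Z", RSA_SPKI)  # routine renewal: new serial and expiry, same key pair
CERT_C = sample_cert(4099, "260630235959Z", EC_SPKI)   # renewal with a rotated key

def demo(now=datetime(2025, 6, 1, tzinfo=timezone.utc)):
    pinned = parse_cert(CERT_A)
    return {
        "renewal_same_key": check_pins(CERT_B, pinned["thumbprint_sha1"], pinned["spki_sha256"]),  # 89
        "renewal_same_key_keypin_only": check_pins(CERT_B, pinned_spki=pinned["spki_sha256"]),  # None
        "key_rotation": check_pins(CERT_C, pinned["thumbprint_sha1"], pinned["spki_sha256"]),  # 91
        "days_to_expiry": (pinned["not_after"] - now).days,  # 29 on 2025-06-01
    }

if __name__ == "__main__":
    print(demo())
```

Running the script prints the four outcomes: renewing with the same key pair trips only the certificate pin (89), a key-pin-only configuration accepts that renewal, a key rotation trips both pins (91), and the expiry countdown is the value an expiration alert threshold would be compared against. To apply the parser to a real certificate, pass it the DER bytes (for example the result of `ssl.DER_cert_to_PEM_cert` in reverse, or a file written with `openssl x509 -outform DER`); the placeholder signature in the samples only means the example does not attempt signature verification.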
Other metrics captured by the monitor
The below table lists the metrics captured by the SSL monitor other than the basic certificate details.
| Sl No | Metric name | Description |
|---|---|---|
| 1 | DNS time | DNS resolution time in milliseconds. |
| 2 | Host details | Details like the Name, IP address, and port of the host. |
| 3 | Connect time | The time it took to connect to the host in milliseconds. |
| 4 | SSL time | The total SSL handshake time in milliseconds. |
Complete list of SSL monitor errors:
| Error Code | Error Name | Description |
|---|---|---|
| 60 | NotTimeValid | Specifies that the X509 chain is not valid due to an invalid time value, such as a value that indicates an expired certificate. |
| 61 | NotTimeNested | Deprecated. Specifies that the CA (certificate authority) certificate and the issued certificate have validity periods that are not nested. For example, the CA cert can be valid from January 1 to December 1, and the issued certificate from January 2 to December 2, which would mean the validity periods are not nested. |
| 62 | Revoked | Specifies that the X509 chain is invalid due to a revoked certificate. |
| 63 | NotSignatureValid | Specifies that the X509 chain is invalid due to an invalid certificate signature. |
| 64 | NotValidForUsage | Specifies that the key usage is not valid. |
| 65 | UntrustedRoot | Specifies that the X509 chain is invalid due to an untrusted root certificate. |
| 66 | RevocationStatusUnknown | Specifies that it is not possible to determine whether the certificate has been revoked. This can be due to the certificate revocation list (CRL) being offline or unavailable. |
| 67 | Cyclic | Specifies that the X509 chain could not be built. |
| 68 | InvalidExtension | Specifies that the X509 chain is invalid due to an invalid extension. |
| 69 | InvalidPolicyConstraints | Specifies that the X509 chain is invalid due to invalid policy constraints. |
| 70 | InvalidBasicConstraints | Specifies that the X509 chain is invalid due to invalid basic constraints. |
| 71 | InvalidNameConstraints | Specifies that the X509 chain is invalid due to invalid name constraints. |
| 72 | HasNotSupportedNameConstraint | Specifies that the certificate does not have a supported name constraint or has a name constraint that is unsupported. |
| 73 | HasNotDefinedNameConstraint | Specifies that the certificate has an undefined name constraint. |
| 74 | HasNotPermittedNameConstraint | Specifies that the certificate has an impermissible name constraint. |
| 75 | HasExcludedNameConstraint | Specifies that the X509 chain is invalid because a certificate has excluded a name constraint. |
| 76 | PartialChain | Specifies that the X509 chain could not be built up to the root certificate. |
| 77 | CtlNotTimeValid | Specifies that the certificate trust list (CTL) is not valid because of an invalid time value, such as one that indicates that the CTL has expired. |
| 78 | CtlNotSignatureValid | Specifies that the certificate trust list (CTL) contains an invalid signature. |
| 79 | CtlNotValidForUsage | Specifies that the certificate trust list (CTL) is not valid for this use. |
| 80 | OfflineRevocation | Specifies that the online certificate revocation list (CRL) the X509 chain relies on is currently offline. |
| 81 | NoIssuanceChainPolicy | Specifies that there is no certificate policy extension in the certificate. This error would occur if a group policy has specified that all certificates must have a certificate policy. |
| 82 | NoCertificateFound | Specifies that the server returned no certificate (for example, when a plain HTTP URL is supplied). |
| 83 | WeakAlgorithm | Specifies that the certificate was not signed with a strong algorithm. Typically, this indicates that MD2 or MD5 was used to hash the certificate. |
| 84 | InvalidCommonName | Specifies that the name in the certificate does not match the hostname being tested. |
| 85 | NoCommonAlgorithm | Specifies that the client and server could not agree on a protocol version or cipher (for example, the server has disabled TLS 1.0 for security reasons and the client does not speak TLS 1.1 or TLS 1.2). |
| 86 | HandshakeFailure | Specifies that the SSL handshake between client and server failed (for example, because of an unsupported cipher suite). |
| 87 | MissingSan | Specifies that the Subject Alternative Name extension is missing from the certificate. |
| 89 | PinnedCertificateMismatch | Specifies that the pinned certificate thumbprint did not match the host certificate thumbprint. |
| 90 | PinnedPublicKeyMismatch | Specifies that the pinned public key did not match the host certificate's public key. |
| 91 | PinnedCertificateAndPublicKeyMismatch | Specifies that both the pinned certificate thumbprint and the pinned public key did not match the host certificate. |