PRTG Manual: SSL Certificate Sensor

DNS name

Enter the Domain Name System (DNS) name in the settings of the parent device exactly as it is written in your certificate. You can also use wildcards.

Revocation status

To check the revocation status of a certificate, the sensor uses WinHTTP to auto-detect the proxy server to use. You can also manually define a server. If you do not define a proxy server, PRTG uses the default WinHTTP proxy settings. For more information, see the Knowledge Base: How can I configure the WinHTTP proxy settings for the SSL Certificate sensor?

Limits

This sensor has predefined limits for several metrics.

IPv6

This sensor supports IPv6.

Performance impact

This sensor has a very low performance impact.

Lookups

This sensor uses lookups to determine the status values of one or more channels.

Port

Enter the number of the port to which this sensor connects. Enter an integer. The default port is 443.

Virtual Host (SNI Domain)

Define the host name that the sensor tries to query if your server has multiple certificates on the same IP address and port combination. Enter a string.

In the case of virtual hosting, you must identify the specific certificate for a specific domain while all domains use the same IP address, you can use SNI, which is an extension of TLS.

If you select a Certificate Name Validation option below, the sensor compares the common name and optionally alternative names with the SNI. Leave this field empty to validate the common name with the host address of the parent device.

Certificate Name Validation

Define if you want the sensor to validate the certificate name:

• Do not compare common name (CN) with device address or SNI (default): Do not check if the certificate name is valid by comparing it with the address of the parent device or the defined SNI.
• Compare and show down status if common name (CN) and address/SNI do not match: Check the common name to validate the certificate name. If you define an SNI above, the sensor compares the common name with the SNI. If you do not define an SNI, the sensor uses the host address of the parent device. If the common name and the checked address/SNI do not match, the sensor shows the Down status.
• Compare and show down status if common name (CN)/alternative names (SAN) and address/SNI do not match: Check the common name and the Subject Alternative Names (SAN) to validate the certificate. If you define an SNI domain above, the sensor compares the common name and alternative names with the SNI. If you do not define an SNI, the sensor uses the host address of the parent device. If the common name or alternative names and the checked address/SNI do not match, the sensor shows the Down status.

Use SOCKS Proxy (v5 only)

Define if the sensor uses a SOCKS proxy server for the sensor connection:

• Do not use SOCKS proxy(default): Directly connect to the target host without using a SOCKS proxy.
• Use SOCKS proxy: Connect using SOCKS5. Provide data for the SOCKS connection below.
  Other SOCKS versions are not supported.

This sensor only supports SOCKS5 proxies. It does not support HTTP proxies.

Server

This setting is only visible if you select Use SOCKS proxy above.

Enter the IP address or host name of the proxy server that the sensor uses for connection.

Port

This setting is only visible if you select Use SOCKS proxy above.

Enter the port number of the proxy server that the sensor uses for connection.

User Name

This setting is only visible if you select Use SOCKS proxy above.

If the proxy server requires authentication, enter a user name.

Password

This setting is only visible if you select Use SOCKS proxy above.

If the proxy server requires authentication, enter the password for the user you specified above.

Result Handling

Define what PRTG does with the sensor result:

• Discard result (default): Do not store the sensor result.
• Store result: Store the last sensor result to the \Logs\sensors subfolder of the PRTG data directory on the probe system. The file names are Result of Sensor [ID].Data.txt, Result of Sensor [ID] (Certificate 0 in Certificate Chain).cer, Result of Sensor [ID] (Certificate 1 in Certificate Chain).cer, Result of Sensor [ID] (Certificate 2 in Certificate Chain).cer, Result of Sensor [ID] (Certificate Chain).txt, and Result of Sensor [ID] (Certificate).cer. This setting is for debugging purposes. PRTG overwrites these files with each scanning interval.

This option is not available when the sensor runs on the hosted probe of a PRTG Hosted Monitor instance.

In a cluster, PRTG stores the result in the PRTG data directory of the master node.

Primary Channel

Select a channel from the list to define it as the primary channel. In the device tree, PRTG displays the last value of the primary channel below the sensor's name. The available options depend on what channels are available for this sensor.

You can set a different primary channel later by clicking below a channel gauge on the sensor's Overview tab.

Graph Type

Define how this sensor shows different channels:

• Show channels independently (default): Show a graph for each channel.
• Stack channels on top of each other: Stack channels on top of each other to create a multi-channel graph. This generates a graph that visualizes the different components of your total traffic.
  You cannot use this option in combination with manual Vertical Axis Scaling (available in the channel settings).

Stack Unit

This setting is only visible if you select Stack channels on top of each other above.

Select a unit from the list. PRTG stacks all channels with this unit on top of each other. By default, you cannot exclude single channels from stacking if they use the selected unit. However, there is an advanced procedure to do so.

*.wildcard.com for www.wildcard.com

Works

api.wildcard.com for api.wildcard.com

Works

contoso.com for contoso.com

Works

*.subapi.subapi2.wildcard.com for de.subapi.subapi2.wildcard.com

Works

*. *.wildcard.com for www.de.wildcard.com

Not supported

*.wildcard.com for de.subapi.wildcard.com

Doesn't work

www.contoso.com for contoso.com

Doesn't work

subapi.*.wildcard.com for subapi.dns.wildcard.com

Doesn't work

Common Name Check

If the common name or subject-alternative names match the host address or SNI (if you select a Certificate Name Validation option)

• Up status: CN/SAN Match, Disabled, Matches Device Address, Matches SNI
• Down status: CN/SAN Do Not Match SNI, Does Not Match Device Address, Does Not Match SNI

Days to Expiration

The days to expiration with a predefined lower warning limit (28 days) and lower error limit (7 days)

This channel is the primary channel by default.

This channel has default limits:

• Lower error limit: 7
• Lower warning limit: 28

Downtime

In the channel table on the Overview tab, this channel never shows any values. PRTG uses this channel in graphs and reports to show the amount of time in which the sensor was in the Down status

Public Key Length

The public key length

• Up status:
  • RSA keys: For 2048-bit keys (good security) and longer (perfect security)
  • ECC keys: For 128-bit and 192-bit keys (good security) and longer (perfect security)
• Warning status: For weak security
• Down status: For shorter keys (unsecure)
• Unknown status: Unknown

Revoked

If the certificate has been revoked

• Up status: No
• Warning status: Unable To Check Revocation Status
• Down status: Yes

Root Authority Trusted

If the certificate is trusted as root authority

• Up status: Yes
• Warning status: No

Self-Signed

If a self-signed certificate is used

• Up status: No, Yes