PRTG Manual: SSL Certificate Sensor

The SSL Certificate sensor monitors the certificate of a Secure Sockets Layer (SSL)/Transport Layer Security (TLS) secured connection.

i_round_blueThe sensor also shows the certificate common name and the certificate thumbprint in the sensor message.

SSL Certificate Sensor

SSL Certificate Sensor

i_square_cyanFor a detailed list and descriptions of the channels that this sensor can show, see section Channel List.

Sensor in Other Languages

  • Dutch: SSL Certificaat
  • French: SSL certificat
  • German: SSL-Zertifikat
  • Japanese: SSL 証明書
  • Portuguese: Certificado SSL
  • Russian: Сертификат SSL
  • Simplified Chinese: SSL 证书
  • Spanish: Certificado SSL

Remarks

Consider the following remarks and requirements for this sensor:

Remark

Description

DNS name

Enter the Domain Name System (DNS) name in the settings of the parent device exactly as it is written in your certificate. You can also use wildcards.

Revocation status

To check the revocation status of a certificate, the sensor uses WinHTTP to auto-detect the proxy server to use. You can also manually define a server. If you do not define a proxy server, PRTG uses the default WinHTTP proxy settings. For more information, see the Knowledge Base: How can I configure the WinHTTP proxy settings for the SSL Certificate sensor?

Limits

This sensor has predefined limits for several metrics.

IPv6

This sensor supports IPv6.

Performance impact

This sensor has a very low performance impact.

Lookups

This sensor uses lookups to determine the status values of one or more channels.

Basic Sensor Settings

Basic Sensor Settings

Basic Sensor Settings

The sensor has the following default tags that are automatically predefined in the sensor's settings when you add the sensor:

  • certificate
  • ssl
  • sslcertificate

i_square_cyanFor more information about basic sensor settings, see section Sensor Settings.

SSL Certificate Specific

SSL Certificate Specific

SSL Certificate Specific

Setting

Description

Port

Enter the number of the port to which this sensor connects. Enter an integer. The default port is 443.

Virtual Host (SNI Domain)

Define the host name that the sensor tries to query if your server has multiple certificates on the same IP address and port combination. Enter a string.

i_round_blueIn the case of virtual hosting, you must identify the specific certificate for a specific domain while all domains use the same IP address, you can use SNI, which is an extension of TLS.

i_round_blueIf you select a Certificate Name Validation option below, the sensor compares the common name and optionally alternative names with the SNI. Leave this field empty to validate the common name with the host address of the parent device.

Certificate Name Validation

Define if you want the sensor to validate the certificate name:

  • Do not compare common name (CN) with device address or SNI (default): Do not check if the certificate name is valid by comparing it with the address of the parent device or the defined SNI.
  • Compare and show down status if common name (CN) and address/SNI do not match: Check the common name to validate the certificate name. If you define an SNI above, the sensor compares the common name with the SNI. If you do not define an SNI, the sensor uses the host address of the parent device. If the common name and the checked address/SNI do not match, the sensor shows the Down status.
  • Compare and show down status if common name (CN)/alternative names (SAN) and address/SNI do not match: Check the common name and the Subject Alternative Names (SAN) to validate the certificate. If you define an SNI domain above, the sensor compares the common name and alternative names with the SNI. If you do not define an SNI, the sensor uses the host address of the parent device. If the common name or alternative names and the checked address/SNI do not match, the sensor shows the Down status.

Connection Specific

Connection Specific

Connection Specific

Setting

Description

Use SOCKS Proxy (v5 only)

Define if the sensor uses a SOCKS proxy server for the sensor connection:

  • Do not use SOCKS proxy(default): Directly connect to the target host without using a SOCKS proxy.
  • Use SOCKS proxy: Connect using SOCKS5. Provide data for the SOCKS connection below.
    i_round_blueOther SOCKS versions are not supported.

i_round_blueThis sensor only supports SOCKS5 proxies. It does not support HTTP proxies.

Server

This setting is only visible if you select Use SOCKS proxy above.

Enter the IP address or host name of the proxy server that the sensor uses for connection.

Port

This setting is only visible if you select Use SOCKS proxy above.

Enter the port number of the proxy server that the sensor uses for connection.

User Name

This setting is only visible if you select Use SOCKS proxy above.

If the proxy server requires authentication, enter a user name.

Password

This setting is only visible if you select Use SOCKS proxy above.

If the proxy server requires authentication, enter the password for the user you specified above.

Debug Options

Debug Options

Debug Options

Setting

Description

Result Handling

Define what PRTG does with the sensor result:

  • Discard result (default): Do not store the sensor result.
  • Store result: Store the sensor result and the last response to the \Logs\sensors subfolder of the PRTG data directory on the probe system. The file names are Result of Sensor [ID].Data.txt, Result of Sensor [ID] (Certificate 0 in Certificate Chain).cer, Result of Sensor [ID] (Certificate 1 in Certificate Chain).cer, Result of Sensor [ID] (Certificate 2 in Certificate Chain).cer, Result of Sensor [ID] (Certificate Chain).txt, and Result of Sensor [ID] (Certificate).cer. This setting is for debugging purposes. PRTG overwrites these files with each scanning interval.

i_podThis option is not available when the sensor runs on the hosted probe of a PRTG Hosted Monitor instance.

i_round_blueIn a cluster, PRTG stores the result in the PRTG data directory of the master node.

i_round_blueYou can use the debug option to get a log file with information about the certificate chain. Additionally, certificates in the certificate chain are stored in the log folder (.cer files). This can help you, for example, if you have issues with the Root Authority Trusted channel of this sensor.

Sensor Display

Sensor Display

Sensor Display

Setting

Description

Primary Channel

Select a channel from the list to define it as the primary channel. In the device tree, PRTG displays the last value of the primary channel below the sensor's name. The available options depend on what channels are available for this sensor.

i_round_blueYou can set a different primary channel later by clicking b_channel_primary below a channel gauge on the sensor's Overview tab.

Graph Type

Define how this sensor shows different channels:

  • Show channels independently (default): Show a graph for each channel.
  • Stack channels on top of each other: Stack channels on top of each other to create a multi-channel graph. This generates a graph that visualizes the different components of your total traffic.
    i_round_redYou cannot use this option in combination with manual Vertical Axis Scaling (available in the channel settings).

Stack Unit

This setting is only visible if you select Stack channels on top of each other above.

Select a unit from the list. PRTG stacks all channels with this unit on top of each other. By default, you cannot exclude single channels from stacking if they use the selected unit. However, there is an advanced procedure to do so.

Inherited Settings

By default, all of these settings are inherited from objects that are higher in the hierarchy. We recommend that you change them centrally in the root group settings if necessary. To change a setting for this object only, click b_inherited_enabled under the corresponding setting name to disable the inheritance and to display its options.

i_square_cyanFor more information, see section Inheritance of Settings.

Using Wildcards

You can use wildcards in the IP Address/DNS Name in the device settings. Wildcards that apply to only one level of the domain name are supported.

Example

Result

*.wildcard.com for www.wildcard.com

Works

api.wildcard.com for api.wildcard.com

Works

contoso.com for contoso.com

Works

*.subapi.subapi2.wildcard.com for de.subapi.subapi2.wildcard.com

Works

*. *.wildcard.com for www.de.wildcard.com

Not supported

*.wildcard.com for de.subapi.wildcard.com

Doesn't work

www.contoso.com for contoso.com

Doesn't work

subapi.*.wildcard.com for subapi.dns.wildcard.com

Doesn't work

Channel List

i_round_blueWhich channels the sensor actually shows might depend on the target device, the available components, and the sensor setup.

Channel

Description

Common Name Check

If the common name or subject-alternative names match the host address or SNI (if you select a Certificate Name Validation option)

  • Up status: CN/SAN Match, Disabled, Matches Device Address, Matches SNI
  • Down status: CN/SAN Do Not Match SNI, Does Not Match Device Address, Does Not Match SNI

Days to Expiration

The days to expiration with a predefined lower warning limit (28 days) and lower error limit (7 days)

i_round_blueThis channel is the primary channel by default.

i_round_blueThis channel has default limits:

  • Lower error limit: 7
  • Lower warning limit: 28

Downtime

In the channel table on the Overview tab, this channel never shows any values. PRTG uses this channel in graphs and reports to show the amount of time in which the sensor was in the Down status.

Public Key Length

The public key length

  • Up status:
    • RSA keys: For 2048-bit keys (good security) and longer (perfect security)
    • ECC keys: For 128-bit and 192-bit keys (good security) and longer (perfect security)
  • Warning status: For weak security
  • Down status: For shorter keys (unsecure)
  • Unknown status: Unknown

Revoked

If the certificate has been revoked

  • Up status: No
  • Warning status: Unable To Check Revocation Status
  • Down status: Yes

Root Authority Trusted

If the certificate is trusted as root authority

  • Up status: Yes
  • Warning status: No

Self-Signed

If a self-signed certificate is used

  • Up status: No, Yes

More

i_square_blueKNOWLEDGE BASE

How can I configure the WinHTTP proxy settings for the SSL Certificate sensor?

What security features does PRTG include?