SSL/TLS certificate monitoring

SSL/TLS certificates enable encryption of the data transferred to and from the website of the certificate holder. Site24x7's SSL/TLS Certificate monitor performs multiple checks: certificate validity (to notify you about the expiry of your domain's SSL/TLS certificate in advance), OCSP checks (to inform you about any revoked certificate), and blacklisted checks (to notify you about any potential blacklisted certifying authority). Additionally, you can set up a SHA-1 Fingerprint threshold to detect any potential certificate tampering. This way, you can be sure of providing a safe environment for your website visitors and also enhance the credibility of your website.

Add an SSL/TLS Certificate monitor

  1. Log in to Site24x7.
  2. Click Admin > Inventory > Monitor > Add Monitors.
  3. Select SSL/TLS Certificate from the Add Monitors page.
  4. Specify the following details to add this monitor:
      • Display Name: Provide a name to identify this monitor in the dashboard.
      • Host and Port: Specify the IP address or domain name of the host, and the port number. You can configure protocols such as HTTPS, POPS, SMTPS, IMAPS, FTPS. The host must accept an SSL/TLS handshake on the port.

        Note

        Default port for HTTPS is 443.

      • Add Bulk Hosts/IPs:
        To add more hosts or IPs in bulk for monitoring, click the Add Bulk Hosts/IPs link next to the Host and Port field.
        • Continuous Check
          • Sitemap
            If you have a sitemap that lists many URLs, you can submit the sitemap URL along with a Rediscovery Interval, the frequency at which the sitemap is checked. This helps in automatically adding or removing the URLs that were added to or removed from the sitemap. The monitors added for the URLs will be suspended when the URL is removed from the sitemap. Monitors will be added in bulk based on your license limit. When URLs are added, the URLs will be crawled for monitoring.
          • Google Sheets
            You can also add sheets containing a list of URLs for monitoring. To add your Google Sheets for monitoring, use the following format. Example: https://sheet.zoho.com/api/v2/download/?method=workbook.download&format=csv
            * sheetName-Sheet1
            * sheetId-Unique Id
            * apiKey-Created API key

            Read the document to learn how to create API keys.
          • CSV
            You can also submit your URLs in CSV format. Read this to know more about submitting in CSV format. To view the imported monitors, navigate to Admin > Import Monitors. On the Import Monitors page, you can disable or enable the import process. Monitors added using Continuous Check will be listed with the System tag. You can also add your URLs.
          • URL
            Through crawling, all the URLs within the submitted URL will be selected for monitoring.
            • Upload File: You can opt to submit your URLs together as a file using this option. 
            • Manual: You can opt to upload your URLs directly using this option. Check the expiration dates of your domains by adding a Domain Expiry monitor.
      • STARTTLS: Enabling this option will establish a secured connection after an initial unencrypted connection using a single port.
      • Certificate expiry threshold: A notification is raised this many days before the certificate expires. Your monitor's status changes to Trouble when this threshold is breached.
      • Skip hostname verification: Do not verify that the hostname on the certificate matches the host specified above. Enable this if you've specified an IP address or a different hostname than on the certificate.
      • Ignore trust certification path: Use this option to validate the SSL/TLS certificate chain. Enable this if you don't wish to identify any potential revocation information about your host's certificate. By default, this will be disabled to allow detection of any potential revocation of your host's certificate.
        Note

        When an SSL/TLS Certificate trust check fails, it may be due to conditions such as a self-signed certificate, missing intermediate certificates, or an incorrect intermediate certificate chain. Site24x7 will identify and highlight this issue in the Monitor Details Summary tab. For any other condition, the default message will be shown.

      • Force IP Address: You can enter the IP address of the domain name given in the host field above. This IP will be used directly instead of first resolving the domain name to an IP.
      • Monitoring locations: Choose an existing Location Profile or create a new one. SSL/TLS certificate checks will be performed from the primary location alone.
        Note

        To know more, refer to Location Profile.

      • Monitor Groups: Choose an existing Monitor Group or create a new one. Monitors can be organized into Monitor Groups to ease administration. 
        To learn how to create a monitor group for your monitors, refer to Monitor Groups.
      • Dependent on monitor: Pick a monitor from the drop-down list to specify it as your dependent resource. You can add up to 5 monitors as dependent resources. Alerts to your monitor will be suppressed based on the Down status of your dependent resource.
        Note

        Configuring a dependent resource and suppressing alerts based on the dependent resource's status is part of providing you with better protection against false alerts. Learn more about alert suppression at monitor level.


        Note

        If you select None in the dependent resource field, alerting will progress as per your normal configuration settings. No alerts will be suppressed in this case as the monitor doesn't have any dependent resource.


        Note

        Multiple monitor group support for monitors allows a monitor to be associated with multiple dependent resources in different monitor groups. If, during a normal monitor status check, the status of any one of these dependent resources is identified as Down, the alert for the monitor will be automatically suppressed. However, the dependency configuration at monitor level is always given higher priority over any monitor group level dependency configuration for suppressing alerts.

  5. Specify the following details for Configuration Profiles:
    • Threshold and Availability: Pick a preset threshold profile from the drop-down list or create a threshold to get notified when the SHA-1 Fingerprint check fails or before your certificate expires.
      Note

      Tell me more about setting up a threshold profile for an SSL/TLS Certificate.

    • Tags: Associate your monitor with predefined Tag(s) to help organize and manage your monitors creatively. Learn how to add Tags.
    • IT Automation: Select an automation to be executed when the website is down/trouble/up/any status change/any attribute change. The defined action gets executed when there is a state change and selected user groups are alerted.
      To automate corrective actions on failure, refer to IT Automation.
    • Exclude IT Automation during Scheduled Maintenance: Use the check box to enable this option and to exclude automation during maintenance.
  6. Alert Settings: 
    • User Alert Group: Select the user alert group that needs to be alerted during an outage. To add multiple users in a group, see User Groups.
    • Checks Performed: Site24x7 performs the following checks to detect and validate whether the certificate issued by the CA is valid, cancelled, or blacklisted:
      • Certificate Validity: Check the trustworthiness and validity of the SSL/TLS Certificate. To verify whether the certificate of the issuing certifying authority (CA) was issued by a trusted CA or not, Site24x7 will try to access the end-user certificate and all intermediate certificates issued by CAs. If the SSL/TLS certificate chain is found to be invalid or broken, your certificate will be deemed untrusted and invalid. However, if a secure connection can be established, the certificate will then be deemed trusted and valid.
      • Online Certificate Status Protocol (OCSP) checks: The OCSP check facilitates easy validation of the revocation status of an SSL/TLS Certificate. Site24x7 queries the issuing certifying authority's OCSP server using the certificate's serial number and, based on the response, detects whether a certificate is revoked or not.
      • Blacklisted Checks: Site24x7 checks whether your SSL/TLS CA is blacklisted or not by cross-checking with the available list of blacklisted CAs.

        Note

        All the above checks except OCSP check will be carried out automatically, by default. However, OCSP check can be performed only when you enable Site24x7 to detect the SSL/TLS certificate chain.

    • On-Call Schedule: The On-Call Schedule option helps you to ensure that the notifications are sent to assignees in specific shift hours helping them to quickly respond to alerts or incidents. Choose an On-Call of your preference from the drop-down.
    • Notification Profile: Choose a notification profile from the drop-down or select the default profile available. Notification profile helps to configure when and who needs to be notified in case of downtime. In the Notification Profile form, you can only customize email templates for down/trouble alerting. Other parameters will be disabled, by default.
    Note

    You can receive alerts if the monitors are associated with user groups, irrespective of the On-Call shift you've configured.

  7. Third-Party Integration: Associate your monitor with a pre-configured third-party service. It lets you push your monitor alarms to selected services and facilitate improved incident management. If you haven't set up any integrations yet, navigate to Admin > Third-Party Integration to create one. Tell me more.
  8. Click Save.
    Note

    Once the monitor setup is completed, Site24x7 deep discovery wizard scans your domain and auto-detects all related internet resources for your domain that can be added to your account for comprehensive internet services monitoring. Explore more about internet services deep discovery.
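
The certificate expiry threshold and SHA-1 Fingerprint checks described above can be reproduced with Python's standard library. This is an added example, not Site24x7's code; the function names, finding labels and sample values are assumptions constructed for illustration.

```python
import hashlib
import socket
import ssl
import time

def fetch_certificate(host, port=443, timeout=10):
    """Handshake with host:port and return (parsed cert dict, DER bytes).

    The default context verifies the chain and the hostname, so an untrusted
    or mismatched certificate raises ssl.SSLCertVerificationError here.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)

def sha1_fingerprint(der_bytes):
    """SHA-1 over the DER encoding, as 40 upper-case hex digits."""
    return hashlib.sha1(der_bytes).hexdigest().upper()

def evaluate(cert, der_bytes, expiry_threshold_days, expected_sha1=None, now=None):
    """Return (days_left, findings); the finding labels are hypothetical."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((not_after - now) // 86400)
    findings = []
    if days_left < 0:
        findings.append("expired")
    elif days_left <= expiry_threshold_days:
        findings.append("expiry-threshold")
    if expected_sha1 is not None:
        # Accept "AA:BB:..." or "aabb..." forms of the pinned fingerprint.
        pinned = expected_sha1.replace(":", "").replace(" ", "").upper()
        if pinned != sha1_fingerprint(der_bytes):
            findings.append("fingerprint-mismatch")
    return days_left, findings

# Constructed sample input (not a real certificate): the dict mimics the
# shape of SSLSocket.getpeercert(); the bytes stand in for its DER form.
SAMPLE_CERT = {"notAfter": "Jun 30 12:00:00 2030 GMT"}
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 10 12:00:00 2030 GMT")

if __name__ == "__main__":
    pinned = sha1_fingerprint(b"a different certificate")
    print(evaluate(SAMPLE_CERT, SAMPLE_DER, 30, pinned, now=SAMPLE_NOW))
```

Against a live host, pass the two values returned by `fetch_certificate(host, port)` to `evaluate` along with your own threshold and pinned fingerprint.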

Learn more about the various performance metrics of the SSL/TLS Certificate monitor. To understand the distinction between our various internet service monitoring capabilities, read more.

All you need to know about our SSL/TLS certificate monitor.
