A TLS (or SSL) certificate expiration should never be the cause of an outage, but we’ve all heard about this happening before. If it does happen, it usually causes a high impact, so follow these tips to help track your TLS validity.

You can easily monitor TLS expiration using Nagios XI. A lot of the Nagios check plugins that come with Nagios XI support TLS. Note the options are slightly different among the plugins. Here is a partial list:

check_clamd [-D <warn days cert expire>[,<crit days cert expire>]] [-S <use SSL>]

check_http [-S, --ssl=VERSION[+] [-C <warn_age>[,<crit_age>]]

check_imap [-D <warn days cert expire>[,<crit days cert expire>]] [-S <use SSL>]

check_ldap -S [--ssl] - NOTE: unfortunately does not yet track expiration, though it's in the works apparently from the looks of some recent (yet perfect) updates on github.

check_mysql

check_tcp

In fact, some of these plugins (check_clamd, check_imap are just soft links to check_tcp), so they all support TLS in the exactly same way.

If you are already using any of these plugins, it’s very easy to add TLS support by adding the “-S” parameter (after “SSL” which is deprecated, but still supported if you need it. The “-S” option supports both TLS and SSL.) Unfortunately, the only validity checked is the validity time; the issuer (root cert signed) verification does not take place.

PRO TIP: Use the “-D” option in most cases (except for check_http, where it’s “-C”) to have Nagios check for certificate expiration, so you’re notified in case your certificate is nearing its expiration date.