Certificate Discovery Methods
The extension uses four methods to discover certificates.
Certificate Auto-discovery
When the extension is deployed locally (on a host with the OneAgent), the extension uses data collected by the OneAgent to collect a list of processes that have listening ports bound to them. Using this information, the extension then attempts to establish a connection on that port and load any certificates that are present.
Windows Active Port Discovery
On Windows hosts, in cases where the OneAgent does not have port information for a particular technology, Active Port Discovery can be used. This feature requires the Get-NetTCPConnection PowerShell cmdlet on Windows systems. Enabling this feature will have no effect on Linux systems.
Scan Windows Certificate Stores
This feature directly scans the Windows Certificate Store for certificates. It uses PowerShell on Windows systems; enabling it will have no effect on Linux systems. This method allows the extension to record which Certificate Store each certificate is stored in.
Remote Domain Discovery
When the extension is deployed on an ActiveGate, certificate monitoring by domain name is possible. This type of monitoring requires that the ActiveGate running the extension has access to the domains that are provided. Adjustments to networking and firewall rules may be required. Based on the list of domains supplied, the extension attempts to establish a connection and load any certificates that are present. When using this method, the extension has no knowledge of the host the certificate is stored on and is unable to form a relationship between the certificate and a host.
Certificate Processing
Once a certificate is collected, it is parsed and useful metadata is collected and pushed to Dynatrace. This information is then available in the form of Certificate entities that, where possible, are related to the host and process that they are discovered through. The default behavior of the extension is to create alerts based on the expiration dates of the certificate.
Configuration
General Settings
Expiration Imminent: The highest level of alerting, indicating that certificate expiration is imminent. Crossing this threshold triggers a problem with the AVAILABILITY severity. Expired certificates will also alert at this level.
Expiration Soon: The initial alerting level. Crossing this threshold triggers a problem with the ERROR severity. The certificate's not_valid_after date requires attention, but expiration is not yet imminent.
Interval between certificate discovery and metadata checks (hours): The frequency with which the extension will update discovered certificates and process the available data. During initial setup and testing, a smaller value may be appropriate. Once the extension is fully configured, an interval of 8 hours is recommended.
In addition to determining how often certificate discovery and metadata updates take place, the check interval determines how problems are resolved. All certificate problems will remain open until a certificate check can confirm that the problem has been resolved. An interval of 24 hours will cause a certificate problem to remain open a minimum of 24 hours. The problem will not resolve until the next check can determine if the problem is resolved.
Unified Analysis Screens and Certificate Status Metric: Unified Analysis Screens contain metadata on all discovered certificates. This feature requires the collection of data using the Certificate Status metric (certificate.monitor.status). For the best experience, it is recommended to enable metric collection. When disabled, extension functionality is limited to alert creation and log events. This option consumes DDUs.
Annual DDU consumption is calculated using the following formula: <# of discovered certificates> x <24 / certificate check interval (hours)> x 365 x 0.001. For example, a single certificate checked every 8 hours will consume ~1.1 (1 x (24/8) x 365 x 0.001) DDUs per year.
Advanced Alerting Configuration
Enabling "Advanced Alerting Configuration" provides two additional options to customize alert creation.
Enable alert creation
Disabling alert creation stops all alerts from being created by the extension. This is useful for customers who want to keep an inventory of certificates but not alert on them.
Disable alerts for certificates greater than x days old
By default, alerts will be raised for all expired certificates. Many environments contain long-expired certificates that have not been removed. Enable this feature to suppress problems for certificates that expired more than x days ago.
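The alerting rules above (the two thresholds, "Enable alert creation" and the suppression of long-expired certificates) reduce to one classification decision per certificate. The following is an added example, not code from the extension, that models that decision in Python; the threshold values, the "less than or equal" comparison used for "crossing" a threshold, and the helper names are assumptions, and the not_valid_after parsing relies on the notAfter string format returned by Python's ssl module.

```python
import ssl
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Problem severities named in the settings, plus two outcomes that raise no problem.
AVAILABILITY = "AVAILABILITY"   # "Expiration Imminent" crossed, or certificate already expired
ERROR = "ERROR"                 # "Expiration Soon" crossed
OK = "OK"                       # healthy, or alert creation disabled (inventory only)
SUPPRESSED = "SUPPRESSED"       # expired longer ago than the configured cut-off


@dataclass(frozen=True)
class AlertSettings:
    # Assumed defaults: the extension settings page defines the fields, not these numbers.
    imminent_days: int = 7
    soon_days: int = 30
    alerts_enabled: bool = True                        # "Enable alert creation"
    suppress_expired_after_days: Optional[int] = None  # "greater than x days old"


def parse_not_valid_after(cert_time: str) -> datetime:
    """Convert a notAfter string such as 'Jan  5 09:30:00 2030 GMT' (the format
    ssl.getpeercert() returns) into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def days_until_expiry(not_valid_after: datetime, now: datetime) -> int:
    """Whole days until expiry, rounded down; negative once the certificate has expired."""
    return (not_valid_after - now).days


def classify(not_valid_after: datetime, now: datetime, settings: AlertSettings) -> str:
    """Decide which problem (if any) a certificate should raise at time `now`."""
    if not settings.alerts_enabled:
        return OK  # keep the inventory, raise nothing
    remaining = days_until_expiry(not_valid_after, now)
    if remaining < 0:
        expired_for = -remaining
        if (settings.suppress_expired_after_days is not None
                and expired_for > settings.suppress_expired_after_days):
            return SUPPRESSED  # long-expired leftover, deliberately ignored
        return AVAILABILITY    # expired certificates alert at the highest level
    if remaining <= settings.imminent_days:
        return AVAILABILITY
    if remaining <= settings.soon_days:
        return ERROR
    return OK


if __name__ == "__main__":
    # Constructed sample: one notAfter value per interesting case, evaluated at a fixed time.
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    settings = AlertSettings(imminent_days=7, soon_days=30, suppress_expired_after_days=90)
    samples = {
        "healthy": "Aug  1 00:00:00 2024 GMT",
        "soon": "Jun 20 00:00:00 2024 GMT",
        "imminent": "Jun  3 00:00:00 2024 GMT",
        "expired": "May 20 00:00:00 2024 GMT",
        "long expired": "Jan  1 00:00:00 2024 GMT",
    }
    for label, not_after in samples.items():
        print(f"{label:13s} {not_after} -> {classify(parse_not_valid_after(not_after), now, settings)}")
```

Note that a problem raised by `classify` is only re-evaluated at the next check, which is why the check interval described below bounds how long a problem stays open after the certificate has been replaced.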
Port Range Customization
Optional feature to define the port ranges to include in and exclude from certificate discovery.
Port range to include: A range of ports can be expressed with a hyphen. Individual ports or ranges are separated with a semicolon, e.g. 443;1024-2000;50000-51000
Port range to exclude: An optional range of ports to exclude. This setting is applied after the include rule. For example, if ports 400-410 are included and port 405 is excluded, the resulting set of ports will be 400-404 and 406-410.
Filter processes by technology type
Optional setting to limit certificate checks to specific technology types. This filter can be set to include only the technologies listed or to exclude the technologies listed from monitoring.
Add Technology: Add a technology to the filter defined above. The technology types available are the "Main Technology" types that are present in process views. Some processes will show multiple entries under "Main technology". The technology type filter uses OR logic: a process that lists "IIS, IIS App Pool and .NET" as main technologies will be monitored if any combination of those technologies is added to this filter.
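The port range notation and the technology filter described in the two sections above together decide which listening ports the extension actually connects to. The following is an added example in Python, not the extension's own code, that parses the semicolon/hyphen notation, applies the exclude list after the include list, and implements the OR-logic technology filter in both include and exclude mode. The listener records (pid, port, main technologies) are a constructed stand-in for what the OneAgent reports; the function names are assumptions.

```python
from typing import Iterable, List, Sequence, Set, Tuple


def parse_port_spec(spec: str) -> Set[int]:
    """Parse '443;1024-2000;50000-51000' into a set of ports.

    Hyphen = inclusive range, semicolon = separator, as on the settings page.
    Whitespace around entries is tolerated; an empty spec yields an empty set.
    """
    ports: Set[int] = set()
    for entry in spec.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "-" in entry:
            lo_s, hi_s = entry.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(entry)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port entry: {entry!r}")
        ports.update(range(lo, hi + 1))
    return ports


def resolve_ports(include: str, exclude: str = "") -> Set[int]:
    """The exclude rule is applied after the include rule."""
    return parse_port_spec(include) - parse_port_spec(exclude)


def to_ranges(ports: Iterable[int]) -> List[str]:
    """Render a port set back in the page's notation, e.g. ['400-404', '406-410']."""
    out: List[str] = []
    start = prev = None
    for p in sorted(set(ports)):
        if start is None:
            start = prev = p
        elif p == prev + 1:
            prev = p
        else:
            out.append(f"{start}-{prev}" if start != prev else str(start))
            start = prev = p
    if start is not None:
        out.append(f"{start}-{prev}" if start != prev else str(start))
    return out


def technology_matches(process_technologies: Sequence[str],
                       filter_technologies: Sequence[str], mode: str = "include") -> bool:
    """OR logic: the filter hits if ANY of the process's main technologies is listed.
    In include mode a hit keeps the process; in exclude mode a hit drops it.
    An empty filter leaves every process monitored."""
    if not filter_technologies:
        return True
    wanted = {t.strip().lower() for t in filter_technologies}
    listed = {t.strip().lower() for t in process_technologies}
    hit = bool(wanted & listed)
    if mode == "include":
        return hit
    if mode == "exclude":
        return not hit
    raise ValueError(f"unknown filter mode: {mode!r}")


def select_targets(listeners: Iterable[Tuple[int, int, Sequence[str]]], include_ports: str,
                   exclude_ports: str = "", technologies: Sequence[str] = (),
                   mode: str = "include") -> List[Tuple[int, int]]:
    """Return the (pid, port) pairs that pass both the port rules and the technology filter."""
    allowed = resolve_ports(include_ports, exclude_ports)
    return [(pid, port) for pid, port, techs in listeners
            if port in allowed and technology_matches(techs, technologies, mode)]


# Constructed sample listeners: (pid, listening port, "Main technology" entries).
SAMPLE_LISTENERS = [
    (1001, 443, ["IIS", "IIS App Pool", ".NET"]),
    (1002, 405, ["Java"]),
    (1003, 8443, ["Java"]),
    (1004, 22, ["OpenSSH"]),
]

if __name__ == "__main__":
    print(to_ranges(resolve_ports("400-410", "405")))          # the page's own example
    print(select_targets(SAMPLE_LISTENERS, "400-410;443;8000-9000", "405", ["Java"], "exclude"))
    print(select_targets(SAMPLE_LISTENERS, "400-410;443;8000-9000", "405", [".NET", "Java"]))
```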
Add additional SNI domains
Optional setting to configure additional SNI (Server Name Indication) domains.
Add Domain: An advanced setting to provide a list of domains to use with Server Name Indication. SNI is an extension to the TLS protocol that is used in HTTPS. Use this setting to specify the domain name of a website during the initial TLS handshake, rather than only after the HTTPS connection has been established.
Log certificate status
Log certificate status interval: The extension will log event metadata when a certificate is in a warning state. In addition, the extension will also periodically log certificate metadata of certificates in a healthy state. The purpose of this setting is to make it possible to query for certificate metadata regardless of the health state of the certificate.
Check hosts by domain name
Optional list of domains to check directly. The extension will attempt to open a connection to the domains provided. This feature requires that the extension host is able to establish a connection to the domain. Domain monitoring is possible in local installations, but it is recommended to deploy this extension remotely (on an ActiveGate) for domain-based monitoring.
Add domain: Optionally provide a list of domains that the extension will check directly.
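Both the SNI setting above and the domain list in this section come down to the same operation: open a TLS connection to a name and port, place the wanted domain in the Server Name Indication extension of the handshake, and keep whatever certificate the server presents. The following is an added Python example, not the extension's own code, of that connection step. It deliberately turns certificate verification off, because the goal is to inventory certificates (including expired or self-signed ones) rather than to trust them; the `host:port` target syntax, the default port of 443 and the function names are assumptions.

```python
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CertificateResult:
    host: str
    port: int
    sni: Optional[str]
    pem: Optional[str] = None     # PEM of the leaf certificate the server presented
    error: Optional[str] = None   # set instead of pem when no certificate could be loaded


def parse_domain_target(entry: str, default_port: int = 443) -> Tuple[str, int]:
    """'example.com' -> ('example.com', 443); 'example.com:8443' -> ('example.com', 8443)."""
    entry = entry.strip()
    host, sep, port = entry.rpartition(":")
    if not sep or not port.isdigit():
        return entry, default_port
    return host.strip("[]"), int(port)   # tolerate '[::1]:443' for IPv6 literals


def inventory_context() -> ssl.SSLContext:
    """Context for *discovering* certificates. Verification is off on purpose so that
    expired, self-signed or mis-issued certificates are still loaded and reported;
    never reuse this context for a connection that carries real data."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch_certificate(host: str, port: int, sni: Optional[str] = None,
                      timeout: float = 5.0) -> CertificateResult:
    """Connect, complete the TLS handshake with the given SNI name, return the leaf cert."""
    result = CertificateResult(host, port, sni)
    ctx = inventory_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_hostname is what the client sends in the SNI extension of the
            # ClientHello; a server hosting several domains chooses its certificate from it.
            with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
                der = tls.getpeercert(binary_form=True)
        if not der:
            result.error = "no certificate presented"
        else:
            result.pem = ssl.DER_cert_to_PEM_cert(der)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        result.error = f"{type(exc).__name__}: {exc}"
    return result


def check_domains(domains: List[str], sni_domains: Optional[List[str]] = None,
                  timeout: float = 5.0) -> List[CertificateResult]:
    """'Check hosts by domain name': connect to every listed domain, once with its own name
    as SNI and once per additional SNI domain, so virtual-hosted certificates are also seen."""
    results: List[CertificateResult] = []
    for entry in domains:
        host, port = parse_domain_target(entry)
        for sni in [None] + list(sni_domains or []):
            results.append(fetch_certificate(host, port, sni, timeout))
    return results


if __name__ == "__main__":
    # Constructed target: nothing listens on 127.0.0.1:1, so this shows the error path.
    for r in check_domains(["127.0.0.1:1"], sni_domains=["example.test"], timeout=2.0):
        print(r.host, r.port, r.sni, "->", r.error or r.pem.splitlines()[0])
```

Connection failures are reported per target rather than raised, which mirrors the requirement that the ActiveGate running the extension must be able to reach each domain: a target that is blocked by a firewall shows up as a result with `error` set instead of aborting the whole discovery run.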
Enable Debug
Check this box to enable debug level logging. Logs are available (by default) on Linux at /var/lib/dynatrace/remotepluginmodule/log/extensions/datasources and on Windows at C:\ProgramData\dynatrace\remotepluginmodule\log\extensions\datasources