All
0 Results filtered by:
We couldn't find any results
You can search all listings, or try a different spelling or keyword. Still nothing? Dynatrace makes it easy to create custom apps.
SSL Certificate MonitorSSL Certificate Monitor
Discover, view and log SSL certificates. Raise configurable expiration alerts.
Extension- Product information
- Release notes
Overview
The SSL Certificate Monitor extension can be deployed on an ActiveGate or on any host with the OneAgent installed.
Both deployments types have configurable alerting intervals, allowing the raising of low severity problems for certificates in a user defined renewal window as well as a high severity alerts for imminently approaching expiration dates.
When deployed on an ActiveGate, the extension can be configured to perform certificate checks by specifying specific domains to check.
When deployed on an OneAgent, the extension will attempt certificate auto-discovery using data provided by the OneAgent.
Use cases
- Discover and monitor certificates on OneAgent-installed hosts.
- Certificates can also be monitored remotely using domain based monitoring on an ActiveGate.
- Configure alerting for certificates that are expiring soon, so action can be taken before expiration.
Extension content
Content typeNumber of items included
screen logs cards
4
screen properties
2
screen layout
4
screen entities lists
5
document dashboard
2
metric metadata
2
list screen layout
2
screen chart groups
4
screen injections
4
screen metric tables
1
generic relationship
4
screen actions
4
dashboards
1
generic type
2
screen dql table
4
Feature sets
Below is a complete list of the feature sets provided in this version. To ensure a good fit for your needs, individual feature sets can be activated and deactivated by your administrator during configuration.
Feature setsNumber of metrics included
| Metric name | Metric key | Description | Unit |
|---|---|---|---|
| Certificate status | certificate.monitor.status | The status of detected certificates | Count |
Full version history
To have more information on how to install the downloaded package, please follow the instructions on this page.
ReleaseDate
Full version history
v1.10.17
This version requires EEC version 1.313+ and cluster version 1.313+.
- Remove incorrectly duplicated assets
- Fix for the "Related certificate" screen in the Infrastructure and Operations app
Full version history
v1.10.13
- Remove incorrectly duplicated assets
- Fix for the "Related certificate" screen in the Infrastructure and Operations app
This version requires EEC version 1.270+ and cluster version 1.309+.
v.1.10.11
New and improved in this version
- Fixed an issue with "Add log entry for healthy certificates" caused by a mismatch between timezone aware and unaware dates. This patch ensures that all uses of datetime in the extension are timezone aware.
v1.10.10
New Feature: Legacy TLS Certificate Collection Support
Background
In environments with older hosts that do not support modern TLS protocols, certificate collection can fail due to protocol mismatches. Previously, these hosts were effectively unreachable for certificate inspection, limiting visibility into legacy systems.
What's Changed
This version introduces fallback support for TLSv1 ciphers during certificate collection. This fallback is only used when the target server does not support higher TLS versions and is confined strictly to certificate gathering operations. We've also added support for DEC error codes, improved handling of certificates missing common_name or alt_name, and introduced a delay mechanism to ensure entities are created before problems are triggered. Support for 3rd generation UA cards has been enhanced, and the dt.security_context field has been added for improved security context tracking. Impact These changes improve compatibility with legacy systems, improve alerting for certificates that are first detected in a problem state and enhance certificate parsing.
New and Improved in This Version
- Fallback to TLSv1 ciphers for certificate collection on legacy hosts.
- Added DEC error codes for improved diagnostics.
- 5-minute delay before problem events are pushed to cluster to ensure entity creation has completed before the problem has pushed.
- Improved support for 3rd gen UA cards.
- Added dt.security_context field.
- Fix for certificates missing common_name or alt_name.
Full version history
v1.10.0
New feature: Automatic Port Blocklisting
Background
When the extension is deployed locally (on a host with the OneAgent), the extension uses data collected by the OneAgent to collect a list of processes that have listening ports bound to them. Using this information, the extension attempts to establish a connection on that port and load any certificates that are present. Many of these detected port bindings do not have certificates bound to them and, as a result, no certificate is returned. In previous versions of the extension these ports would be checked for a certificate at each monitoring interval if no manual exclusion filters were set.
What's Changed
This version introduces automatic port blocklisting. When the extension fails to extract a certificate from a port, the port is automatically added to a persistent cache and removed from future certificate scans. This cache is specific to each monitoring configuration and is retained across extension restarts and configuration updates.
Impact
Some processes do not react well to unexpected TLS connections. Port blocklisting ensures that these ports are not continuously queried for certificates, reducing unnecessary network activity and potential side effects.
New and improved in this version
- Automatic blocking of port bindings discovered via the OneAgent that do not return a certificate.
- Add property for TLS version used during certificate collection
- Improved handling of configuration loading and validation.
- More robust and readable code for filtering, event creation, and port discovery.
- Improved summary charts on certificate manager screens
- Greatly expanded testing
- Improvement to certificate source determination. We are now tracking PortBinding PID. If a binding has a PID, it is a local certificate.
- Improved support for certificates without a subject common name. In these cases, the first available subject alternative name will be used as the primary identifier of the certificate.
- Added 3rd gen UA screen support
- Pre-check prevents preliminary WCS code from running on non-Windows systems
- Refinements to logging.
INFOlogging will now contain all required information for most use cases.DEBUGlogging should now only be needed during advanced troubleshooting. - Update Active Port discovery with latest PortBinding and additional command to collect process name
- Add
device.addressdimension
Full version history
v1.9.3
Improved Handling of Windows Certificate Stores
Background
The Windows Certificate Store is composed of multiple "sub-stores," such as CurrentUser:Root, LocalMachine:Root, and others. It's common for identical certificates to exist in multiple sub-stores simultaneously.
What Changed
This release introduces a fix that correctly identifies and distinguishes each instance of a certificate based on the specific sub-store it resides in. As a result:
- Each certificate copy is now treated as a unique entity, even if the certificate content is identical.
- The certificate store location is now explicitly tracked, allowing for more accurate monitoring and management.
Impact
- Users may observe an increase in the number of monitored certificates, as duplicates across sub-stores are now individually recognized. This will not affect license consumption as the amount of data ingested is unchanged.
- Previously, certificate properties could oscillate depending on which instance was processed first, leading to inconsistencies in problem detection and entity matching.
- With this fix, each certificate is uniquely identified, ensuring consistent behavior and accurate problem association.
Why This Matters
This change aligns with real-world use cases. When a certificate expires and is replaced, it must be updated in location where it exists. By treating each instance separately, the system now mirrors this operational reality, improving reliability and clarity for administrators.
🐞 Fixed in this version
- Certificates detected via the Windows Certificate Store will now correctly identify which sub-store they are stored in. This will resolve issues with problems related to these certificates that opened and closed unexpectedly.
- Fixed references to the alerting level that will be raised as a certificate approaches expiration.
✨ New in this version
- Ability to set certificate check timeout
- Use ThreadPoolExecutor context manager
- Add option to alert on domain and OneAgent connection errors. These options are useful for testing and diagnosing issues.
Full version history
v1.8.47
- Fixed an issue with alerts not being generated on expired certificates that are being monitored as part of a monitoring configuration with commas (",") in the description name.
Full version history
v1.8.45
- Fix for loading of configuration object on remote deployments.
Full version history
- Check metric line length before posting and trim data as necessary to fit within limit
- Ability to filter Windows Certificate Store by terms in common name
- Fix for UnicodeDecodeError when loading malformed process snapshots
- Fix an issue when decoding invalid bytes
Full version history
Version 1.8.13
- Fix an issue decoding certificates with invalid characters
Full version history
v1.8.12
- Added verbose debug logging
- Enhanced logging to aid in supporting a wider variety of certificate types
- Fix to "Extension settings" button on unified analysis screens
Full version history
v1.8.0
- ✨ Raised limit on dashboard tiles to display more certificates.
- ✨ Added an option to suppress alerts for certificates that have expired more than x days ago.
- ✨ Added an option to suppress all alert creation for certificates
- ✨ Added the certificate serial number as a certificate property
- 🐛 Improved handling for monitoring configuration names that contain punctuation.
- 🐛 The extension will now automatically renew events before before the mandatory 6 hour problem timeout is reached. This is to fix an issue where some problems would regularly close and reopen.
Full version history
v1.7.80
- 🐛 Fixed a bug where only having one certificate in the Windows Certificate Store would cause the extension to throw an error.
- 🐛 Improved handling of non-UTF-8 characters in Windows Certificate Store certificates.
- 🐛 Fixed an issue where certificate properties with certain special characters would prevent the certificate data from being ingested
- 🐛 Fixed an issue where some problems would fail to be created when the extension was deployed remotely
- ✏️ Fixed a typo in the monitoring configuration screen.
Full version history
v1.7.50
- ✨ Added option to include or exclude specific processes by name using the new "Filter processes by process name" feature.
- ✨ Added option to "Scan Windows Certificate Stores" (Windows Hosts only). The extension will scan the Windows Certificate store for certificates.
- ✨ Expanded the list of available process types available to the "Filter processes by technology type" feature.
- 🐛 Improved handling of process snapshots
- 🐛 Fixed crash if Active Port Monitoring (Windows Only) is enabled on a Linux host.
- 🐛 Removed forced recheck if there was a detected change in the port bindings. Previously, the extension would force a recheck if port bindings change. Port checks will now strictly follow the configured schedule. Changes to certificates will not be detected until the next check interval.
Full version history
v1.6.0
This version is a combined bug fix and feature update. Changes include:
- ✨ Technology filter can now be set to only include the selected technologies or exclude the selected technologies from monitoring
- ✨ Certificate list view can now be filtered
- ✨ Related certificates now injected on Host page
- 🐛 Additional checks to limit long metric length
- 🐛 Suppression for duplicate metric lines
- 💄 Change dates to
YYYY-MM-DDformat to make them sortable - 🏷️ Improved type checking
Full version history
NOTE: This version requires that monitoring configurations be recreated. We apologize for this inconvenience but it is required to take advantage of new features. This extension is evolving rapidly and seeking to cover a wider array of use cases. As such, it may see other breaking changes before the end of the year.
v1.3.2
- Breaking change on upgrades for <v1.3. This requires the recreation of monitoring configurations.
- ✨ [WINDOWS ONLY] Add support for Active port discovery on Windows. The extension will attempt to actively identify listening ports on a local host and check certificates on those ports. Note: this option will likely introduce many more port checks. It is recommended to use this in conjunction with port range filters.
- 🐛 Fixes premature problem closure
- 🧵 Improved handling of multi-threaded port checking. Eliminates long running threads.
- 🐛 Fixes scenario where check interval timer was being ignored
- 🐛 Fixes issue where domain based checks list grows unexpectedly
- ♻️ Refactor code to improve consistency across port info sources (Remote domains, OneAgent, Active port discovery)
Full version history
- ✨ Domain checks can now supply a port to be checked via the
domain.com:9999syntax. Previously, all domains were checked on port 443 - 🐛 Improved parsing of domains when using the domain check feature
- 🐛 Fix for multiple instance of domains checks being added
- 💄 Improvements to Unified Analysis screens
- 🥅 Improved error handling when detecting alt_names
- 📝 Documentation updates