Detects expired SSL certificates.
This active gate plugin will automatically alert on any SSL certificate which is due to expire or has expired.
It can operate in two ways:
Auto detection is for experienced users only.
It relies on request attributes and custom metrics which must be created before the deployment.
By configuring the capture of the HTTP header host via a request attribute, Dynatrace will record any calls made in and out of existing services monitored by the OneAgent.
Once the request attributes are in place, several calculated metrics must be created to collect the host names.
The plugin will query these metrics to build a list of domains which will be checked once a day.
Please ensure that the host header is present in all requests. If not, the auto-discovery feature will not work. Simply check the preview when creating the calculated metrics to see if the host is captured.
For medium and large customers the default limit of 100 splits per service metric might need to be raised to 1000 to avoid data truncation. This can be done by reaching out to Dynatrace One.
To check the output, go to Technologies and select SSL.
Press Group details to see the charts for each endpoint.
There will be a custom device called SSLPlugin which gathers overall statistics such as total number of certificates, warnings and expired certs.
When certificates are due to expire or have expired, custom devices will be created identified by the domain name. An event will be generated each day with further information in the description.
Please note that the error only stays open for a few minutes.
The plugin doesn't just check the top-level expiration date but the whole chain too, so if a certificate authority is due to expire, it will be highlighted.
The events will trigger alerts automatically.
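The whole-chain check described above, combined with the expiration delta used for warnings, as an added example (not the plugin's own code). It works on a constructed chain in the dict shape ssl.SSLSocket.getpeercert() returns, with a fixed reference time so the results are stable; the live helper fetch_leaf_cert is an assumption about how one would retrieve a real leaf certificate, not the plugin's handshake code.

```python
import socket
import ssl
import time
# Constructed sample chain (leaf, intermediate, root) in the dict shape that
# ssl.SSLSocket.getpeercert() returns, trimmed to the fields used here.
SAMPLE_CHAIN = [
    {"subject": ((("commonName", "www.example.test"),),), "notAfter": "Jan 15 12:00:00 2030 GMT"},
    {"subject": ((("commonName", "Example Intermediate CA"),),), "notAfter": "Jan 20 00:00:00 2026 GMT"},
    {"subject": ((("commonName", "Example Root CA"),),), "notAfter": "Jan  1 00:00:00 2020 GMT"},
]
# Constructed reference "now" so the sample gives stable results.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2026 GMT")

def common_name(cert):
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<unknown>"

def classify(cert, expiration_delta, now=None):
    """Return (common name, whole days left, status) for one certificate; status is
    'expired', 'warning' (expires within expiration_delta days) or 'ok'."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((not_after - now) // 86400)
    if not_after <= now:
        status = "expired"
    elif days_left <= expiration_delta:
        status = "warning"
    else:
        status = "ok"
    return common_name(cert), days_left, status

def check_chain(chain, expiration_delta, now=None):
    """Classify every certificate; the overall status is the worst one in the chain."""
    rank = {"ok": 0, "warning": 1, "expired": 2}
    results = [classify(cert, expiration_delta, now) for cert in chain]
    overall = max(results, key=lambda r: rank[r[2]])[2]
    return results, overall

def fetch_leaf_cert(host, port=443, timeout=10):
    """Retrieve the leaf certificate from a live endpoint (assumed helper, uses the
    default context rather than SSLv23); getpeercert() returns only the leaf."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

With an expiration delta of 30 days the sample chain reports the leaf as ok, the intermediate as a warning and the root as expired, so the chain as a whole is flagged expired even though the leaf itself is valid.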
The plugin persists the list of domains in a text file. If the file were to be corrupted for some reason, delete it and the plugin will re-populate it automatically.
On Windows the file should be under:
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\pluginCache\cache.pkl
On Linux:
/tmp/pluginCache
As the maximum number of splits for metrics is currently only 100, increase the value via Dynatrace One to 1000.
The SSL handshake will try SSLv23, so if the server's protocol version is too old the handshake may fail.
The certificates will only be detected if there is traffic captured by Dynatrace, as the plugin requires PurePath data.
The hostname must be captured via a new request attribute (Settings / Server-side service monitoring / Request attributes).
Create a new attribute called "SSL Domain in":
  Request attribute source: HTTP request header
  Specify where the attribute is captured and then stored: capture on the server side of a web request service
  Parameter name: Host
  Only use value if it does not contain: localhost
Create a new attribute called "SSL Domain out":
  Request attribute source: HTTP request header
  Specify where the attribute is captured and then stored: capture on the client side of a web request service and store on calling service
  Parameter name: Host
  Only use value if it does not contain: localhost
The calculated metrics will gather the data for all the services and create a split for each domain which has been detected.
The metric can only be added if the number of values is smaller than 1000, so a filter such as a management zone or a tag will be necessary.
The default limit is currently 100, so it might need to be increased to 1000 via Dynatrace One (serviceMetricsMaxAffectedServiceLimit).
To create the metric, go to Diagnostic tools, multi-dimensional analysis.
If there are too many values, create more tags to group the data in smaller units. The plugin will accept several metrics.
In the example below a management zone was used.
Create another metric (or group of metrics) for the second request attribute (out).
The calculated metrics are retrieved via the V2 metric API, therefore a dedicated token is required (V2 metric read scope).
The zip file containing the plugin code must be deployed to an ActiveGate with access to all the endpoints.
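How the domain list can be built from the calculated metrics, as an added example that is not the plugin's own code: it reads the split dimension (the captured Host header) out of a metric query response, drops localhost and the comma separated "Domains to ignore" list, and persists the result the way the cache file described earlier suggests. The response shape is my assumption of a Dynatrace v2 metrics query result (constructed here), and pickle is assumed only from the cache.pkl file name.

```python
import json
import pickle
import tempfile
from pathlib import Path
# Constructed response in the shape assumed for a v2 metrics query of one calculated
# service metric; the split dimension carries the captured Host header value.
SAMPLE_RESPONSE = json.dumps({"result": [{
    "metricId": "calc:service.ssl_domain_in",
    "data": [
        {"dimensions": ["Shop.example.test:443"], "timestamps": [1700000000000], "values": [42.0]},
        {"dimensions": ["api.example.test"], "timestamps": [1700000000000], "values": [7.0]},
        {"dimensions": ["localhost:8080"], "timestamps": [1700000000000], "values": [3.0]},
        {"dimensions": ["googleapi.com"], "timestamps": [1700000000000], "values": [1.0]},
    ],
}]})

def hosts_from_metric_response(body):
    """Collect the first split dimension (the Host header) of every data point."""
    hosts = set()
    for series in json.loads(body).get("result", []):
        for point in series.get("data", []):
            if point.get("dimensions"):
                hosts.add(point["dimensions"][0])
    return hosts

def normalise(host):
    """Strip a :port suffix and lower-case, so two spellings of one host merge."""
    return host.split(":", 1)[0].strip().lower()

def build_domain_list(bodies, ignore):
    """Merge hosts from all configured metrics, dropping localhost and ignored domains."""
    ignored = {d.strip().lower() for d in ignore.split(",") if d.strip()}
    domains = set()
    for body in bodies:
        for host in hosts_from_metric_response(body):
            name = normalise(host)
            if name and "localhost" not in name and name not in ignored:
                domains.add(name)
    return sorted(domains)

def save_cache(domains, path):
    # Persist the list; pickle format is assumed from the plugin's cache.pkl name.
    Path(path).write_bytes(pickle.dumps(domains))

def load_cache(path):
    # None when the file is missing, which is the "delete it to rebuild" case.
    p = Path(path)
    return pickle.loads(p.read_bytes()) if p.exists() else None

def roundtrip_cache(domains):
    with tempfile.TemporaryDirectory() as d:
        save_cache(domains, Path(d) / "cache.pkl")
        return load_cache(Path(d) / "cache.pkl")
```

Because pickle.loads executes whatever the file contains, a cache in this format should stay writable only by the ActiveGate service account.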
Unzip the file into:
Linux:
/opt/dynatrace/remotepluginmodule/plugin_deployment
Windows:
\program files\dynatrace\remotepluginmodule\plugin_deployment
Go to the Dynatrace user interface under Settings, Monitored technologies, and click on Custom extensions.
Press the upload extension button and upload the zip file.
A new entry should appear under the custom extension tab.
Create a new endpoint. The name isn’t relevant so it could be the same as the tenant’s name for instance.
Under Dynatrace cluster address enter the full address as follows (no slash at the end of the URL):
Managed: https://{your-domain}/e/{your-environment-id}
SaaS: https://{your-environment-id}.live.dynatrace.com
Copy your API token in the third field.
Expiration delta is the number of days to trigger a warning alert before a certificate expires.
Domains to ignore can contain a comma separated list of domain names to ignore. They could be external endpoints such as googleAPI.com, for instance.
The field Metric names for inbound requests is a comma separated list of calculated metric IDs using the host inbound request attribute.
The field Metric names for outbound requests is a comma separated list of calculated metric IDs using the host outbound request attribute.
Enter proxy details if required. This is for the connection from the ActiveGate where the extension is deployed.
Select debug to add more information to the logs.
Under Choose ActiveGate pick an ActiveGate from the list where the zip file has been deployed.
Press update and check for any errors.
The plugin should activate within the next 2-3 minutes.