How to create an SSL Monitoring Server

If you have SSL certificates on many servers across the network, it can be difficult to keep track of the expiration dates for all of them. There is a UNIX utility called “ssl-cert-check” that can scan servers on any port and notify you when a certificate is close to expiring.
This how-to is based on Cygwin instead of a *nix distro. The steps should be the same, but there may be some differences.
1. Install Cygwin (skip to step 3 if you are running a Linux host)
2. Download from the Cygwin website and make sure OpenSSL, mail, cygrunsrv, cron and vim are installed.
3. Once Cygwin is installed, download the ssl-cert-check script, make it executable and move it to /bin:
  $ wget http://prefetch.net/code/ssl-cert-check
  $ chmod 775 ssl-cert-check
  $ mv ssl-cert-check /bin
4. Test that the tool is working against a single host (replace x.x.x.x with a server's address):
  $ cd /bin
  $ ssl-cert-check -s x.x.x.x -p 443
5. Once you know the tool is working you can start customizing it to fit your needs. I needed to scan a large group of servers on port 443 and email me if any of them were within 14 days of expiring.
6. I created a text file with the hosts that I needed to scan and the ports that certificates were bound to.
  $ vi ssl-servers

  www.server.com 443
  192.168.0.22 443
  example.com 443
8. Once you have the file, use ssl-cert-check to scan every host in it (-f reads the list, -i adds the issuer column) and check that the output looks right:
$ ssl-cert-check -i -f ssl-servers
Host                                Issuer            Status   Expires     Days Left
----------------------------------- ----------------- -------- ----------- ---------
www.server.com:443                  Comodo Limited    Valid    May 23 2012 218
192.168.0.22:443                    Equifax Secure In Valid    Jun 20 2012 246
example.com:443                     Thawte Consulting Valid    Jun 7 2012  233
9. Now that I know that I can scan against a list of servers, I want to be notified by email.
10. I want to test to make sure that email is installed and that my host can send out an email properly.
$ cd /usr/bin
$ mail -f MYSERVER@domain.com -s Test -r MAILSERVER user.name@domain.com
11. For Cygwin to be able to send emails automatically you need to change a few things. First, create a symbolic link so that the sendmail path points to the proper mail binary:
$ ln -s /bin/mail /usr/lib/sendmail
12. Then edit the mail configuration file. Make sure the SMTP server and port lines are uncommented and point to your mail server, then set the name and address the alerts will be sent FROM:
$ vi /etc/email/email.conf
############################################################
# SMTP Server and Port number you use
############################################################
 SMTP_SERVER = '192.168.0.50'
 SMTP_PORT = '25'

############################################################
# If you'd rather use sendmail binary, specify it and the
# command line switches to use, here.  If you have both
# this option and SMTP_SERVER set, SMTP_SERVER will be of
# higher priority than SENDMAIL.
############################################################
SENDMAIL_BIN = '/usr/lib/sendmail -t -i'

############################################################
# Your email address: If you'd like To have your name to
# show in the from field instead of just your email address,
# then keep the format below and edit it to your email
# and name.
############################################################
MY_NAME  = 'SSL Monitoring Tool'
MY_EMAIL = 'server@domain.com'
13. Once your email configuration is finished you can test the following command, which checks every server in the list and emails the address you specify if any certificate is due to expire within 60 days:
$ ssl-cert-check -a -f ssl-servers -q -x 60 -e user@domain.com
14. Install cron as a service. First right-click the Cygwin icon on the desktop and select “Run as Administrator”, then run cron-config and answer its prompts:
$ cron-config
  (answer the prompts in order: yes, ntsec smbntsec, no, then enter the password)
15. Once cron is installed you can edit the cron tasks by running crontab -e at the command prompt.
NOTE: On a Windows 2008 server you may have trouble installing the cron service. If so, you can run any Cygwin task from the built-in Windows Task Scheduler instead: save the command as a batch file and schedule it, e.g. (the script is called by its full /bin path, since the scheduler does not start in that directory)
C:\Cygwin\bin\bash -c "/bin/ssl-cert-check -a -q -f /bin/ssl-servers -x 14 -e user@domain.com"
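As an added example, not part of the original post or of the ssl-cert-check script itself, the following Python code performs the same core check over the ssl-servers file format shown above: parse the host/port list, read each server's certificate expiry, and flag anything inside a warning window like the one -x selects. Function names, the default 14-day window and the host names used in the comments are assumptions made for this example.

```python
import socket
import ssl
import time

def parse_server_list(text):
    """Parse the 'host port' lines of the ssl-servers file; blank lines and '#' comments are skipped."""
    targets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        port = int(fields[1]) if len(fields) > 1 else 443  # no port given: assume HTTPS, as in the post
        targets.append((fields[0], port))
    return targets

def fetch_not_after(host, port, timeout=10):
    """Open a TLS connection and return the server certificate's notAfter, e.g. 'May 23 12:00:00 2012 GMT'.
    The default context verifies the chain, so an already-expired or untrusted certificate raises
    ssl.SSLCertVerificationError; check_targets reports that as an Error row instead of a day count."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def days_left(not_after, now=None):
    """Whole days until notAfter (negative once expired); now is seconds since the epoch, default current time."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)

def check_targets(targets, warn_days=14, fetch=fetch_not_after, now=None):
    """Return one (host, port, status, days) row per target, like ssl-cert-check's table. Status is 'Valid',
    'Expiring' (within warn_days, the hosts that -x/-e would mail about), 'Expired' or 'Error'."""
    rows = []
    for host, port in targets:
        try:
            remaining = days_left(fetch(host, port), now)
        except (OSError, ValueError) as exc:  # socket/TLS failures are OSError; a bad date string is ValueError
            rows.append((host, port, "Error", str(exc)))
            continue
        status = "Expired" if remaining < 0 else "Expiring" if remaining <= warn_days else "Valid"
        rows.append((host, port, status, remaining))
    return rows

def alerts(rows):
    """The rows worth emailing: everything that is not plainly Valid (an unreachable host is also worth a look)."""
    return [row for row in rows if row[2] != "Valid"]
```

Passing a different `fetch` callable (as the test does with a constructed table of expiry dates) lets the report logic run without network access.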