SSL Certificate Monitoring

Proper SSL Certificate Monitoring.

We're talking more than just expiration dates.

SSL Certificate Expirations

We know, technically they're called X.509 Public Key Certificates, but the whole world calls them SSL certificates. We'll monitor your site's certificate expiration dates and send you a notification when they're about to expire.

But we don't just monitor your domain's certificate: we verify all your intermediate certificates, too. And if a certificate changes, you'll be presented with a clean before & after report, so you'll see if any of the covered domains have changed too.

Acronym Bingo

OCSP, CT, CRL, HPKP, ... do any of those ring a bell? If not, trust us to monitor it for you. We check all your certificates - including your intermediates - to see if they've been revoked, either through Certificate Revocation Lists (CRL) or the Online Certificate Status Protocol (OCSP).

If you use a public key pinning mechanism such as HPKP, we verify that the chain you serve still matches your pins, and we flag risky choices such as pinning the leaf key rather than an intermediate (a leaf pin breaks the moment you renew with a new key, unless you also pinned a backup key). Note that browsers have since dropped HPKP support (Chrome removed it in version 72), so treat pinning as a legacy check.

Certificate Chain validation

A chain is only as strong as its weakest link, and certificate chains are the prime example. We don't just monitor your domain's certificate: we check every intermediate certificate too, up to the root, to verify the chain of trust.

We look for SHA-1-signed certificates, revoked intermediates, distrusted root certificates, and more; each of those problems can make your site unavailable. None of those changes are in your control: the decisions are made by the Certificate Authorities (CAs) or by the browsers themselves, coordinated through the CA/Browser Forum (CAB Forum).
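As an added example (not Oh Dear!'s own code) that covers both the revocation checks described under Acronym Bingo and the chain checks above: the script below builds a hypothetical root/intermediate/leaf PKI with the openssl CLI and runs the same kinds of checks against it: chain of trust, signature algorithm, time to expiry, the domains a certificate covers, and revocation of the intermediate. The names, file paths and example.com domains are constructed for the demo. OCSP is not shown because it needs a live responder; revocation is checked against a CRL that the test root publishes, which is the other mechanism the text names.

```shell
#!/usr/bin/env bash
# Added example, not Oh Dear!'s code: build a throw-away root -> intermediate -> leaf
# chain with the openssl CLI, then run the checks the text describes against it:
# chain-of-trust verification, signature algorithm, time to expiry, the domains a
# certificate covers, and CRL-based revocation of the intermediate. The PKI is
# hypothetical and lives in a temp dir; nothing here touches the network.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- constructed test PKI ------------------------------------------------------
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com,DNS:example.com\n' >"$WORK/leaf.ext"
gen_csr() {  # $1 = name, $2 = CN; writes $WORK/$1.key and $WORK/$1.csr
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}
gen_csr root "Example Test Root"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
gen_csr inter "Example Test Intermediate"
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null
gen_csr leaf "www.example.com"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
  -CAcreateserial -days 10 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# Minimal `openssl ca` database for the root, only so it can revoke certs and sign a CRL.
mkdir -p "$WORK/db/newcerts"; : >"$WORK/db/index.txt"; echo 1000 >"$WORK/db/serial"; echo 01 >"$WORK/db/crlnumber"
cat >"$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = root_ca
[ root_ca ]
dir = $WORK/db
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = $WORK/root.pem
private_key = $WORK/root.key
default_md = sha256
default_crl_days = 7
policy = policy_any
[ policy_any ]
commonName = supplied
EOF

# --- the checks a monitor runs ------------------------------------------------
verify_chain() {        # $1 leaf, $2 served intermediates, $3 trusted root(s); 0 = chain OK
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}
sig_alg() {             # signature algorithm name, e.g. sha256WithRSAEncryption
  openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'
}
is_sha1_signed() {      # 0 if the cert carries a SHA-1 signature (distrusted by browsers)
  case "$(sig_alg "$1")" in *sha1*|*SHA1*) return 0 ;; *) return 1 ;; esac
}
valid_for_seconds() {   # 0 if the cert is still valid $2 seconds from now, 1 if it will have expired
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}
covered_domains() {     # the subjectAltName list: what to diff in a before/after report
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}
issue_crl() {           # $1 = cert to revoke ("" for none), $2 = output path of the root-signed CRL
  if [ -n "$1" ]; then openssl ca -config "$WORK/ca.cnf" -revoke "$1" >/dev/null 2>&1; fi
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$2" >/dev/null 2>&1
}
not_revoked_by_crl() {  # $1 cert, $2 its issuer CA, $3 the issuer's CRL; 0 = not revoked
  openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" >/dev/null 2>&1
}

# --- walk through the scenario ------------------------------------------------
verify_chain "$WORK/leaf.pem" "$WORK/inter.pem" "$WORK/root.pem" && echo "chain of trust: OK"
echo "leaf signed with: $(sig_alg "$WORK/leaf.pem")"
echo "leaf covers: $(covered_domains "$WORK/leaf.pem")"
valid_for_seconds "$WORK/leaf.pem" $((30 * 86400)) || echo "leaf: expires within 30 days, renew"
issue_crl "" "$WORK/empty.crl"
not_revoked_by_crl "$WORK/inter.pem" "$WORK/root.pem" "$WORK/empty.crl" && echo "intermediate: not revoked"
issue_crl "$WORK/inter.pem" "$WORK/revoked.crl"   # the CA revokes the intermediate...
not_revoked_by_crl "$WORK/inter.pem" "$WORK/root.pem" "$WORK/revoked.crl" || echo "intermediate: REVOKED"
```

Against a live site the same functions apply to what the server actually sends: `openssl s_client -connect host:443 -showcerts </dev/null` dumps the served chain, and `openssl s_client -connect host:443 -status` shows whether a stapled OCSP response accompanies it. The CRL step above is what a monitor does when it downloads the CRL named in a certificate's CRL Distribution Points extension; a monitor that only looked at the leaf would miss the revoked intermediate entirely.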

Certificate Transparency Monitoring & Alerting

Browsers are moving to require that every newly issued certificate be published to public Certificate Transparency (CT) logs (Chrome enforces this for certificates issued after 30 April 2018). As a result, every certificate issued for your domains becomes public knowledge.

We monitor those CT logs and alert you whenever a new certificate is issued for one of your domains. You can then decide whether the issuance was expected (a renewal, a new subdomain) or the work of a malicious actor, and act accordingly.

$ cat ohdearapp.conf
    # Enable TLS ("ssl on" is deprecated since nginx 1.15; prefer "listen 443 ssl;")
    ssl                         on;
    ssl_certificate             fullchain.pem;
    ssl_certificate_key         privkey.pem;

    ssl_session_timeout         3m;
    ssl_session_cache           shared:SSL:30m;

    # Configure TLS, prefer strong ciphers
    ssl_protocols               TLSv1.2;
    ssl_ciphers                 ECDHE-RSA-AES128..;
    ssl_prefer_server_ciphers   on;

    # Use 4096-bit Diffie-Hellman parameters to mitigate the Logjam attack
    ssl_dhparam                 dhparam-4096bit.pem;

    # OCSP stapling: nginx fetches the OCSP response itself and, with
    # ssl_stapling_verify, checks it against ssl_trusted_certificate (nginx
    # wants the issuer, intermediates and root there, not only the served
    # chain). Stapling also needs a "resolver" directive so nginx can look up
    # the OCSP responder's hostname.
    ssl_stapling            on;
    ssl_stapling_verify     on;
    resolver_timeout        60s;
    ssl_trusted_certificate fullchain.pem;

TLS cipher monitoring

Configuring HTTPS is great, but if you use weak encryption ciphers or don't support Perfect Forward Secrecy (PFS), your website is missing critical security features.

We will routinely scan your server(s) and report changes in the TLS cipher suites offered, alert when weak suites (RC4, DES/3DES, or MD5-based MACs) are still enabled, and alert when insecure protocols such as SSLv2 or SSLv3 are still accepted.

Additionally, we check that OCSP stapling works and whether your server enforces its own cipher preference order, so a client can't talk the server into a weaker suite than it needs to.
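An added example, not Oh Dear!'s code, of the classification a cipher scan feeds into: it parses the `openssl ciphers -v` line format and flags weak suites and suites without forward secrecy. The sample list is constructed to look like a legacy server's offering, and the rules for what counts as weak or as PFS are my assumptions based on the families named above.

```shell
#!/usr/bin/env bash
# Added example, not Oh Dear!'s code: classify cipher suites the way a TLS monitor
# would. Input is the `openssl ciphers -v` line format:
#   NAME  PROTO  Kx=<key exchange>  Au=<auth>  Enc=<cipher>(bits)  Mac=<mac>
# Assumed rules: WEAK = RC4, DES/3DES, NULL/None encryption or an MD5 MAC;
# NO-PFS = key exchange is not ephemeral (EC)DH. TLS 1.3 suites (shown as
# Kx=any) always use ephemeral key exchange, so they count as PFS.
set -eu

classify_cipher() {  # $1 = one `openssl ciphers -v` line; prints "CLASS NAME"
  set -- $1          # deliberately unquoted: split the line into its fields
  name=$1 proto=$2 kx=$3 enc=$5 mac=$6
  case "$enc:$mac" in
    *RC4*|*DES*|*NULL*|*None*|*MD5*) echo "WEAK $name"; return 0 ;;
  esac
  case "$proto:$kx" in
    TLSv1.3:*|*:Kx=ECDH|*:Kx=DH) echo "OK $name" ;;   # Kx=ECDH/RSA or DH/RSA is static, not PFS
    *) echo "NO-PFS $name" ;;
  esac
}

classify_list() {    # stdin = `openssl ciphers -v` lines; stdout = one "CLASS NAME" per suite
  while IFS= read -r line; do classify_cipher "$line"; done
}

count_flagged() {    # stdin = classify_list output; prints how many suites are not OK
  grep -vc '^OK ' || true   # grep exits 1 when the count is 0; that is not an error here
}

# Constructed sample: what a legacy server might still offer (not a real scan).
SAMPLE='ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1'

echo "--- constructed legacy server ---"
printf '%s\n' "$SAMPLE" | classify_list
echo "flagged: $(printf '%s\n' "$SAMPLE" | classify_list | count_flagged) of 4"

# The same check over what the local OpenSSL's DEFAULT cipher string expands to.
echo "--- local openssl DEFAULT list ---"
echo "flagged: $(openssl ciphers -v DEFAULT | classify_list | count_flagged)"
```

To get the list for a real server, enumerate it with `nmap --script ssl-enum-ciphers -p 443 host` or probe individual suites with `openssl s_client -connect host:443 -cipher NAME </dev/null`, then feed the OpenSSL names of the accepted suites through `openssl ciphers -v` to obtain the field format the classifier expects. The PROTO column in that output is the lowest protocol version a suite is defined for, not what the server negotiates; whether SSLv3 or TLS 1.0 is actually accepted is a separate probe (`openssl s_client -ssl3` / `-tls1`), and the stapling check from the previous section is `openssl s_client -connect host:443 -status`.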

HTTPS isn't a very forgiving protocol: it takes a lot of configuration settings to get it right, but only a single mistake to knock your site offline. Let us monitor that for you.

There are plenty more features to convince you why Oh Dear! should monitor your sites.