SSL Certificate Monitoring
Proper SSL Certificate Monitoring.
We're talking more than just expiration dates.
SSL Certificate Expirations
We know, technically they're called X.509 Public Key Certificates, but the whole world calls them SSL certificates. We'll monitor your site's certificate expiration dates and send you a notification when they're about to expire.
But we don't just monitor your domain's certificate: we verify all your intermediate certificates, too. And if a certificate changes, you'll be presented with a clean before & after report, so you'll see if any of the covered domains have changed too.
OCSP, CT, CRL, HPKP, ... do any of those ring a bell? If not, trust us to monitor it for you. We check all your certificates - including your intermediates - to see if they've been revoked, either through Certificate Revocation Lists (CRL) or the Online Certificate Status Protocol (OCSP).
If you're using any public key pinning mechanism like HPKP, we'll verify that your certificates still match and will report best practice improvements when we detect you've pinned a leaf key over an intermediate.
Certificate Chain validation
A chain is only as strong as its weakest link, and SSL certificates are the prime example. We don't just monitor your domain's certificate: we check every intermediate certificate too, up to the root certificate, to verify the chain of trust.
We look for SHA-1 certificates, revoked intermediates, distrusted root certificates and similar problems, each of which can cause your site to become unavailable. None of those changes are in your control: these decisions get made by the Certificate Authorities (CAs) or the browsers themselves, coordinated via the CA/Browser Forum.
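To show what the expiry monitoring and before & after report above, and the chain-of-trust walk in this section, boil down to, here is an added example that is not part of the Oh Dear! page or product. It works on a constructed chain in the dict layout that Python's ssl.SSLSocket.getpeercert() returns (leaf first, root last), and uses a stand-in set of trusted root names instead of a real browser root store.

```python
import ssl
import time

# Constructed sample chain in the dict layout ssl.SSLSocket.getpeercert()
# returns (leaf first, root last); not captured from a live host.
CHAIN = [
    {"subject": ((("commonName", "www.example.test"),),),
     "issuer": ((("commonName", "Example Intermediate CA"),),),
     "notAfter": "Jul  1 12:00:00 2030 GMT",
     "subjectAltName": (("DNS", "www.example.test"), ("DNS", "example.test"))},
    {"subject": ((("commonName", "Example Intermediate CA"),),),
     "issuer": ((("commonName", "Example Root CA"),),),
     "notAfter": "Jan  1 12:00:00 2035 GMT"},
    {"subject": ((("commonName", "Example Root CA"),),),
     "issuer": ((("commonName", "Example Root CA"),),),
     "notAfter": "Jan  1 12:00:00 2040 GMT"},
]
TRUSTED_ROOTS = {"Example Root CA"}  # stand-in for the browser root store

def common_name(rdns):
    """Pull commonName out of getpeercert()'s nested RDN tuples."""
    return dict(attr for rdn in rdns for attr in rdn).get("commonName")

def check_chain(chain, trusted_roots, now=None, warn_days=14):
    """Return findings: expiring/expired certs, broken links, untrusted root."""
    now = time.time() if now is None else now
    findings = []
    for depth, cert in enumerate(chain):
        name = common_name(cert["subject"])
        # cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" notAfter form
        days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
        if days_left < 0:
            findings.append(f"{name}: expired {-days_left:.0f} days ago")
        elif days_left < warn_days:
            findings.append(f"{name}: expires in {days_left:.0f} days")
        issuer = common_name(cert["issuer"])
        if depth + 1 < len(chain):
            # each certificate must be issued by the next one up the chain
            if issuer != common_name(chain[depth + 1]["subject"]):
                findings.append(f"{name}: issuer {issuer!r} does not match next cert")
        elif issuer != name or name not in trusted_roots:
            # the last cert must be a self-signed root we actually trust
            findings.append(f"{name}: chain does not end in a trusted root")
    return findings

def san_diff(old_cert, new_cert):
    """Before/after report of the DNS names a replaced certificate covers."""
    old = {v for k, v in old_cert.get("subjectAltName", ()) if k == "DNS"}
    new = {v for k, v in new_cert.get("subjectAltName", ()) if k == "DNS"}
    return {"added": sorted(new - old), "removed": sorted(old - new)}
```

Real monitoring needs the full chain as served by the host; the stdlib's getpeercert() returns only the leaf, so a production checker fetches the intermediates separately.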
Certificate Transparency Monitoring & Alerting
In the near future, every issued certificate will have to be published to known Certificate Transparency logs. As a result, every certificate issued becomes public knowledge.
We monitor those Certificate Transparency logs and will alert you whenever a new certificate is issued for one of your domains. You can then decide whether you requested it yourself or a malicious actor obtained it, and act accordingly.
$ cat ohdearapp.conf
# Enable TLS
ssl on;
ssl_certificate fullchain.pem;
ssl_certificate_key privkey.pem;
ssl_session_timeout 3m;
ssl_session_cache shared:SSL:30m;
# Configure TLS, prefer strong ciphers
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128..;
ssl_prefer_server_ciphers on;
# Use a 4096-bit key length for Diffie-Hellman, prevents the Logjam attack
ssl_dhparam dhparam-4096bit.pem;
# OCSP server-side checks (stapling) are enabled
ssl_stapling on;
ssl_stapling_verify on;
resolver_timeout 60s;
ssl_trusted_certificate fullchain.pem;
TLS cipher monitoring
Configuring HTTPS is great, but if you use weak encryption ciphers or don't support Perfect Forward Secrecy (PFS), your website is missing critical security features.
We will routinely scan your server(s) and report changes in TLS ciphers, alert when weak ciphers or hashes like RC4, MD5 or DES are used, and flag insecure protocols like SSLv2 or SSLv3.
Additionally, we'll check your OCSP stapling and whether your server enforces its own preferred cipher order, so downgrade attacks are prevented.
HTTPS isn't a very forgiving protocol: it takes a lot of configuration settings to get it right, but only a single mistake to knock your site offline. Let us monitor that for you.
There are plenty more features to convince you why Oh Dear! should monitor your sites.