Content Previous Next

PRTG Manual: SSL Certificate Sensor

<%NUMBERING1%>.<%NUMBERING2%>.<%NUMBERING3%> PRTG Manual: SSL Certificate Sensor

The SSL Certificate sensor monitors the certificate of a Secure Sockets Layer (SSL)/Transport Layer Security (TLS) secured connection.

The sensor also shows the certificate common name and the certificate thumbprint in the sensor message.

SSL Certificate Sensor

For a detailed list and descriptions of the channels that this sensor can show, see section Channel List.

Sensor in Other Languages

Dutch: SSL Certificaat
French: SSL certificat
German: SSL-Zertifikat
Japanese: SSL 証明書
Portuguese: Certificado SSL
Russian: Сертификат SSL
Simplified Chinese: SSL 证书
Spanish: Certificado SSL

Remarks

Enter the Domain Name System (DNS) name in the settings of the parent device exactly as it is written in your certificate. You can also use wildcards.

To check the revocation status of a certificate, the sensor uses WinHTTP to auto-detect the proxy server to use. You can also manually define a server. If you do not define a proxy server, PRTG uses the default WinHTTP proxy settings. For more information, see the Knowledge Base: How can I configure the WinHTTP proxy settings for the SSL Certificate sensor?
This sensor has predefined limits for several metrics. You can individually change these limits in the channel settings. For detailed information about channel limits, see section Channel Settings.
This sensor supports the IPv6 protocol.

This sensor has a very low performance impact.

This sensor uses lookups to determine the status values of one or more channels. This means that possible states are defined in a lookup file. You can change the behavior of a channel by editing the lookup file that the channel uses. For details, see section Define Lookups.

This sensor supersedes the deprecated HTTP Certificate Expiry sensor.

Add Sensor

The Add Sensor dialog appears when you manually add a new sensor to a device. It only shows the settings that are required to create the sensor. You can change nearly all settings on the sensor's Settings tab after creation.

Basic Sensor Settings

Click the Settings tab of a sensor to change its settings.

Basic Sensor Settings

Setting	Description
Sensor Name	Enter a name to identify the sensor.
Parent Tags	Shows tags that the sensor inherits from its parent device, parent group, and parent probe. This setting is for your information only. You cannot change it.
Tags	Enter one or more tags. Confirm each tag with the Spacebar key, a comma, or the Enter key. You can use tags to group objects and use tag-filtered views later on. Tags are not case-sensitive. Tags are automatically inherited. It is not possible to enter tags with a leading plus (+) or minus (-) sign, nor tags with parentheses (()) or angle brackets (<>). For performance reasons, it can take some minutes until you can filter for new tags that you added. The sensor has the following default tags that are automatically predefined in the sensor's settings when you add the sensor: sslcertificate ssl certificate
Priority	Select a priority for the sensor. This setting determines the position of the sensor in lists. The highest priority is at the top of a list. Choose from the lowest priority () to the highest priority ().
Timeout (Sec.)	Enter a timeout in seconds for the TCP read request. Enter an integer. The maximum timeout value is 300 seconds (5 minutes). If the reply takes longer than this value, the sensor cancels the request and shows a corresponding error message.

Usually, a sensor connects to the IP Address/DNS Name of the parent device. See the device settings for details. For some sensors, you can explicitly define the monitoring target in the sensor settings.

SSL Certificate Specific

Setting	Description
Port	Enter the number of the port to which this sensor connects. Enter an integer. The default port is 443.
Virtual Host (SNI Domain)	Define the host name that the sensor tries to query if your server has multiple certificates on the same IP address and port combination. Enter a string. In the case of virtual hosting, you must identify the specific certificate for a specific domain while all domains use the same IP address, you can use SNI, which is an extension of TLS. If you select a Certificate Name Validation option below, the sensor compares the common name and optionally alternative names with the SNI. Leave this field empty to validate the common name with the host address of the parent device.
Certificate Name Validation	Define if you want the sensor to validate the certificate name: Do not compare common name (CN) with device address or SNI (default): Do not check if the certificate name is valid by comparing it with the address of the parent device or the defined SNI. Compare and show down status if common name (CN) and address/SNI do not match: Check the common name to validate the certificate name. If you define an SNI above, the sensor compares the common name with the SNI. If you do not define an SNI, the sensor uses the host address of the parent device. If the common name and the checked address/SNI do not match, the sensor shows the Down status. Compare and show down status if common name (CN)/alternative names (SAN) and address/SNI do not match: Check the common name and the Subject Alternative Names (SAN) to validate the certificate. If you define an SNI domain above, the sensor compares the common name and alternative names with the SNI. If you do not define an SNI, the sensor uses the host address of the parent device. If the common name or alternative names and the checked address/SNI do not match, the sensor shows the Down status.

Setting

Description

Port

Enter the number of the port to which this sensor connects. Enter an integer. The default port is 443.

Virtual Host (SNI Domain)

Define the host name that the sensor tries to query if your server has multiple certificates on the same IP address and port combination. Enter a string.

In the case of virtual hosting, you must identify the specific certificate for a specific domain while all domains use the same IP address, you can use SNI, which is an extension of TLS.

If you select a Certificate Name Validation option below, the sensor compares the common name and optionally alternative names with the SNI. Leave this field empty to validate the common name with the host address of the parent device.

Certificate Name Validation

Define if you want the sensor to validate the certificate name:

Do not compare common name (CN) with device address or SNI (default): Do not check if the certificate name is valid by comparing it with the address of the parent device or the defined SNI.
Compare and show down status if common name (CN) and address/SNI do not match: Check the common name to validate the certificate name. If you define an SNI above, the sensor compares the common name with the SNI. If you do not define an SNI, the sensor uses the host address of the parent device. If the common name and the checked address/SNI do not match, the sensor shows the Down status.
Compare and show down status if common name (CN)/alternative names (SAN) and address/SNI do not match: Check the common name and the Subject Alternative Names (SAN) to validate the certificate. If you define an SNI domain above, the sensor compares the common name and alternative names with the SNI. If you do not define an SNI, the sensor uses the host address of the parent device. If the common name or alternative names and the checked address/SNI do not match, the sensor shows the Down status.

Connection Specific

Setting	Description
SOCKS Proxy (v5 only)	Define if the sensor uses a SOCKS proxy server for the sensor connection: Do not use SOCKS proxy (default): Directly connect to the target host without using a SOCKS proxy. Use SOCKS proxy: Connect using SOCKS5. Provide data for the SOCKS connection below. Other SOCKS versions are not supported. This sensor only supports SOCKS5 proxies. It does not support HTTP proxies.
Server	This setting is only visible if you select Use SOCKS proxy above. Enter the IP address or host name of the proxy server that the sensor uses for connection.
Port	This setting is only visible if you select Use SOCKS proxy above. Enter the port number of the proxy server that the sensor uses for connection.
User Name	This setting is only visible if you select Use SOCKS proxy above. If the proxy server requires authentication, enter a username.
Password	This setting is only visible if you select Use SOCKS proxy above. If the proxy server requires authentication, enter the password for the user you specified above.

Debug Options

Setting	Description
Result Handling	Define what PRTG does with the sensor result: Discard result: Do not store the sensor result. Store result: Store the last sensor result to the \Logs\sensors subfolder of the PRTG data directory on the probe system. The file names are Result of Sensor [ID].Data.txt, Result of Sensor [ID] (Certificate 0 in Certificate Chain).cer, Result of Sensor [ID] (Certificate 1 in Certificate Chain).cer, Result of Sensor [ID] (Certificate 2 in Certificate Chain).cer, Result of Sensor [ID] (Certificate Chain).txt, and Result of Sensor [ID] (Certificate).cer. This setting is for debugging purposes. PRTG overwrites these files with each scanning interval. This option is not available when the sensor runs on the hosted probe of a PRTG Hosted Monitor instance. In a cluster, PRTG stores the result in the PRTG data directory of the master node.

Setting

Description

Result Handling

Define what PRTG does with the sensor result:

Discard result: Do not store the sensor result.

Store result: Store the last sensor result to the \Logs\sensors subfolder of the PRTG data directory on the probe system. The file names are Result of Sensor [ID].Data.txt, Result of Sensor [ID] (Certificate 0 in Certificate Chain).cer, Result of Sensor [ID] (Certificate 1 in Certificate Chain).cer, Result of Sensor [ID] (Certificate 2 in Certificate Chain).cer, Result of Sensor [ID] (Certificate Chain).txt, and Result of Sensor [ID] (Certificate).cer. This setting is for debugging purposes. PRTG overwrites these files with each scanning interval.

This option is not available when the sensor runs on the hosted probe of a PRTG Hosted Monitor instance.

In a cluster, PRTG stores the result in the PRTG data directory of the master node.

You can use the debug option to get a logfile with information about the certificate chain. Additionally, certificates in the certificate chain are stored in the log folder (.cer files). This can help you, for example, if you have issues with the Root Authority Trusted channel of this sensor.

Sensor Display

Setting	Description
Primary Channel	Select a channel from the list to define it as the primary channel. In the device tree, the last value of the primary channel is always displayed below the sensor's name. The available options depend on what channels are available for this sensor. You can set a different primary channel later by clicking below a channel gauge on the sensor's Overview tab.
Graph Type	Define how different channels are shown for this sensor: Show channels independently (default): Show a graph for each channel. Stack channels on top of each other: Stack channels on top of each other to create a multi-channel graph. This generates a graph that visualizes the different components of your total traffic. You cannot use this option in combination with manual Vertical Axis Scaling (available in the channel settings).
Stack Unit	This setting is only visible if you enable Stack channels on top of each other as Graph Type. Select a unit from the list. All channels with this unit are stacked on top of each other. By default, you cannot exclude single channels from stacking if they use the selected unit. However, there is an advanced procedure to do so.

Setting

Description

Primary Channel

Select a channel from the list to define it as the primary channel. In the device tree, the last value of the primary channel is always displayed below the sensor's name. The available options depend on what channels are available for this sensor.

You can set a different primary channel later by clicking below a channel gauge on the sensor's Overview tab.

Graph Type

Define how different channels are shown for this sensor:

Show channels independently (default): Show a graph for each channel.
Stack channels on top of each other: Stack channels on top of each other to create a multi-channel graph. This generates a graph that visualizes the different components of your total traffic.
You cannot use this option in combination with manual Vertical Axis Scaling (available in the channel settings).

Stack Unit

This setting is only visible if you enable Stack channels on top of each other as Graph Type. Select a unit from the list. All channels with this unit are stacked on top of each other. By default, you cannot exclude single channels from stacking if they use the selected unit. However, there is an advanced procedure to do so.

Inherited Settings

By default, all of these settings are inherited from objects that are higher in the hierarchy. We recommend that you change them centrally in the root group settings if necessary. To change a setting for this object only, click under the corresponding setting name to disable the inheritance and to display its options.

For more information, see section Inheritance of Settings.

Scanning Interval

For more information, see section Root Group Settings, section Scanning Interval.

Schedules, Dependencies, and Maintenance Window

You cannot interrupt the inheritance for schedules, dependencies, and maintenance windows. The corresponding settings from the parent objects are always active. However, you can define additional schedules, dependencies, and maintenance windows. They are active at the same time as the parent objects' settings.

Schedules, Dependencies, and Maintenance Window

For more information, see section Root Group Settings, section Schedules, Dependencies, and Maintenance Window.

Access Rights

For more information, see section Root Group Settings, section Access Rights.

Using Wildcards

You can use wildcards in the IP Address/DNS Name in the device settings. Wildcards that apply to only one level of the domain name are supported.

Example	Result
*.wildcard.com for www.wildcard.com	Works
api.wildcard.com for api.wildcard.com	Works
contoso.com for contoso.com	Works
*.subapi.subapi2.wildcard.com for de.subapi.subapi2.wildcard.com	Works
. .wildcard.com for www.de.wildcard.com	Not supported
*.wildcard.com for de.subapi.wildcard.com	Doesn't work
www.contoso.com for contoso.com	Doesn't work
subapi.*.wildcard.com for subapi.dns.wildcard.com	Doesn't work

Channel List

Which channels the sensor actually shows might depend on the target device, the available components, and the sensor setup.

Channel	Description
Common Name Check	If the common name or subject-alternative names match the host address or Server Name Indication (SNI) (if certificate name validation is enabled) Up status: CN/SAN Match, Disabled, Matches Device Address, Matches SNI Down status: CN/SAN Do Not Match SNI, Does Not Match Device Address, Does Not Match SNI
Days to Expiration	The days to expiration with a predefined lower warning limit (28 days) and lower error limit (7 days) This channel is the primary channel by default.
Downtime	In the channel table on the Overview tab, this channel never shows any values. PRTG uses this channel in graphs and reports to show the amount of time in which the sensor was in the Down status in percent.
Public Key Length	The public key length Up status: RSA keys: For 2048-bit keys (good security) and longer (perfect security) Elliptic Curve Cryptography (ECC) keys: For 128-bit and 192-bit keys (good security) and longer (perfect security) Warning status: For weak security Down status: For shorter keys (unsecure) Unknown status: Unknown
Revoked	If the certificate has been revoked Up status: No Warning status: Unable To Check Revocation Status Down status: Yes
Root Authority Trusted	If the certificate is trusted as root authority Up status: Yes Warning status: No
Self-Signed	If a self-signed certificate is used Up status: Yes, No

Knowledge Base

How can I configure the WinHTTP proxy settings for the SSL Certificate sensor?

https://kb.paessler.com/en/topic/86280

What security features does PRTG include?

https://kb.paessler.com/en/topic/61108