
Splunk Lantern

SSL certificates nearing expiration

You might want to monitor and alert when an SSL certificate on a critical URL is about to expire or has just expired when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

An SSL certificate that is allowed to expire often causes an outage or, at a minimum, a poor user experience for visitors to the site.

To optimize the search shown below, you should specify an index and a time range. 

  1. Verify that you installed the SSL Certificate Lookup Add-on. For more information, see About installing Splunk add-ons.
  2. Run the following search: 
    | makeresults 
    | eval dest="<domain to check>" 
    | lookup sslcert_lookup dest
    | eval seconds_till_expiry = ssl_end_time - now(), duration_till_expiry = tostring(seconds_till_expiry, "duration")
    | table dest seconds_till_expiry duration_till_expiry ssl_is_valid ssl_issuer_common_name
    

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search:
    | makeresults
    | eval dest="<domain to check>"
Explanation:
    Generate a single record for the site/domain whose SSL certificate you want to check.

Splunk Search:
    | lookup sslcert_lookup dest
Explanation:
    Invoke the external lookup that retrieves the details of the SSL certificate for the domain, including its expiration date.

Splunk Search:
    | eval seconds_till_expiry = ssl_end_time - now(), duration_till_expiry = tostring(seconds_till_expiry, "duration")
Explanation:
    Calculate the number of seconds before the SSL certificate is set to expire, and convert that value to a human-readable duration.

Splunk Search:
    | table dest seconds_till_expiry duration_till_expiry ssl_is_valid ssl_issuer_common_name
Explanation:
    Display the results in a table with columns in the order shown.

Result

The SPL in this procedure uses the makeresults and eval commands to specify a single domain to check; however, other more scalable options are also viable. For instance, you could:

  • Create a lookup with a list of domains to periodically check and begin the SPL with | inputlookup <your_domain_lookup_file>
  • Use raw results from a Splunk search, such as the data coming from the Website Monitor app to identify the domains to check

To alert when an SSL certificate is nearing or past expiration, you can use the SPL in this procedure to configure a Core Splunk alert. You can filter the results based on the number of seconds before the SSL certificate is expiring. For instance, adding | where seconds_till_expiry < (60*60*24) will alert when an SSL certificate is set to expire within the next 24 hours. 
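The following search combines the scalable lookup-driven approach with the alert filter described above. It is an added example, not part of the original article or the SSL Certificate Lookup Add-on, and it assumes a lookup file named monitored_domains.csv (a hypothetical name) that contains a dest column listing the domains to check, and a warning threshold of seven days:

```spl
| inputlookup monitored_domains.csv
| lookup sslcert_lookup dest
| eval seconds_till_expiry = ssl_end_time - now(), duration_till_expiry = tostring(seconds_till_expiry, "duration")
| eval status = if(isnull(seconds_till_expiry), "lookup failed", if(seconds_till_expiry < 0, "expired", "expiring soon"))
| where isnull(seconds_till_expiry) OR seconds_till_expiry < (60*60*24*7)
| table dest status seconds_till_expiry duration_till_expiry ssl_is_valid ssl_issuer_common_name
| sort seconds_till_expiry
```

The isnull check is deliberate: if the lookup cannot reach a host or cannot parse its certificate, ssl_end_time is empty and a plain `where seconds_till_expiry < ...` filter would silently drop that domain from the results. Surfacing it as "lookup failed" means a monitoring gap shows up in the same alert as an expiring certificate. Save the search as a scheduled alert that triggers when the number of results is greater than zero, and adjust the 60*60*24*7 threshold to match how much lead time your renewal process needs.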
