Monitor SSL TLS Certificate Expiration

What is an SSL Certificate

Secure Socket Layer (SSL) and its successor, Transport Layer Security (TLS) are protocols designed to safeguard traffic over the internet. SSL certificates allow websites to move from HTTP to HTTPS, a more secure communication channel on a network. Starting this September, the lifespan of an SSL/TLS certificate will be limited to 398 days, a reduction from the previous maximum certificate lifetime of 825 days. With this change, everyone needs to more carefully monitor SSL certificate expiration and server characteristics.

Publicly trusted SSL/TLS certificates issued on and after September 01, 2020, with a validity of more than 398 days will be rejected by browser makers such as Apple, Microsoft, Google, Mozilla, and Opera. Cloud service providers will require that their certificates comply with this requirement else web browsers may not render their pages correctly or fail to load. As of today, the combined global market share for desktop browser usage for Chrome, Firefox, and Safari is more than 85%.

Source: StatCounter Global Stats – Browser Market Share

In a move that may seem arbitrary, the reduction of certificate lifespan offers end users a secure and authentic digital experience. Certificates that have a lifespan longer than 398 days can delay any major internet outage incident and upgrade to a secure technology stack. The last thing an enterprise would want is to see its Teams certificate get revoked and cause disruption at work because someone in IT forgot to renew the certificate license. Such an act would profoundly impact worker productivity and business revenue.

According to the Ponemon survey, the average global 5000 company spends about $15 million to recover from business loss due to a certificate outage and faces another $25 million due to non-compliance.

Additionally, hackers over time can exploit weaknesses in algorithms to forge or clone certificates and have end users reveal their sensitive confidential information on an impersonated website. One-year certificates lead to a more frequent generation of new key pairs and limit exposure to compromise.

Another challenge that derails the certification process is that several internal technical teams will create their version of monitoring tools without consulting or coordinating the requirements with the central IT function. These siloed teams make it difficult for even the best network administrators to account for all the critical certificates that need renewing. Such tools lack the sophistication to crawl the entire organization’s network and scan for all certificates needed to run IT efficiently and smoothly.

An automated modern system would catalog all the certificates found, load certificates into a queue in the order of expiry date, and conveniently replace them when necessary. Consider that DevOps might want to run a web application in a virtual mode within a hybrid cloud environment. The increasing complexity of the IT landscape means that enterprises would need to explore all types of certificates beyond just SSL/TLS – virtualization, containerization, encrypted emails, IOT certificates, software update license, SDN, and more.

Microsoft Teams Outage Due to Expired SSL Certificate

At the beginning of this year (if you were following us closely!), we wrote a blog on Microsoft Teams Outage that was caused due to an expired certificate. Teams was down for hours, leaving users around the world not able to login to their services. Microsoft admins forgot to renew their SSL certificate, something unusual for its company size.

Exoprise CloudReady Teams Audio Video sensors were able to detect this outage early and inform its customers well before Microsoft reported the problem.

The issue started at 8:50 am and quickly spread to multiple continents. Around 3 pm, Microsoft acknowledged that an expired authentication certificate was the cause of the outage and finally deploying the fix at 4:27 pm EST. Timely detection and renewal process of the expired certificate would have been less disruptive at a scheduled time, thus saving thousands of wasted employee work hours to an outage.

How to Monitor SSL Certificate Expiration

To combat the certificate expiry issue, Exoprise currently offers two out-of-the-box CloudReady sensors (SSLCheck and SSLMonitor) for monitoring SSL/TLS connections over the network. These sensors help protect an organization against X.509 certificate outages, spoofing, and misconfigured servers.

IT administrators looking to ensure seamless delivery of Microsoft Teams services to employees can regularly monitor the web server’s health, its ability to accept/respond to sessions on a secure channel and verify the certificate expiration date.

• The first sensor, SSLCheck, allows monitoring for up to 5 TLS servers (whether you own them or not) for performance, authentication, and X.509 certificate expiration. Admins can get proactive alerts in any ITSM of their choice when the SSL certificates are due to expire. SSLCheck collects data on the following:
  • Mean or average SSL Validation Time for all endpoints
  • Mean TCPIP Connect time for all endpoints
  • Nearest expiration for all endpoints
  • Endpoint SSL Get Time
  • Endpoint TCP/IP Connect time
  • Endpoint Expiration
• The second sensor, SSLMonitor, allows deep monitoring for up to 2 TLS servers for any certificate changes and spoofing. This sensor is suitable for heavy and mission-critical applications that rely on deep inspection of servers and certificate infrastructure. SSLMonitor collects data on the following:
  • Certificate Changes
  • Cipher/Server Changes
  • Man-in-the-Middle Detection

Exoprise CloudReady configuration setup wizard for the SSLCheck sensor is shown below. The process is easy to set up by anyone in the IT team and allows instant monitoring of SSL/TLS certificates after deploying the sensor. Use the alarm dashboard to view all incoming notifications and alert your teams to proactively manage certificate issues before your customers get to know you.

SSLCheck Introduction: Monitor up to 5 TLS Endpoints for expiration, validation and inspection

SSLCheck Sensor Setup: Monitor up to 5 TLS Endpoints, your server or ours

SSLCheck Sensor Setup Validation Step

SSLCheck Sensor Alarm Setup: Automatically sets up alarms and notifications

Monitor TLS/SSL endpoints behind the firewall or out in the cloud with CloudReady

SSLCheck Sensor In Action

SSLMonitor Showing Cipher/Certificate Change

SSL Certificate Expiry Monitoring and Notification Benefits

SSL/TSL certification monitoring by Exoprise offers the following benefits to businesses:

• Gain visibility through proactive monitoring, discovery, and alerting on SSL certificate expiration
• Reduce operational costs and errors by automating the job of managing certificates
• Improve website security and performance with SSL monitoring in real-time
• Increase service availability and customer confidence through institutionalized best practices
• Deliver great SaaS experience by tracking service disruption and preventing an outage
• Increase reliability with a single all-in-one platform for all technology certificate needs

Monitor SSL Certificate Expiration for Teams and Others with Exoprise

Checking and monitoring certificate expiration in today’s IT environment is complex and challenging. A successful upgrade strategy for SSL/TLS certificate expiry or validity is a must for enterprises. Microsoft announced several new features for Teams at the recent #MSIgnite 2020 virtual event.

Whether your company relies on Teams or any other SaaS cloud service from the Office 365 suite, you need a robust cloud monitoring strategy to ensure business continuity and team success.

CloudReady helps you focus on things that matter to your organization and does the critical heavy lifting monitoring of cloud applications and certificate health.

Learn more about CloudReady at www.exoprise.com