Expiring SSL Certificates

bundle

#1

### Bundle details and download
https://www.extrahop.com/bundles/gumby/expiring-ssl-certificates/

### Description
This bundle shows you how to monitor the expiry dates of SSL certificates and how to set up reporting and alerts for those events.


Trigger for Certificate Expiration
#2

I made a small edit to the trigger so that it shows expiring certificates and also calls out expired certificates that are still in use. It is a simple change to an ‘if, else if’ with multiple conditions.

This allows simple dashboard widgets to identify expired and expiring certificates separately, and makes it easier to generate reports for each.

This creates two additional metrics, and the additional cost is minimal.
Here are the edits to the original trigger:

/* Detect soon-to-expire and expired SSL certificates
 * Author: ExtraHop.com
 * Event: SSL_OPEN
 *
 * Each time the trigger runs with a certificate whose subject matches
 * subjectsOfInterest, it increments one of two metric pairs on Network:
 *   - expiring_ssl_open / expiring_ssl_open_detail: notAfter lies within
 *     advanceDaysNotice days from now and has not passed yet;
 *   - expired_ssl_open / expired_ssl_open_detail: notAfter has already
 *     passed, i.e. an expired certificate is still being presented.
 * A certificate that expires later than the notice window records nothing.
 *
 * Scope: only the expiry timestamp (notAfter) is evaluated here. Nothing in
 * this trigger looks at the issuer chain, revocation or the start of the
 * validity period, so "no metric" does not mean "certificate is valid".
 */

var SECONDS_PER_DAY = 24 * 60 * 60;

/* Adjust to catch CN's of interest. Note, needs to be RegEx.
 * The default /./i matches every subject that contains at least one
 * character, so every certificate that reaches the check is reported. */
var subjectsOfInterest = /./i;

/* Adjust as needed, in days. */
var advanceDaysNotice = 90;

/* Build the detail-metric key: label, expiry as Y/M/D, then the subject.
 * The date parts come from the local-time getters of Date, so the printed
 * day follows the time zone of the JavaScript runtime; month and day are
 * not zero-padded. notAfterSeconds is multiplied by 1000 because Date
 * expects milliseconds. */
function formatCertDetail(label, notAfterSeconds, certSubject) {
    var expiry = new Date(notAfterSeconds * 1000);
    var ymd = [
        expiry.getFullYear(),
        expiry.getMonth() + 1,      // months are zero based
        expiry.getDate()
    ].join("/");
    return label + ymd + " ; " + " Certificate: " + certSubject;
}

// exit if no SSL cert info
if (SSL.certificate === null) {
    exit();
}

/* The subject is text taken from the observed certificate and ends up inside
 * the detail-metric key below, so every distinct subject/expiry pair becomes
 * its own key.
 * NOTE(review): narrowing subjectsOfInterest to the names you operate
 * presumably keeps that key set bounded - confirm against your metric limits. */
var subject = SSL.certificate.subject;
if (!subject) {
    exit();     // exit if no subject
}
if (!subjectsOfInterest.test(subject)) {
    exit();     // exit if no match
}

var now = getTimestampMSec() / 1000;    // seconds since Unix epoch
var notAfter = SSL.certificate.notAfter;
var noticeCutoff = now + advanceDaysNotice * SECONDS_PER_DAY;

var isExpiring = (noticeCutoff >= notAfter) && (now <= notAfter);
var isExpired = notAfter < now;

if (isExpiring) {
    // still valid, but inside the notice window
    Network.metricAddCount('expiring_ssl_open', 1);
    Network.metricAddDetailCount('expiring_ssl_open_detail', formatCertDetail("Expires: ", notAfter, subject), 1);
    // debug("Cert: " + subject + "\nExpires in " + ~~( (notAfter - now)/86400 ) + " days");
} else if (isExpired) {
    // already past notAfter, yet still presented on the wire
    Network.metricAddCount('expired_ssl_open', 1);
    Network.metricAddDetailCount('expired_ssl_open_detail', formatCertDetail("Expired: ", notAfter, subject), 1);
    // debug("Cert: " + subject + "\nExpired " + ~~( (notAfter - now)/86400 ) + " days");
}

#3

What are the names of the 2 new metrics?