Trigger for Certificate Expiration



Does anyone have a trigger for identifying expired SSL certificates? I want to alert when a certificate is expired on a device.


Only debugged so far but this should be close…

    /* Trigger on SSL_OPEN events */

    /* Assign to SSL devices, then graph in custom network page and/or 
       alert on the custom stat as desired */ 

    if (SSL.certificate === null) { return; }

    /* Adjust this variable to only catch CN's of interest */
    var subjectsOfInterest = /(extrahop\.com|networktimeout\.com)/;

    var subject = SSL.certificate.subject;
    if (!subjectsOfInterest.test(subject)) { return; }

    /* Adjust this variable depending on how much notice is desired */
    var advanceDaysNotice = 90;
    /* Compute current Unix epoch time in seconds for comparison to cert expiration */
    var now = getTimestampMSec() / 1000;
    /* Convert time to expire into days and log a stat if we're inside the window */
    if ((SSL.certificate.notAfter - now)/86400 <= advanceDaysNotice) {
       Network.metricAddCount('expiring_ssl_open', 1);
       Network.metricAddDetailCount('expiring_ssl_open_detail', SSL.certificate.subject, 1);
    }
    /* Log the computed values for debugging */
    debug("Cert: " + SSL.certificate.subject + "\nCert NA: " + SSL.certificate.notAfter + "\nNow: " + now + "\nExpires in " + ~~((SSL.certificate.notAfter - now)/86400) + " days");
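
An offline version of the trigger's window check, as an added example that is not part of the original post or ExtraHop's own code: it separates already-expired certificates from ones inside the notice window, which the original question asks about. `classifyCert`, `summarize` and the sample certificates are hypothetical and constructed, and `notAfter` is assumed to be Unix epoch seconds, as the trigger's arithmetic implies.

```javascript
// Added example: offline classifier mirroring the trigger's window check.
// Assumes notAfter is Unix epoch seconds, as the trigger's arithmetic implies.
const SECONDS_PER_DAY = 86400;

// Returns null when the cert should be ignored, otherwise
// { subject, state: 'expired' | 'expiring' | 'ok', daysLeft }.
function classifyCert(cert, nowSec, opts) {
  const { subjectsOfInterest, advanceDaysNotice } = opts;
  if (!cert || typeof cert.notAfter !== 'number' || !isFinite(cert.notAfter)) {
    return null; // no certificate, or no usable expiry on the session
  }
  if (subjectsOfInterest && !subjectsOfInterest.test(cert.subject || '')) {
    return null; // subject not of interest
  }
  const secondsLeft = cert.notAfter - nowSec;
  // Math.floor keeps the sign: a cert that expired 12 hours ago gives -1,
  // whereas ~~ truncates toward zero and would report 0 days.
  const daysLeft = Math.floor(secondsLeft / SECONDS_PER_DAY);
  let state = 'ok';
  if (secondsLeft <= 0) state = 'expired';
  else if (secondsLeft <= advanceDaysNotice * SECONDS_PER_DAY) state = 'expiring';
  return { subject: cert.subject, state, daysLeft };
}

// Group results by state, the shape a detail metric or report would need.
function summarize(certs, nowSec, opts) {
  const summary = { expired: [], expiring: [], ok: [] };
  for (const cert of certs) {
    const result = classifyCert(cert, nowSec, opts);
    if (result) summary[result.state].push(result);
  }
  return summary;
}

// Constructed sample data (not from a real capture).
const NOW = 1700000000;
const SAMPLE_CERTS = [
  { subject: 'CN=www.extrahop.com', notAfter: NOW - 43200 },         // expired 12h ago
  { subject: 'CN=api.extrahop.com', notAfter: NOW + 30 * 86400 },    // 30 days left
  { subject: 'CN=networktimeout.com', notAfter: NOW + 400 * 86400 }, // outside window
  { subject: 'CN=unrelated.example', notAfter: NOW - 86400 },        // filtered out
  null,                                                              // session without a cert
];
const OPTS = {
  subjectsOfInterest: /(extrahop\.com|networktimeout\.com)/,
  advanceDaysNotice: 90,
};

const report = summarize(SAMPLE_CERTS, NOW, OPTS);
console.log(JSON.stringify(report, null, 2));
```
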



I’m checking to see if you were able to get this working for you?

I have a similar need and need to send out a regular report of expiring certs.





There is a bundle at that you can tweak and apply to your environment to look for expired and expiring certs. Enjoy!


If you have feedback on the bundle, you can post it here: Expiring SSL Certificates

You’re also welcome to post your own bundles here: