π Certificate Monitoring
SecTrail CM monitors your certificates 24/7 continuously and prevents service interruptions by detecting issues in advance.
An expired certificate can cause critical services to crash, resulting in revenue loss and reputation damage. With proactive monitoring, you can detect and prevent issues in advance.
Overviewβ
SecTrail CM's certificate monitoring system continuously checks the health of your certificates and creates automatic alarms for critical situations.
Key Featuresβ
- β° 24/7 Monitoring - Continuous automatic certificate status checks
- π Proactive Detection - Early warning before problems occur
- π Centralized Dashboard - View all certificate statuses from a single screen
- π¨ Smart Alarms - Customizable thresholds and notifications
- π Trend Analysis - Certificate lifecycle and usage statistics
Monitoring Metricsβ
SecTrail CM collects and analyzes comprehensive metrics for your certificates:
π Expiration Monitoringβ
Track certificate expiration dates to ensure timely renewal:
- Expiration Date - Certificate expiration date
- Days Until Expiration - Number of days until expiration
- Expiration Status - Valid, Expiring Soon, Expired
- Renewal Window - Recommended renewal time
- 90+ days: Start planning
- 30-90 days: Initiate renewal process
- 7-30 days: Urgent renewal required
- 0-7 days: Critical situation!
π Certificate Validityβ
Validate technical validity of certificates:
- Signature Verification - Signature accuracy check
- Key Usage - Key usage purpose compliance
- Extended Key Usage - Extended key usage check
- Basic Constraints - Basic constraints validation
π Chain Validationβ
Verify certificate chain integrity:
- Chain Integrity - Existence of all intermediate certificates
- Root CA Trust - Whether root CA is trusted
- Chain Order - Correctness of chain ordering
- Cross-Signing - Cross-signing status
π‘οΈ Security Scoringβ
Evaluate certificate security levels:
| Criterion | Evaluation |
|---|---|
| Key Size | 2048+ bit RSA or 256+ bit ECC recommended |
| Signature Algorithm | SHA-256 or stronger recommended |
| TLS Version | TLS 1.2+ recommended, TLS 1.0/1.1 insecure |
| Cipher Suites | Use of strong cipher suites |
| Security Score | Overall security score from A+ to F |
- MD5 or SHA-1 signed certificates are now considered insecure
- 1024 bit RSA keys are insufficient
- SSL 3.0, TLS 1.0, and TLS 1.1 protocols should no longer be used
Alarm Mechanismβ
SecTrail CM continuously monitors certificate statuses and creates automatic alarms for critical situations.
Alarm Typesβ
SecTrail CM creates different alarm levels for different situations:
| Alarm Level | Status | Example |
|---|---|---|
| π΄ Critical | Immediate action required | Certificate expired or will expire within 7 days |
| π Warning | Attention required | Certificate will expire within 7-30 days |
| π‘ Info | Information | Certificate will expire within 30-90 days |
| π’ OK | No issues | Certificate is valid and healthy |
Alarm Triggersβ
The following situations create alarms:
- β° Expiration Approaching - Based on defined threshold values
- π Security Issue - Weak algorithm or key size
Notification Channelsβ
You can use multiple notification channels simultaneously for certificates that have entered alarm status.
SecTrail CM supports the following notification channels:
π§ Email Notificationsβ
The most commonly used notification method:
- Automatic email delivery to relevant teams or users
- Direct action links
- Group or individual notifications
- Customizable email templates
π± SNMP Trapβ
For enterprise monitoring systems:
- Integration with centralized monitoring systems
- SNMPv2c and SNMPv3 support
- Customizable trap messages
Ownership Managementβ
You can use a flexible ownership model to ensure alarms reach the right people and teams.
SecTrail CM offers a two-level ownership model:
π₯οΈ Server-based Ownershipβ
Responsibility assignment at the server level:
Advantages:
- All certificates on a single server are routed to the same team
- Organization based on infrastructure responsibility
- Easy bulk management
π Certificate-based Ownershipβ
Define custom ownership for each certificate:
Advantages:
- Granular control and responsibility
- Domain-based organization
- Custom application ownership
Ownership Priorityβ
Priority order in case of ownership conflict:
- Certificate-based Ownership
- Server-based Ownership
- Default Ownership
For critical certificates, you can provide dual-layer notifications by defining both certificate-based and server-based ownership.
Reporting and Analysisβ
Monitoring Reportsβ
SecTrail CM generates regular monitoring reports:
- π Daily Status Report - Daily certificate status summary
- π Weekly Trend Analysis - Weekly changes and trends
- π Monthly Compliance Report - Compliance and security status
- π Custom Reports - Customized reports based on needs
Dashboard and Visualizationβ
- Real-time Dashboard - Instant certificate status
- Expiration Timeline - Expiration calendar view
- Alarm History - Historical alarms and interventions
Get Startedβ
- π User Guide: Monitoring - CA integration and configuration steps