check-httpv2: Certificate validity by age (ignore validation against RootCA)

37 votes

The current check-httpv2 requires that the certificate be validated against a RootCA on the local server for certificate monitoring.
However, this makes absolutely no sense, especially when monitoring many customer systems, each with their own PKIs (and thus also custom RootCAs).

We would like to check the certificate age, but WITHOUT validating it against a RootCA. I don’t want to have to import all customer Root CA certificates into my CheckMK server just to check the validity period. As things stand now, if I were to monitor an SSL certificate from a customer that was issued by their own PKI (i.e., not by a public RootCA), I would first have to import that RootCA into the CheckMK server—and that is exactly what I don't want to do.

For this, I still have to use the external “check_http” (from Nagios, because here I can explicitly check only the validity period) and cannot use the new “Check HTTP web service”, because it simply expects you to trust the RootCA. Here, I expect an option to “check certificate validity period only”.

Under consideration Checks&Agents Suggested by: Florian Upvoted: today Comments: 0