    Cert Checking - Automated

    Mark Shaw Level 1



      Looking for thoughts on the best way of checking certificates on a monthly basis, especially looking for expired / soon to expire.


      I currently scan our external address space and run a report looking for QID 38174.  Bit clunky and I need to remember to run the report.


      Anything else, preferably free or currently in Qualys tool kit?





          Mike Pomraning Level 1



          Either QualysGuard's Scheduled Reports feature or the programmatic flexibility of the API can solve this problem.


          (SSL Labs can help, too, but that service is interactive and one-at-a-time, which is not what you're looking for.)

          Scheduled Reports


          To see how this would work I logged in to my QualysGuard VM subscription and navigated to "Reports" and then the "Search Lists" tab.  I defined a new Static List for relevant SSL/TLS certificate QIDs:  38167 – 38174.  (These cover expired, expiring, nonsensical start dates, self-signed, etc.)


          Then under the "Templates" tab I created a new Scan Template using my search list.  I also restricted the new template to HTTPS ports, since that's what I was exclusively interested in.


          Finally, under the "Schedules" tab I configured a new Scan Report (Template Based) from this template.  I set my time zone, scheduled monthly recurrence, and requested email notification to myself.


          Note:  If you take this approach, be sure to schedule a scan to run before the report, so that your new report has fresh data to work from each time it runs.



          QualysGuard API


          Alternatively, if you have the development resources for a modest custom script, the asset/host/vm/detection QualysGuard 2.0 API call can provide you with the information you need.


          You could either request the same QIDs as above or, if you're comfortable parsing XML and text, take a handy shortcut and simply search for QID 86002 ("SSL Certificate - Information").  The "RESULTS" section of this IG contains a parseable text dump of the detected SSL/TLS certificate chain.  The Valid From and Valid To lines contain the date information you're looking for.


          From there you just need something like cron (Unix), Task Scheduler (Windows) or a recurring entry in your ticketing system to run the script monthly.


          Good luck!
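An added example of the API-based approach described in the answer above (this is not code from the thread or from Qualys): a script that walks a host detection response, picks out QID 86002 detections, pulls the "Valid From" / "Valid To" lines out of the RESULTS text and flags certificates that are expired or expire within a warning window. It assumes the response shape of the QualysGuard 2.0 asset/host/vm/detection call (HOST_LIST/HOST/DETECTION_LIST/DETECTION with QID, PORT and RESULTS) and a per-certificate "Valid From" / "Valid To" line pair inside RESULTS; the sample XML, the "(n)" chain-index prefix, the date formats and the IP addresses are constructed for the example rather than captured scan output, so adjust the regex and DATE_FORMATS to what your own subscription returns.

```python
"""Flag expired and soon-to-expire certificates from QID 86002 RESULTS text.

Added example, not from the thread. The XML layout and the RESULTS line format
are assumptions; the sample below is constructed, not real scanner output.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample in the assumed shape of a host detection API response.
SAMPLE_XML = """<HOST_LIST_VM_DETECTION_OUTPUT>
  <RESPONSE>
    <HOST_LIST>
      <HOST>
        <ID>1001</ID>
        <IP>203.0.113.10</IP>
        <DETECTION_LIST>
          <DETECTION>
            <QID>86002</QID>
            <PORT>443</PORT>
            <RESULTS><![CDATA[(0)CERTIFICATE 0
(0)Subject CN=www.example.com
(0)Valid From 2023-01-01 00:00:00 GMT
(0)Valid To 2023-06-30 23:59:59 GMT
(1)CERTIFICATE 1
(1)Subject CN=Example Issuing CA
(1)Valid From 2020-01-01 00:00:00 GMT
(1)Valid To 2030-01-01 00:00:00 GMT]]></RESULTS>
          </DETECTION>
          <DETECTION>
            <QID>38174</QID>
            <PORT>443</PORT>
            <RESULTS>unrelated detection, skipped by the QID filter</RESULTS>
          </DETECTION>
        </DETECTION_LIST>
      </HOST>
      <HOST>
        <ID>1002</ID>
        <IP>198.51.100.20</IP>
        <DETECTION_LIST>
          <DETECTION>
            <QID>86002</QID>
            <PORT>8443</PORT>
            <RESULTS><![CDATA[(0)CERTIFICATE 0
(0)Subject CN=old.example.net
(0)Valid From 2022-05-31 00:00:00 GMT
(0)Valid To 2023-05-31 00:00:00 GMT
(1)CERTIFICATE 1
(1)Valid From Jan 01 00:00:00 2020 GMT
(1)Valid To Dec 31 23:59:59 2030 GMT]]></RESULTS>
          </DETECTION>
        </DETECTION_LIST>
      </HOST>
    </HOST_LIST>
  </RESPONSE>
</HOST_LIST_VM_DETECTION_OUTPUT>
"""

# "Valid From ..." / "Valid To ..." lines; the optional "(n)" chain-index prefix is assumed.
VALID_LINE = re.compile(r"^\s*(?:\(\d+\))?\s*Valid (From|To)\s+(.+?)\s*$", re.MULTILINE)

# Date layouts accepted by parse_date (assumed; extend to match your RESULTS text).
DATE_FORMATS = ("%Y-%m-%d %H:%M:%S GMT", "%b %d %H:%M:%S %Y GMT")

# Fixed "now" used by the stand-alone run so the sample gives repeatable output.
SAMPLE_NOW = datetime(2023, 6, 15, 12, 0, 0)


def parse_date(text):
    """Parse a Valid From/To value, trying each known layout in turn."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised date: %r" % text)


def parse_cert_validity(results_text):
    """Return one {'valid_from', 'valid_to'} dict per certificate in the chain.

    A 'Valid From' line opens a new certificate; the next 'Valid To' closes it.
    Entries missing either date are dropped rather than guessed.
    """
    certs = []
    for match in VALID_LINE.finditer(results_text):
        which, when = match.group(1), parse_date(match.group(2))
        if which == "From":
            certs.append({"valid_from": when, "valid_to": None})
        elif certs and certs[-1]["valid_to"] is None:
            certs[-1]["valid_to"] = when
    return [c for c in certs if c["valid_to"] is not None]


def classify(valid_to, now, warn_days):
    """Classify a certificate as 'expired', 'expiring' or 'ok' relative to now."""
    days_left = (valid_to - now).days
    if valid_to <= now:
        return "expired", days_left
    if days_left <= warn_days:
        return "expiring", days_left
    return "ok", days_left


def find_certificate_issues(xml_text, now=None, warn_days=30):
    """Walk the detection XML and return findings for non-'ok' certificates."""
    now = now or datetime.utcnow()
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("HOST"):
        ip = host.findtext("IP", default="?")
        for det in host.iter("DETECTION"):
            if det.findtext("QID") != "86002":  # only the certificate-information IG
                continue
            port = det.findtext("PORT", default="?")
            for index, cert in enumerate(parse_cert_validity(det.findtext("RESULTS") or "")):
                status, days_left = classify(cert["valid_to"], now, warn_days)
                if status != "ok":
                    findings.append({"ip": ip, "port": port, "chain_index": index,
                                     "status": status, "days_left": days_left,
                                     "valid_to": cert["valid_to"]})
    return findings


if __name__ == "__main__":
    for f in find_certificate_issues(SAMPLE_XML, now=SAMPLE_NOW):
        print("%s:%s cert[%d] %s (valid to %s, %d days)" % (
            f["ip"], f["port"], f["chain_index"], f["status"], f["valid_to"], f["days_left"]))
```

To use it for real, replace SAMPLE_XML with the body of an authenticated asset/host/vm/detection request filtered to QID 86002, and run the script from cron or Task Scheduler on the monthly cadence the answer suggests; the warn_days window is what turns "expired" reporting into "soon to expire" reporting.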