To check the revocation status of a certificate, the sensor uses WinHTTP to auto-detect the proxy server to use. You can also manually define a server. If you do not define a proxy server, PRTG uses the default WinHTTP proxy settings. For more information, see the Knowledge Base: How can I configure the WinHTTP proxy settings for the SSL Certificate sensor?
Limits
This sensor has predefined limits for several metrics.
IPv6
This sensor supports IPv6.
Performance impact
This sensor has a very low performance impact.
Lookups
This sensor uses lookups to determine the status values of one or more channels.
Basic Sensor Settings
Basic Sensor Settings
The sensor has the following default tags that are automatically predefined in the sensor's settings when you add the sensor:
certificate
ssl
sslcertificate
For more information about basic sensor settings, see section Sensor Settings.
SSL Certificate Specific
SSL Certificate Specific
Setting
Description
Port
Enter the number of the port to which this sensor connects. Enter an integer. The default port is 443.
Virtual Host (SNI Domain)
Define the host name that the sensor tries to query if your server has multiple certificates on the same IP address and port combination. Enter a string.
In the case of virtual hosting, you must identify the specific certificate for a specific domain while all domains use the same IP address, you can use SNI, which is an extension of TLS.
If you select a Certificate Name Validation option below, the sensor compares the common name and optionally alternative names with the SNI. Leave this field empty to validate the common name with the host address of the parent device.
Certificate Name Validation
Define if you want the sensor to validate the certificate name:
Do not compare common name (CN) with device address or SNI (default): Do not check if the certificate name is valid by comparing it with the address of the parent device or the defined SNI.
Compare and show down status if common name (CN) and address/SNI do not match: Check the common name to validate the certificate name. If you define an SNI above, the sensor compares the common name with the SNI. If you do not define an SNI, the sensor uses the host address of the parent device. If the common name and the checked address/SNI do not match, the sensor shows the Downstatus.
Compare and show down status if common name (CN)/alternative names (SAN) and address/SNI do not match: Check the common name and the Subject Alternative Names (SAN) to validate the certificate. If you define an SNI domain above, the sensor compares the common name and alternative names with the SNI. If you do not define an SNI, the sensor uses the host address of the parent device. If the common name or alternative names and the checked address/SNI do not match, the sensor shows the Down status.
Connection Specific
Connection Specific
Setting
Description
Use SOCKS Proxy (v5 only)
Define if the sensor uses a SOCKS proxy server for the sensor connection:
Do not use SOCKS proxy(default): Directly connect to the target host without using a SOCKS proxy.
Use SOCKS proxy: Connect using SOCKS5. Provide data for the SOCKS connection below. Other SOCKS versions are not supported.
This sensor only supports SOCKS5 proxies. It does not support HTTP proxies.
Server
This setting is only visible if you select Use SOCKS proxy above.
Enter the IP address or host name of the proxy server that the sensor uses for connection.
Port
This setting is only visible if you select Use SOCKS proxy above.
Enter the port number of the proxy server that the sensor uses for connection.
User Name
This setting is only visible if you select Use SOCKS proxy above.
If the proxy server requires authentication, enter a user name.
Password
This setting is only visible if you select Use SOCKS proxy above.
If the proxy server requires authentication, enter the password for the user you specified above.
Debug Options
Debug Options
Setting
Description
Result Handling
Define what PRTG does with the sensor result:
Discard result (default): Do not store the sensor result.
Store result: Store the sensor result and the last response to the \Logs\sensors subfolder of the PRTG data directory on the probe system. The file names are Result of Sensor [ID].Data.txt, Result of Sensor [ID] (Certificate 0 in Certificate Chain).cer, Result of Sensor [ID] (Certificate 1 in Certificate Chain).cer, Result of Sensor [ID] (Certificate 2 in Certificate Chain).cer, Result of Sensor [ID] (Certificate Chain).txt, and Result of Sensor [ID] (Certificate).cer. This setting is for debugging purposes. PRTG overwrites these files with each scanning interval.
This option is not available when the sensor runs on the hosted probe of a PRTG Hosted Monitor instance.
In a cluster, PRTG stores the result in the PRTG data directory of the master node.
You can use the debug option to get a log file with information about the certificate chain. Additionally, certificates in the certificate chain are stored in the log folder (.cer files). This can help you, for example, if you have issues with the Root Authority Trusted channel of this sensor.
Sensor Display
Sensor Display
Setting
Description
Primary Channel
Select a channel from the list to define it as the primary channel. In the device tree, PRTG displays the last value of the primary channel below the sensor's name. The available options depend on what channels are available for this sensor.
You can set a different primary channel later by clicking below a channel gauge on the sensor's Overview tab.
Graph Type
Define how this sensor shows different channels:
Show channels independently (default): Show a graph for each channel.
Stack channels on top of each other: Stack channels on top of each other to create a multi-channel graph. This generates a graph that visualizes the different components of your total traffic. You cannot use this option in combination with manual Vertical Axis Scaling (available in the channel settings).
Stack Unit
This setting is only visible if you select Stack channels on top of each other above.
Select a unit from the list. PRTG stacks all channels with this unit on top of each other. By default, you cannot exclude single channels from stacking if they use the selected unit. However, there is an advanced procedure to do so.
Inherited Settings
By default, all of these settings are inherited from objects that are higher in the hierarchy. We recommend that you change them centrally in the root group settings if necessary. To change a setting for this object only, click under the corresponding setting name to disable the inheritance and to display its options.
You can use wildcards in the IP Address/DNS Name in the device settings. Wildcards that apply to only one level of the domain name are supported.
Example
Result
*.wildcard.com for www.wildcard.com
Works
api.wildcard.com for api.wildcard.com
Works
contoso.com for contoso.com
Works
*.subapi.subapi2.wildcard.com for de.subapi.subapi2.wildcard.com
Works
*. *.wildcard.com for www.de.wildcard.com
Not supported
*.wildcard.com for de.subapi.wildcard.com
Doesn't work
www.contoso.com for contoso.com
Doesn't work
subapi.*.wildcard.com for subapi.dns.wildcard.com
Doesn't work
Channel List
Which channels the sensor actually shows might depend on the target device, the available components, and the sensor setup.
Channel
Description
Common Name Check
If the common name or subject-alternative names match the host address or SNI (if you select a Certificate Name Validation option)
Up status: CN/SAN Match, Disabled, Matches Device Address, Matches SNI
Down status: CN/SAN Do Not Match SNI, Does Not Match Device Address, Does Not Match SNI
Days to Expiration
The days to expiration with a predefined lower warning limit (28 days) and lower error limit (7 days)
This channel is the primary channel by default.
This channel has default limits:
Lower error limit: 7
Lower warning limit: 28
Downtime
In the channel table on the Overview tab, this channel never shows any values. PRTG uses this channel in graphs and reports to show the amount of time in which the sensor was in the Down status.
Public Key Length
The public key length
Up status:
RSA keys: For 2048-bit keys (good security) and longer (perfect security)
ECC keys: For 128-bit and 192-bit keys (good security) and longer (perfect security)
Warning status: For weak security
Down status: For shorter keys (unsecure)
Unknown status: Unknown
Revoked
If the certificate has been revoked
Up status: No
Warning status: Unable To Check Revocation Status
Down status: Yes
Root Authority Trusted
If the certificate is trusted as root authority
Up status: Yes
Warning status: No
Self-Signed
If a self-signed certificate is used
Up status: No, Yes
More
KNOWLEDGE BASE
How can I configure the WinHTTP proxy settings for the SSL Certificate sensor?