Monitor SSL Certificates with Azure Monitor

This is simultaneously something I’ve been very excited to write a post about and something that’s often requested as a feature for Azure Monitor. We now have the ability to natively monitor SSL certificates with Azure Monitor and Application Insights availability tests. You may remember my old post on availability tests; the team has since added some new tests as part of availability testing.

Create Standard Test

Now under the availability tab in Application Insights, you’ll see a new button called “Create Standard test” next to the classic ping test.

You can choose a proactive lifetime check for your SSL cert, from 1 day to 365 days.

In addition to being able to create a monitor for your SSL certificate, you can also create custom headers and success criteria.

Alerts

You also have the option of having the test automatically create its own alert rule, which is neat. If you select that option, you can quickly see the alert by selecting the ellipsis on your test.

This will open the Azure Monitor Alerts page.

When you select it, you can see and adjust the criteria that it created for you.

 

In my case it did not specify an Action Group; your mileage may vary. Definitely check to verify what, if anything, it set. An alert is useless if no one is notified when it fires, especially for something as important as your SSL certificate.

When it fires, it will appear alongside all your other Azure Monitor alerts on the Azure Monitor alerts page. It is stateful as well, meaning you won’t get hundreds of alerts as the test keeps failing. This alert has been failing for 3 days, and you can see there is only one alert in the alerts view for it.

 

Success Criteria and Logs

You may have noticed I created two tests. I did this for you, dear reader, to test the scenarios. The SSL certificate on the blog you are reading is handled by my host, so I actually don’t know how often they rotate it out for a new one. I created one test with an alert for 7 days and one for 365 days. SSL Test will alert if the cert is less than 7 days from expiry, while SSL Test 2 will alert if the cert is less than 365 days from expiring.

As you can see, SSL Test is 100% good, while SSL Test 2 is reporting some sort of availability issue. Unfortunately, at this time you cannot see what specifically the issue is. Is the website down? Is my cert about to expire? Or has some other success criterion that you specified been breached? If any part of your test “fails”, it reports the whole test as failed and shows availability at 0%. I personally find this pretty confusing. For instance, if I see 0% availability I take that to mean that my website is down, not that my certificate will expire in 36 days, which should be a warning, since it’s not even expired yet. I have provided this feedback to the team, but please let me know if you think it’s confusing. You can reach me on Twitter @scautomation or email billyyork at microsoft.com. I would love to provide additional feedback to the team.

However, we can see this issue from the End to End transaction details, which has the specific message that the SSL Cert is beneath the threshold.

You can also see them under the availabilityResults table in the logs.
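The states that the single pass/fail result folds together (site unreachable, certificate invalid, certificate below its lifetime threshold) can also be told apart with an independent check. The following is an added example, not code from this post or from Azure Monitor; the function names and sample dates are constructed, and the thresholds mirror the 7-day and 365-day tests above.

```python
import socket
import ssl
from datetime import datetime, timezone

def parse_not_after(text):
    # getpeercert() reports notAfter as e.g. "Feb  6 00:00:00 2025 GMT"
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)

def classify(not_after, threshold_days, now=None):
    """Return (state, whole days remaining) for one certificate and threshold."""
    now = now or datetime.now(timezone.utc)
    remaining = (not_after - now).days
    if not_after <= now:
        return "expired", remaining
    if remaining < threshold_days:
        return "expiring", remaining   # a warning, not an outage
    return "ok", remaining

def fetch_not_after(host, port=443, timeout=10):
    """Fetch the leaf certificate's expiry over a verified TLS connection."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return parse_not_after(tls.getpeercert()["notAfter"])

def check_host(host, threshold_days):
    """Live check that keeps 'site down' apart from certificate problems."""
    try:
        return classify(fetch_not_after(host), threshold_days)
    except ssl.SSLCertVerificationError:
        # Already expired, wrong hostname or untrusted chain: the handshake
        # fails before any lifetime can be read.
        return "cert-invalid", None
    except OSError:
        # DNS failure, refused connection, timeout, other TLS errors.
        return "unreachable", None

if __name__ == "__main__":
    # Constructed sample: a certificate 36 days from expiry, as in the post.
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    cert_expiry = parse_not_after("Feb  6 00:00:00 2025 GMT")
    for name, days in (("SSL Test", 7), ("SSL Test 2", 365)):
        print(name, classify(cert_expiry, days, now))
```

Run `check_host("your.site.example", 30)` against a real host to get a live result; the hostname here is a placeholder.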

 

We can now monitor SSL certificates expiring with Azure Monitor. Try it out and let me know what you think. Reminder that this is in preview, and thus subject to change. You can see the official docs here.