Windows Certificate Store

Supported OS Windows

Integration version 1.0.0

Overview

This integration monitors the Local Machine certificates in the Windows Certificate Store to check whether any have expired.

Setup

Installation

The Windows Certificate Store integration is included in the Datadog Agent package but requires configuration (see instructions below). The Windows Certificate Store integration requires Agent versions 7.67.0 or later.

Configuration

Edit the windows_certificate.d/conf.yaml file, in the conf.d/ folder at the root of your Agent’s configuration directory. See the sample windows_certificate.d/conf.yaml for all available configuration options. When you are done editing the configuration file, restart the Agent to load the new configuration.

The integration can monitor the expiration of every certificate in a given store, or only the certificates whose subject matches one of the strings in a given list. The store names that are available for monitoring are listed under HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates.

This example configuration monitors all certificates in the local machine’s ROOT store:

instances:
  - certificate_store: ROOT

This example configuration monitors certificates in ROOT that have microsoft or verisign in the subject:

instances:
  - certificate_store: ROOT
    certificate_subjects:
      - microsoft
      - verisign

The parameters days_warning and days_critical specify how many days before a certificate's expiration the service check windows_certificate.cert_expiration starts emitting WARNING and CRITICAL alerts, respectively. In the example below, the service check emits a WARNING alert when a certificate is 10 days from expiring and a CRITICAL alert when it is 5 days from expiring:

instances:
  - certificate_store: ROOT
    certificate_subjects:
      - microsoft
      - verisign
    days_warning: 10
    days_critical: 5

Beginning with Agent v7.69.0, the integration can monitor the expiration of certificate revocation lists (CRLs) in a given certificate store. When CRL monitoring is enabled, all CRLs in that store are monitored, regardless of any certificate_subjects filter. To enable CRL monitoring, set enable_crl_monitoring: true in the integration configuration.

This example configuration monitors Microsoft and Verisign certificates, and all CRLs in the local machine’s CA store:

instances:
  - certificate_store: CA
    certificate_subjects:
      - microsoft
      - verisign
    enable_crl_monitoring: true
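To make the semantics of certificate_subjects, days_warning, days_critical and enable_crl_monitoring concrete, and the CRL rule described under Service Checks, here is a small Python model of how the check classifies store entries. It is an added example written for this page, not the integration's own code. It assumes case-insensitive substring matching on the certificate subject, the tag keys subject:, issuer: and thumbprint: (the page names the tagged attributes but not the keys), and the threshold values 10/5/7 days; the sample store contents are constructed.

```python
"""Constructed model of the windows_certificate expiration logic (example, not the integration's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

OK, WARNING, CRITICAL = "ok", "warning", "critical"


@dataclass(frozen=True)
class StoreEntry:
    """A certificate or CRL as the check would see it (constructed fields)."""
    name: str          # certificate subject, or CRL issuer
    thumbprint: str    # placeholder hex, not a real thumbprint
    not_after: datetime


def subject_matches(subject, certificate_subjects):
    """Empty list: monitor the whole store. Otherwise keep entries whose subject
    contains any listed string (case-insensitive substring match is an assumption)."""
    if not certificate_subjects:
        return True
    lowered = subject.lower()
    return any(s.lower() in lowered for s in certificate_subjects)


def days_remaining(not_after, now):
    """Value of the *_days_remaining gauges: days until expiry, negative once expired."""
    return (not_after - now).total_seconds() / 86400


def cert_expiration_status(days, days_warning, days_critical):
    """windows_certificate.cert_expiration: expired or < days_critical -> CRITICAL,
    < days_warning -> WARNING, otherwise OK. Expired certificates are negative days,
    so they always fall under the first branch."""
    if days < days_critical:
        return CRITICAL
    if days < days_warning:
        return WARNING
    return OK


def crl_expiration_status(days, crl_days_warning):
    """windows_certificate.crl_expiration: CRITICAL only once the CRL has expired,
    WARNING below crl_days_warning, otherwise OK (there is no crl_days_critical)."""
    if days < 0:
        return CRITICAL
    if days < crl_days_warning:
        return WARNING
    return OK


def evaluate_store(store, certs, crls, now, certificate_subjects=(),
                   days_warning=10, days_critical=5, crl_days_warning=7,
                   enable_crl_monitoring=False):
    """Return one result per monitored entry, with tags shaped like the page describes
    (certificate_store:<STORE> plus subject/issuer and thumbprint; key names assumed)."""
    results = []
    for cert in certs:
        if not subject_matches(cert.name, certificate_subjects):
            continue
        days = days_remaining(cert.not_after, now)
        results.append({
            "kind": "cert",
            "days_remaining": days,
            "status": cert_expiration_status(days, days_warning, days_critical),
            "tags": [f"certificate_store:{store}", f"subject:{cert.name}",
                     f"thumbprint:{cert.thumbprint}"],
        })
    if enable_crl_monitoring:
        for crl in crls:  # every CRL in the store; the subject filter does not apply
            days = days_remaining(crl.not_after, now)
            results.append({
                "kind": "crl",
                "days_remaining": days,
                "status": crl_expiration_status(days, crl_days_warning),
                "tags": [f"certificate_store:{store}", f"issuer:{crl.name}",
                         f"thumbprint:{crl.thumbprint}"],
            })
    return results


# Constructed sample store contents; names and thumbprints are placeholders.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    StoreEntry("CN=Microsoft Root Certificate Authority 2011", "AA11", NOW + timedelta(days=30)),
    StoreEntry("CN=VeriSign Class 3 Public Primary CA", "BB22", NOW + timedelta(days=7)),
    StoreEntry("CN=Microsoft Legacy Root CA", "CC33", NOW - timedelta(days=3)),
    StoreEntry("CN=Contoso Internal CA", "DD44", NOW + timedelta(days=2)),  # filtered out
]
SAMPLE_CRLS = [
    StoreEntry("CN=Microsoft Root Certificate Authority 2011", "EE55", NOW + timedelta(days=3)),
]


def sample_results():
    """Evaluate the constructed CA store with the configuration shown on this page."""
    return evaluate_store("CA", SAMPLE_CERTS, SAMPLE_CRLS, NOW,
                          certificate_subjects=["microsoft", "verisign"],
                          days_warning=10, days_critical=5, enable_crl_monitoring=True)


if __name__ == "__main__":
    for r in sample_results():
        print(r["kind"], r["status"], round(r["days_remaining"], 1), r["tags"])
```

Running it yields OK for the certificate 30 days out, WARNING for the one 7 days out, CRITICAL for the expired one (days_remaining is negative), nothing for the Contoso certificate that matches no subject string, and WARNING for the CRL that expires in 3 days; note the asymmetry between the two service checks, since the CRL check only goes CRITICAL after the CRL has actually expired.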

Beginning with Agent v7.70, the integration can validate certificates and their certificate chains. To enable certificate chain validation, set the following in the integration configuration:

instances:
  - certificate_store: CA
    cert_chain_validation:
      enabled: true
      policy_validation_flags:
        - CERT_CHAIN_POLICY_IGNORE_ALL_NOT_TIME_VALID_FLAGS
        - CERT_CHAIN_POLICY_IGNORE_ALL_REV_UNKNOWN_FLAGS
        - CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG

The policy_validation_flags suppress specific validation errors that may not be relevant for your use case. Each flag hides a whole class of chain errors (for example, CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG lets a chain that ends in an untrusted root pass validation), so set only the flags you need. See the sample windows_certificate.d/conf.yaml for a list of all the flags available for use.

Tags

The integration automatically tags all metrics and service checks with the name of the store in the certificate_store:<STORE> tag. Certificate metrics and service checks are tagged with the certificate’s subjects, thumbprints and serial numbers. CRL metrics and service checks are tagged with the CRL’s issuer and thumbprint.

Validation

Run the Agent’s status subcommand and look for windows_certificate under the Checks section.

Data Collected

Metrics

windows_certificate.crl_days_remaining (gauge)
  Days until certificate revocation list (CRL) expiration. Shown as day.

windows_certificate.days_remaining (gauge)
  Days until certificate expiration. Shown as day.

Events

The windows_certificate integration does not include any events.

Service Checks

windows_certificate.cert_expiration

Returns CRITICAL if the certificate has expired or expires in less than days_critical days; returns WARNING if the certificate expires in less than days_warning days; otherwise returns OK.

Statuses: ok, critical, warning

windows_certificate.crl_expiration

Returns CRITICAL if the certificate revocation list (CRL) has expired; returns WARNING if the CRL expires in less than crl_days_warning days; otherwise returns OK.

Statuses: ok, critical, warning

windows_certificate.cert_chain_validation

Returns CRITICAL if the certificate chain validation fails. Otherwise, returns OK.

Statuses: ok, critical, warning

Troubleshooting

Need help? Contact Datadog support.