This integration monitors the Local Machine certificates in the Windows Certificate Store to check whether any have expired.
Setup
Installation
The Windows Certificate Store integration is included in the Datadog Agent package but requires configuration (see instructions below). The integration requires Agent version 7.67.0 or later.
The integration can monitor the expiration of all certificates in a given store, or only the certificates whose subjects match strings in a given list. The store names that are available for monitoring are listed in HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates.
This example configuration monitors all certificates in the local machine’s ROOT store:
instances:
  - certificate_store: ROOT
This example configuration monitors certificates in ROOT that have microsoft or verisign in the subject:
The days_warning and days_critical parameters set how many days before certificate expiration the service check windows_certificate.cert_expiration begins emitting WARNING and CRITICAL alerts. In the example below, the service check emits a WARNING alert when a certificate is 10 days from expiring and a CRITICAL alert when it is 5 days from expiring:
Beginning with Agent v7.69.0, the integration can monitor the expiration of certificate revocation lists (CRL) in a given certificate store. When CRL monitoring is enabled, all CRLs in that store are monitored. To enable CRL monitoring, set enable_crl_monitoring: true in the integration.
This example configuration monitors Microsoft and Verisign certificates, and all CRLs in the local machine’s CA store:
Beginning with Agent v7.70, the integration can validate certificates and their certificate chains. To enable certificate chain validation, set the following in the integration:
The integration automatically tags all metrics and service checks with the name of the store in the certificate_store:<STORE> tag. Certificate metrics and service checks are tagged with the certificate’s subjects, thumbprints and serial numbers. CRL metrics and service checks are tagged with the CRL’s issuer and thumbprint.
Days until certificate revocation list (CRL) expiration. Shown as day
windows_certificate.days_remaining (gauge)
Days until certificate expiration. Shown as day
Events
The windows_certificate integration does not include any events.
Service Checks
windows_certificate.cert_expiration
Returns CRITICAL if the certificate has expired or expires in less than days_critical, returns WARNING if the certificate expires in less than days_warning, otherwise returns OK.
Statuses: ok, critical, warning
windows_certificate.crl_expiration
Returns CRITICAL if the certificate revocation list (CRL) has expired. Returns WARNING if the CRL expires in less than crl_days_warning. Otherwise, returns OK.
Statuses: ok, critical, warning
windows_certificate.cert_chain_validation
Returns CRITICAL if the certificate chain validation fails. Otherwise, returns OK.
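To preview what windows_certificate.cert_expiration would report for a store before enabling the check, the following PowerShell script applies the same days_warning / days_critical rule to the certificates in a Local Machine store. It is an added example, not Datadog's code or part of the integration; the script parameter names and the case-insensitive substring match on the subject are assumptions made for illustration.

```powershell
# Added example (not Datadog's code). Thresholds mirror days_warning / days_critical
# as described for windows_certificate.cert_expiration. The subject filter
# (case-insensitive substring match) is an assumption about matching semantics.
param(
    [string]   $Store        = 'ROOT',
    [string[]] $Subjects     = @('microsoft', 'verisign'),  # empty array = all certificates
    [int]      $DaysWarning  = 10,
    [int]      $DaysCritical = 5
)

function Get-ExpirationStatus {
    param([double] $DaysRemaining, [int] $Warning, [int] $Critical)
    # CRITICAL: already expired, or expires in less than $Critical days
    if ($DaysRemaining -le 0 -or $DaysRemaining -lt $Critical) { return 'CRITICAL' }
    # WARNING: expires in less than $Warning days
    if ($DaysRemaining -lt $Warning) { return 'WARNING' }
    return 'OK'
}

$now = Get-Date

Get-ChildItem -Path "Cert:\LocalMachine\$Store" |
    Where-Object {
        $subject = $_.Subject
        # Keep the certificate if no filter is given or any filter string occurs in the subject
        $Subjects.Count -eq 0 -or
            ($Subjects | Where-Object { $subject -like "*$_*" })
    } |
    ForEach-Object {
        $days = ($_.NotAfter - $now).TotalDays
        # Same identifying fields the integration uses as tags: subject, thumbprint, serial number
        [pscustomobject]@{
            Status        = Get-ExpirationStatus $days $DaysWarning $DaysCritical
            DaysRemaining = [math]::Round($days, 1)
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            SerialNumber  = $_.SerialNumber
        }
    } |
    Sort-Object DaysRemaining |
    Format-Table -AutoSize
```

The Cert: provider returns certificates only, so CRLs in the store are not covered by this script.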