Windows Certificate Store

Supported OS: Windows

Overview

This integration monitors the Local Machine certificates in the Windows Certificate Store to check whether any of them have expired.

Setup

Installation

The Windows Certificate Store integration is included in the Datadog Agent package but requires configuration (see instructions below).

Configuration

Edit the windows_certificate.d/conf.yaml file, in the conf.d/ folder at the root of your Agent’s configuration directory. See the sample windows_certificate.d/conf.yaml for all available configuration options. When you are done editing the configuration file, restart the Agent to load the new configuration.

The integration can monitor the expiration of all certificates in a given store, or selectively monitor only the certificates whose subjects match a string from a given list. The store names that are available for monitoring are listed in HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates.

This example configuration monitors all certificates in the local machine’s ROOT store:

instances:
  - certificate_store: ROOT

This example configuration monitors certificates in ROOT that have microsoft or verisign in the subject:

instances:
  - certificate_store: ROOT
    certificate_subjects:
      - microsoft
      - verisign

The parameters days_warning and days_critical specify the number of days before certificate expiration at which the service check windows_certificate.cert_expiration begins emitting WARNING and CRITICAL alerts. In the example below, the service check emits a WARNING alert when a certificate is 10 days from expiring and a CRITICAL alert when it is 5 days from expiring:

instances:
  - certificate_store: ROOT
    certificate_subjects:
      - microsoft
      - verisign
    days_warning: 10
    days_critical: 5
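
The following added example (not the integration's own code) models how the instance above maps certificates to windows_certificate.cert_expiration statuses, using the rules stated on this page. The function names, the sample subjects and dates, and the case-insensitive substring match on subjects are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

OK, WARNING, CRITICAL = "ok", "warning", "critical"

def matches(subject, certificate_subjects):
    """No filter list means every certificate in the store is monitored."""
    if not certificate_subjects:
        return True
    # Assumption: case-insensitive substring match against the subject.
    return any(s.lower() in subject.lower() for s in certificate_subjects)

def cert_expiration(not_after, now, days_warning, days_critical):
    """Return (status, days_remaining) using the page's threshold rules."""
    days_remaining = (not_after - now).total_seconds() / 86400
    if days_remaining <= 0 or days_remaining < days_critical:
        return CRITICAL, days_remaining  # expired, or inside the critical window
    if days_remaining < days_warning:
        return WARNING, days_remaining
    return OK, days_remaining

def evaluate(instance, certs, now):
    """Apply one instance block to (subject, not_after) pairs from its store."""
    results = {}
    for subject, not_after in certs:
        if matches(subject, instance.get("certificate_subjects")):
            status, _ = cert_expiration(
                not_after, now, instance["days_warning"], instance["days_critical"])
            results[subject] = status
    return results

# Constructed sample data: subjects and expiry dates are invented for this example.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
INSTANCE = {"certificate_store": "ROOT", "days_warning": 10, "days_critical": 5,
            "certificate_subjects": ["microsoft", "verisign"]}
SAMPLE_CERTS = [
    ("CN=Microsoft Example Root CA", NOW + timedelta(days=400)),
    ("CN=VeriSign Example Root CA", NOW + timedelta(days=7)),
    ("CN=Microsoft Example Expiring CA", NOW + timedelta(days=3)),
    ("CN=VeriSign Example Expired CA", NOW - timedelta(days=2)),
    ("CN=Example Internal Root", NOW + timedelta(days=1)),  # not matched by the filter
]

if __name__ == "__main__":
    for subject, status in evaluate(INSTANCE, SAMPLE_CERTS, NOW).items():
        print(f"{status:8} {subject}")
```

The last sample certificate expires in one day but produces no status, because its subject matches neither filter string; a certificate_subjects list narrows alerting coverage as well as noise.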

Validation

Run the Agent’s status subcommand and look for windows_certificate under the Checks section.

Data Collected

Metrics

windows_certificate.days_remaining
(gauge)
Days until certificate expiration
Shown as day

Events

The windows_certificate integration does not include any events.

Service Checks

windows_certificate.cert_expiration
Returns CRITICAL if the certificate has expired or expires in less than days_critical, returns WARNING if the certificate expires in less than days_warning, otherwise returns OK.
Statuses: ok, critical, warning

Troubleshooting

Need help? Contact Datadog support.