Monitor SSL/TLS certificates with Azure Application Insights
In this article, I’ll explain what SSL/TLS encryption is, how SSL certificates are used to establish SSL/TLS encryption, and how to monitor for expiring SSL certificates using Azure Application Insights.
What is SSL/TLS?
Secure Sockets Layer (SSL), the predecessor of Transport Layer Security (TLS), is an encryption-based Internet security protocol, which ensures privacy, authentication and also the integrity of information in Internet communications. Encryption is a way to conceal information by altering it, so it appears as random data. Encryption is crucial for security on the Internet.
TLS was created in 1999 and is the up-to-date encryption protocol used today. SSL, which has not been updated since 1996, has some known vulnerabilities, and is considered insecure and deprecated. Today, the terms “SSL encryption” and “TLS encryption” are used interchangeably, but in most cases refers to TLS.
Any website with an HTTPS web address uses SSL/TLS.
What are SSL certificates?
An SSL certificate is a file hosted in a website’s server displaying important information for verifying the owner of a website, and encrypting web traffic with SSL/TLS. It includes a public key, the information about the issuer of the certificate, and the associated (sub)domains. Clients attempting to communicate with the website’s server will reference this file to get the public key and verify the server’s identity. The private key is kept and used only on the server side.
The public and private keys used for SSL are essentially long strings of characters used for encrypting and decrypting data. Data encrypted with the public key can only be decrypted with the private key, and vice versa.
SSL certificates are needed to keep user data secure, verify the ownership of the website (preventing attackers from creating fake versions of the site), and gain user trust. Many users won’t notice the difference between an http://
and an https://
web address, but modern browsers have made more noticable ways to prove websites are secure. An example is given below, where the lock shows the website is secure.
How does SSL/TLS encryption work?
Enabling secure communication begins with the “handshake”, letting the client (such as web browsers) and server open a secure connection. During the handshake the client and server use the public and private keys to exchange randomly generated data, which is used to create new (session) keys for encryption.
After the handshake, both sides use the same session keys for encryption. Once session keys are in use, the public and private keys are not used anymore. These session keys are temporary, and are not used again once the session is terminated. Whenever a new session needs to be established, new session keys will be generated for that session.
How to monitor for expiring SSL certificates using Azure Application Insights?
Prerequisites
To start monitoring for expiring SSL certificates using Azure Application Insights, make sure you have met the following prerequisites.
SSL certificate to monitor
For starters, you need an application with an SSL certificate to monitor. If you don’t have your own application, you can use any public website with an HTTPS web address.
Azure subscription
For this guide you need an Azure subscription, with a native user account that has the rights to create and edit a fresh instance of Azure Application Insights, and configure tests in Application Insights.
Azure CLI
In this guide you’ll use the Azure Cloud Shell for Azure CLI. However, if you prefer to work from your local workstation you can install the Azure CLI locally.
Creating Application Insights instance
Open the Azure Cloud Shell, either by using the link or by clicking on its icon once you are logged in to the Azure Portal.
If you are using the Azure CLI locally, you’ll first need to sign in using the az login
command to use any CLI commands.
Create a resource group
Now create the resource group by using the following command:
az group create \
--name <Name> \
--location <Region>
You’ll change the parameters according to your needs. In my case I choose the Western Europe region and I’m naming my resource group “rg-schuttencloud-ssl”.
az group create \
--name rg-schuttencloud-ssl \
--location westeurope
Install the Azure Application Insights extension
Azure CLI offers the capability to load extensions. Extensions for Azure CLI are characterized as Python wheels that aren’t shipped as part of the CLI, but run as CLI commands. The Azure Application Insights extension is not loaded by default, hence we need to install it. You install the extension by running the following command:
az extension add \
--name application-insights
Notice how Azure CLI returns a message that this extension is still in preview. You can learn more about Microsoft Azure Previews and its Terms of Use here.
Create an Azure Application Insights instance
You can now deploy Azure Application Insights resources and have a resource group to deploy them to. Create an Azure Applications Insights instance by using the following command:
az monitor app-insights component create \
--app <AppName> \
--location <Region> \
--resource-group <ResourceGroupName> \
--application-type <ApplicationType> \
--kind <KindOfApplication>
You’ll change the parameters according to your needs. In my case I choose the Western Europe region and I’m naming my application “app-sslmonitor”. I’m placing the resource in the earlier created resource group “rg-schuttencloud-ssl”. The type of application being monitored is “web” and the same goes for the kind of application that this component is referring to.
az monitor app-insights component create \
--app app-sslmonitor \
--location westeurope \
--resource-group rg-schuttencloud-ssl \
--application-type web \
--kind web
Now your Application Insights instance is deployed, we can go forward configuring our test.
Configuring the Application Insights test
Although the functionality we are going to use is in a preview state, it is a nice addition to the ping and load tests that Application Insights originally offered. To create the test, we go through the following steps (with reference to the image below):
- Within the Application Insights instance we just deployed, go to Investigate > Availability.
- Create a new standard test by clicking on Add Standard (preview) test at the top.
- The configuration window for a new default test opens. For testing purposes I have filled in the following parameters, but adjust these to your needs:
- Test name:
test-schuttencloud-ssl
. - URL:
https://schutten.cloud
, which is the application/website I will be monitoring for an expiring SSL certificate. - Parse dependent requests:
Unchecked
, as I don’t want to parse anything beyond just the SSL certificate validity. - Enable retries for availability test failures:
Unchecked
. If checked, the test will retry within 20 seconds if the test fails, and will record a failure only if it fails three times in a row. - Enable SSL certificate validity:
Checked
, as it’s the main purpose of configuring this test. Obviously, this option only works for URLs starting withhttps://
. - Proactive lifetime check:
365 days
, for testing purposes. In a production environment you’ll want to adjust this to your needs, for example to 30 days. You can choose from 1, 7, 30, 90, or 365 days. - Test frequency:
15 minutes
, as it’s the longest interval to choose from. - Test locations:
West- and North-Europe
. However, Microsoft recommends at least 5 test locations.
- Test name:
- Click on Create. The test is now created.
Results of the Application Insights test
The results of the test are displayed on the alerts page. The fastest way to display these is to click on the three dots and go to Open Rules (Alerts) page. In my case, an error has (expectedly) been issued, because my SSL certificate is not valid for 365 days or longer. From here you could add notifications and action groups to the alert rule.
Conclusion
In this article, you have read what SSL/TLS is, what SSL certificates are, how SSL/TLS encryption works, and how to monitor for expiring SSL certificates using Azure Application Insights. Obviously, there is more than one solution to monitor the expiration of SSL certificates. For example, it is possible to monitor the expiration of SSL certificates based on self-made scripts (for example with PowerShell), possibly with integration into your existing monitoring solution. In addition, there are third-party vendors that offer tools with the ability to monitor the expiration of SSL certificates, such as:
Ultimately, the choice for a monitoring solution will have to arise from the wishes and needs of your specific organization. Nevertheless, preventing expired SSL certificates will always be on the must-do list, especially now that you are familiar with its function and importance after reading this article.
Author: Rolf Schutten
Posted on: April 1, 2022