Discover, view and log SSL certificates. Raise configurable expiration alerts.
SSL Certificate Monitor is capable of discovering, viewing and logging SSL certificates.
The SSL Certificate Monitor extension can be deployed on an ActiveGate or on any host with the OneAgent installed.
Both deployment types have configurable alerting intervals, allowing low severity problems to be raised for certificates inside a user-defined renewal window, and high severity alerts for imminently approaching expiration dates.
When deployed on an ActiveGate, the extension performs certificate checks against the domains you explicitly configure.
When deployed on a host with the OneAgent, the extension attempts certificate auto-discovery using data provided by the OneAgent.
Monitor remotely—the purpose of remote monitoring deployment is to activate certificate monitoring by URL. This type of monitoring requires that the ActiveGate running the extension has access to the URLs that are provided. Adjustments to networking and firewall rules may be required. When this deployment model is chosen, certificate discovery is deactivated, and a list of URLs must be provided to activate certificate monitoring.
Select Monitor Remotely without OneAgent to choose this installation type, and choose the ActiveGate group on which you want to run the extension.
Monitor Locally—local monitoring is required for the certificate auto-discovery that uses the OneAgent. The extension will be installed on selected hosts. Currently, hosts can be selected by name, host group, management zone or tag (using the Environment configuration).
Once the deployment option is selected, continue configuring the extension.
General configuration settings available to you:
AVAILABILITY: Expired certificates generate an alert on this level.
ERROR: Certificates in Stage 2 (expiration imminent) will alert on this level.
RESOURCE: Certificates in Stage 1 (expiration soon) will alert on this level.
Interval between certificate discovery and metadata checks (hours). The frequency with which the extension updates discovered certificates and processes the available data. During initial setup and testing, a smaller value may be appropriate. Once the extension is fully configured, an interval of eight hours is recommended. In addition to determining how often certificate discovery and metadata updates take place, the check interval determines how problems are resolved. All certificate problems remain open until a certificate check confirms that the problem has been resolved, so an interval of 24 hours causes a certificate problem to remain open for a minimum of 24 hours: the problem will not resolve until the next check can determine whether it has been fixed.
Unified Analysis Screens and Certificate Status Metric. Unified Analysis Screens contain metadata on all discovered certificates. This feature requires the collection of data using the Certificate Status metric (certificate.monitor.status). For the best experience, it is recommended to activate metric collection. When deactivated, extension functionality is limited to alert creation and log events. This option consumes DDUs.
Deactivate alerts for certificates greater than x days old. By default, alerts will be raised for all expired certificates. Many environments contain long-expired certificates that have not been removed. Activate this feature to suppress problems for certificates that expired more than x days ago.
Raise alerts for certificate discovery errors. These settings are useful for troubleshooting and setting port and technology exclusion filters to deactivate unwanted checks. Full details will always be available in the logs. Where available, the alert details troubleshooting property will provide suggestions for solving the issue.
Raise alerts for OneAgent certificate discovery errors. By default, the extension attempts to extract certificates from all listening ports detected by the OneAgent. However, many of the processes behind these ports do not use SSL/TLS and therefore present no certificate. Enabling this setting triggers an alert whenever the extension fails to extract a certificate from a port, regardless of whether a certificate is present, including ports that are not secured with SSL/TLS.
Problems will only be visible if at least one certificate is detected on the host. This setting has no effect on remote deployments. It is not recommended to keep this setting activated, as it will create alert noise during normal operation.
Raise alerts for domain based certificate discovery errors. Activate this feature to raise alerts for domain-based certificate discovery errors. This includes situations where a domain cannot be reached and if a certificate cannot be extracted. The extension will only check domains for certificates when the user has explicitly configured the extension to do so. It is recommended to activate this setting to ensure that any issues encountered during the discovery process are reported.
Activate blocklist. By default, the extension will exclude ports from certificate checks that have previously returned no certificates. Disabling the blocklist will cause all listening ports detected by the OneAgent to be checked for certificates at each monitoring interval.
Activate allowlist configuration. Use this setting to ensure ports are checked even if they have previously returned no certificates.
Clear blocklist cache. Use this setting to clear the blocklist cache. This removes all previously blocklisted ports and allows the extension to check them again. Clearing the cache is a two-step process: first activate this setting, then deactivate it about ten minutes later, once the monitoring configuration has been updated. The blocklist is effectively deactivated for as long as "clear blocklist cache" is activated.
When the extension is deployed locally (on a host with the OneAgent), the extension uses data collected by the OneAgent to collect a list of processes that have listening ports bound to them. Using this information, the extension attempts to establish a connection on that port and load any certificates that are present. Many of these detected port bindings do not have certificates bound to them and, as a result, no certificate is returned. Port blocklisting ensures that these ports are not continuously queried for certificates, reducing unnecessary network activity and potential side effects.
An optional feature to define inclusive and exclusive port ranges during certificate discovery:
Port range to include. A range of ports can be expressed with a hyphen. Individual ports or ranges can be separated with a semicolon, for example 443;1024-2000;50000-51000.
Port range to exclude. An optional range of ports to exclude. This setting is applied after the include rule. For example, if ports 400-410 are included and port 405 is excluded, the resulting set of ports will be 400-404 and 406-410.
Filter processes by technology type (optional setting to limit certificate checks to specific technology type):
Add technology to the filter defined above. The technology types available are the "Main Technology" types that are present in process views. Some processes show multiple entries under "Main technology". The technology type filter uses OR logic: a process that lists "IIS, IIS App Pool and .NET" as main technologies will be monitored if any of those technologies is added to this filter.
This filter can be set to include only the technologies listed or to exclude the technologies listed from monitoring.
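The port include/exclude rules and the technology filter, applied together, as an added example written for this page rather than code from the extension. It parses the semicolon-and-hyphen port syntax described above, applies the exclude rule after the include rule, and implements the OR-logic technology filter in both include and exclude mode over a constructed list of listening processes. The ListeningProcess record, its field names and the sample processes are assumptions for illustration, not the OneAgent data model.

```python
"""Added example (not the extension's own code): apply the port include/exclude
ranges and the technology filter to a constructed list of listening processes,
yielding the (process, port) pairs the extension would probe for certificates.
The ListeningProcess record and its field names are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ListeningProcess:
    name: str
    technologies: frozenset   # the "Main technology" entries shown in the process view
    ports: frozenset          # listening ports attributed to the process


def parse_port_spec(spec):
    """'443;1024-2000;50000-51000' -> set of ints. Ranges use '-', items ';'."""
    ports = set()
    for token in (t.strip() for t in spec.split(";")):
        if not token:
            continue
        lo, _, hi = token.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {token!r}")
        ports.update(range(lo, hi + 1))
    return ports


def effective_ports(include_spec, exclude_spec=""):
    """Exclude is applied after include: 400-410 minus 405 -> 400-404 and 406-410."""
    allowed = parse_port_spec(include_spec)
    if exclude_spec:
        allowed -= parse_port_spec(exclude_spec)
    return allowed


def technology_match(proc, techs, mode="include"):
    """OR logic: a process matches when any of its main technologies is in the
    filter. mode 'include' monitors only matches; 'exclude' monitors the rest.
    An empty filter matches everything."""
    if not techs:
        return True
    hit = bool(proc.technologies & techs)
    return hit if mode == "include" else not hit


def ports_to_check(procs, include_spec="1-65535", exclude_spec="",
                   techs=frozenset(), mode="include"):
    """(process name, port) pairs left after both filters."""
    allowed = effective_ports(include_spec, exclude_spec)
    return {(p.name, port)
            for p in procs if technology_match(p, techs, mode)
            for port in p.ports & allowed}


# Constructed sample, loosely modelled on what a process view shows.
SAMPLE = [
    ListeningProcess("w3wp.exe", frozenset({"IIS", "IIS App Pool", ".NET"}), frozenset({443, 8443})),
    ListeningProcess("java", frozenset({"Java", "Tomcat"}), frozenset({8080, 8443, 50001})),
    ListeningProcess("postgres", frozenset({"PostgreSQL"}), frozenset({5432})),
]

if __name__ == "__main__":
    print(sorted(ports_to_check(SAMPLE, "443;1024-2000;50000-51000")))
```

Note that the technology filter is evaluated per process and the port filter per port, so a process that matches the technology filter still only has its in-range ports probed.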
An optional setting to configure additional Server Name Indication domains:
Check hosts by domain name (optional list of domains to check directly):
Add domain. Optionally provide a list of domains that the extension will check directly.
The extension will attempt to open a connection to the domains provided. This feature requires that the extension host is able to establish a connection to the domain. Currently in early preview. Only monitor a domain on a single local monitoring configuration. In most cases, it is recommended to deploy this extension remotely (on an ActiveGate) for domain based monitoring.
Activate debug—check this box to activate debug level logging. Logs are available (by default) on Linux at: /var/lib/dynatrace/remotepluginmodule/log/extensions/datasources and on Windows at: C:\ProgramData\dynatrace\remotepluginmodule\log\extensions\datasources.
The extension uses four methods to discover certificates.
Certificate Auto-discovery. When the extension is deployed locally (on a host with the OneAgent), the extension uses data collected by the OneAgent to collect a list of processes that have listening ports bound to them. Using this information, the extension then attempts to establish a connection on that port and load any certificates that are present.
Windows Active Port Discovery. On Windows hosts, in cases where the OneAgent does not have port information for a particular technology, Active Port Discovery can be used. This feature requires the use of the Get-NetTCPConnection PowerShell tool on Windows systems. Activating this feature will have no effect on Linux systems.
Scan Windows Certificate Stores. This feature will directly scan the Windows Certificate Store for certificates. This feature uses PowerShell on Windows systems. Activating this feature will have no effect on Linux systems. This method allows the extension to know which Certificate Store the certificate is stored in.
Remote Domain Discovery. When the extension is deployed on an ActiveGate, certificate monitoring by domain name is possible. This type of monitoring requires that the ActiveGate running the extension has access to the domains that are provided. Adjustments to networking and firewall rules may be required. Based on the list of domains supplied, the extension attempts to establish a connection and load any certificates that are present. When using this method, the extension has no knowledge of the host the certificate is stored on and is unable to form a relationship between the certificate and a host.
Once a certificate is collected, it is parsed and useful metadata is collected and pushed to Dynatrace. This information is then available in the form of Certificate entities that, where possible, are related to the host and process that they are discovered through. The default behavior of the extension is to create alerts based on the expiration dates of the certificate.
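The probe-parse-alert path described above, as an added example written for this page rather than code from the extension: it opens a TLS connection to one host and port (sending SNI), reads the leaf certificate in DER form, walks the DER to validity.notAfter, and maps that date to the AVAILABILITY, ERROR and RESOURCE levels. The stage thresholds, the suppression window for long-expired certificates, the function names and the constructed certificate blob used for offline checking are all assumptions. A port that answers but does not complete a TLS handshake is reported as a separate outcome, which is the situation the port blocklist exists for. Certificate verification is switched off deliberately, because the goal is to inventory certificates, including self-signed and internal ones, not to trust them; do not reuse that context for anything that relies on the peer's identity.

```python
"""Added example (not the extension's own code): probe one listening port the
way the auto-discovery and domain checks described above do, pull the leaf
certificate, read its notAfter date and map it to an alert level.
Thresholds below are hypothetical; the real windows are whatever is set in
the monitoring configuration."""
import socket
import ssl
from datetime import datetime, timedelta, timezone

RENEWAL_WINDOW_DAYS = 30          # Stage 1 "expiration soon"     -> RESOURCE
IMMINENT_DAYS = 7                 # Stage 2 "expiration imminent" -> ERROR
SUPPRESS_EXPIRED_AFTER_DAYS = 90  # "deactivate alerts for certificates > x days old"


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def not_after_from_der(der):
    """Walk a DER X.509 certificate to validity.notAfter (aware UTC datetime).
    Certificate ::= SEQ { tbsCertificate SEQ { [0] version OPTIONAL, serialNumber,
    signature, issuer, validity SEQ { notBefore, notAfter }, ... }, ... }"""
    _, pos, _ = _tlv(der, 0)                # enter Certificate
    _, pos, _ = _tlv(der, pos)              # enter tbsCertificate
    tag, _, pos = _tlv(der, pos)            # [0] version, or serialNumber if absent
    if tag == 0xA0:
        _, _, pos = _tlv(der, pos)          # skip serialNumber
    for _ in range(2):                      # skip signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)              # enter validity
    _, _, pos = _tlv(der, pos)              # skip notBefore
    tag, start, end = _tlv(der, pos)        # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def classify(not_after, now=None):
    """Map notAfter to the alert level the extension would raise, or None."""
    remaining = not_after - (now or datetime.now(timezone.utc))
    if remaining < timedelta(0):
        if -remaining > timedelta(days=SUPPRESS_EXPIRED_AFTER_DAYS):
            return None                     # long-expired leftover, suppressed
        return "AVAILABILITY"               # expired
    if remaining <= timedelta(days=IMMINENT_DAYS):
        return "ERROR"                      # Stage 2
    if remaining <= timedelta(days=RENEWAL_WINDOW_DAYS):
        return "RESOURCE"                   # Stage 1
    return None


def fetch_peer_cert_der(host, port, sni=None, timeout=5.0):
    """TLS-connect and return the leaf certificate as DER, or None when the port
    answers but does not speak TLS (the case the port blocklist exists for).
    Verification is off on purpose: read the certificate, do not trust it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
                return tls.getpeercert(binary_form=True)
        except (ssl.SSLError, ConnectionError, socket.timeout):
            return None


def check_port(host, port, now=None):
    """One discovery attempt: ('unreachable', None), ('no_tls', None) or ('cert', level)."""
    try:
        der = fetch_peer_cert_der(host, port)
    except OSError:                         # refused, no route, DNS failure, timeout
        return ("unreachable", None)
    if der is None:
        return ("no_tls", None)
    return ("cert", classify(not_after_from_der(der), now))


def _der(tag, payload):
    """Minimal DER encoder used only to build constructed test input."""
    n = len(payload)
    length = bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload


def constructed_cert_der(not_before, not_after):
    """Constructed test input with the TBSCertificate field order above; it is
    not a signed or otherwise valid certificate, only enough DER to parse."""
    def utctime(d):
        return _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = (_der(0xA0, _der(0x02, b"\x02"))       # [0] version v3
           + _der(0x02, b"\x01")                 # serialNumber
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
           + _der(0x30, b"")                     # issuer (empty Name)
           + _der(0x30, utctime(not_before) + utctime(not_after)))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


if __name__ == "__main__":
    print(check_port("example.com", 443))   # needs network; everything else runs offline
```

The hand-written DER walk reads only the notAfter field and trusts the certificate's own structure; for production use, parse the DER with a real X.509 library so that subject, SANs and issuer are available for the metadata the extension records, and so that malformed input does not raise from deep inside a byte walk.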
Annual DDU consumption is calculated using the following formula:
<# of discovered certificates> x <24 / certificate check interval (hours)> x 365 x 0.001.
For example, a single certificate checked every eight hours will consume ~1.1 (1 x (24/8) x 365 x 0.001) DDUs per year.
Most auto-discovery failures are due to lack of port metadata within Dynatrace monitored processes. If auto-discovery fails, the Monitor by domain feature will cover some scenarios. This feature allows the monitoring of certificates by a domain name.
Future versions will expand auto-discovery to cover a wider range of scenarios.
Please open a support ticket with Dynatrace Support to document your use case—it will help improve future versions.
When activating your extension using a monitoring configuration, you can limit monitoring to one of the feature sets. To work properly, the extension has to collect at least one metric after activation.
In highly segmented networks, feature sets can reflect the segments of your environment. Then, when you create a monitoring configuration, you can select a feature set and a corresponding ActiveGate group that can connect to this particular segment.
All metrics that aren't categorized into any feature set are considered to be the default and are always reported.
A metric inherits the feature set of a subgroup, which in turn inherits the feature set of a group. Also, the feature set defined on the metric level overrides the feature set defined on the subgroup level, which in turn overrides the feature set defined on the group level.
| Metric name | Metric key | Description |
|---|---|---|
| Certificate status | certificate.monitor.status | The status of detected certificates |