Import CA for all checks, or import "valid" certificate by check
For some reason, we have certificats only valide by our internal CA Root (not validate by a CA Authority) for disable warn/fail but keep expiration feature we need one of those feature:
- import cert by service
- import ca root by account
- an interface validation to valide the actual certificate.
One important thing to note here is that having an invalid certificate does NOT prevent the expiration notifications. This is independent so you can keep an "invalid" certificate forever (updown will not notify you again about this) and still benefit from expiration warnings. This way we already kind of "tolerate" this use-case of running a non-publicly trusted certificate.
About the suggested changes, I would like to avoid the custom cert/CA UI because that's a lot of added complexity for a very small use-case among my clients. It'll generate more support also as people will wonder what this do, try to upload other certificates, it'll be annoying for self-signed certificates, etc... The UI to manually "acknowledge" that one cert should be considered valid though sounds more doable for me, I'll keep this suggestion to track the demand and will probably add this someday.
Thanks @Javier, I made a longer reply by email but the TL;DR for people following this suggestion is that these websites not only use a custom CA cert, they also require TLS Client Certificates. So even implementing custom CA root cert would not be enough, and implementing also client certificates makes the endaevor quite bigger. The clients who needs this are very few and mostly enterprise which updown does not target. So I'm not gonna move ahead on this one, but I'm keeping the suggestion open to gather interest for later, and so I can notify you in case of changes.
The "acknowledge" mentionned earlier might be implemented but it wouldn't help well in @Javier case and there's dozens of way to implement this so I'm still waiting for more occurences and experience before doing it.
Javier Fernandez-Sanguino commented
Both of these sites use certificates signed by the Certification Authority of the national Central Bank of Spain (Banco de España) . The certificates of this PKI are available here: https://pki.bde.es/pkibde/en/menu/certificados_pki/ .
The public keys of these CA certificates are attached. Once installed it should be possible to validate the certificates used in the above sites.
Thanks for your feedback @Javier. Do you have some example websites and the associated CA public key so I can run some tests? You can send this to email@example.com. Thanks.
Javier Fernandez-Sanguino commented
I would like to propose this is implemented. There are organisation who run their own Certificate Authority which is valid as "advanced" certificate authority in the European Union. These CAs are used to generate certificates for all its employees (used for signature, encryption and authenticatoin) and also for internal corporate services, some of which are published over the Internet.
As these services are used only by their employees (which have the CA installed in the corporate devices including laptops and mobiles) the services need not use certificates from a "publicly" recognise CA.
When monitoring these services via updown.io these are reported as having a SSL error (Error code 19: self signed certificate in chain) . However, these are perfectly legitimate certificates.
From a monitoring point of view it would be great if a user could import the CA certificate chain and remove these errors (from their monitoring instances only). The problem with marking certs as "valid" is that the tool might not be able to detect potential certificate errors (e.g. certificate expired) which one would like to detect an solve.