
Javier Fernandez-Sanguino

  1. 4 votes
    4 comments  ·  General  ·  Admin →
    One important thing to note here is that having an invalid certificate does NOT prevent the expiration notifications. This is independent so you can keep an "invalid" certificate forever (updown will not notify you again about this) and still benefit from expiration warnings. This way we already kind of "tolerate" this use-case of running a non-publicly trusted certificate.


    About the suggested changes, I would like to avoid the custom cert/CA UI because that's a lot of added complexity for a very small use-case among my clients. It'll also generate more support, as people will wonder what this does, try to upload other certificates, it'll be annoying for self-signed certificates, etc... The UI to manually "acknowledge" that one cert should be considered valid, though, sounds more doable for me. I'll keep this suggestion to track the demand and will probably add this someday.

    Javier Fernandez-Sanguino commented  · 

    Apologies for the late reply @Adrien, let me give you some example sites using certificates signed by a non-public Certificate Authority:
    https://ws-aps.priv.bde.es and https://ws-prs.priv.bde.es.

    Both of these sites use certificates signed by the Certification Authority of the national Central Bank of Spain (Banco de España). The certificates of this PKI are available here: https://pki.bde.es/pkibde/en/menu/certificados_pki/.

    The public keys of these CA certificates are attached. Once installed it should be possible to validate the certificates used in the above sites.

    Javier Fernandez-Sanguino commented  · 

    I would like to propose this is implemented. There are organisations who run their own Certificate Authority which is valid as an "advanced" certificate authority in the European Union. These CAs are used to generate certificates for all their employees (used for signature, encryption and authentication) and also for internal corporate services, some of which are published over the Internet.

    As these services are used only by their employees (who have the CA installed in the corporate devices, including laptops and mobiles), the services need not use certificates from a "publicly" recognised CA.

    When monitoring these services via updown.io these are reported as having an SSL error (Error code 19: self signed certificate in chain). However, these are perfectly legitimate certificates.

    From a monitoring point of view it would be great if a user could import the CA certificate chain and remove these errors (from their monitoring instances only). The problem with marking certs as "valid" is that the tool might not be able to detect potential certificate errors (e.g. certificate expired) which one would like to detect and solve.

    Javier Fernandez-Sanguino supported this idea  · 
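
The two checks discussed in this thread (chain trust, which fails with error 19 for a private CA, and expiry, which can still be monitored) can be kept independent, as this added example shows. It is not updown.io's code or part of the original comments; `make_demo_pki` and `check_cert` are hypothetical helper names, the certificates are constructed locally, and the `openssl` CLI is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example: all certificates are constructed locally; no network access.

# make_demo_pki DIR DAYS: private root CA plus one leaf valid for DAYS days.
make_demo_pki() {
  local d="$1" days="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo Private Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=service.internal.example" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days "$days" -out "$d/leaf.pem" 2>/dev/null
}

# check_cert LEAF SENT_CHAIN WARN_DAYS [IMPORTED_CA]
# Prints "trust=<ok|fail(N)> expiry=<ok|soon>". The two results are computed
# independently, so an untrusted chain never hides an approaching expiry.
check_cert() {
  local leaf="$1" sent="$2" warn_days="$3" ca="${4:-}" out code trust expiry=soon
  if [ -n "$ca" ]; then
    set -- -CAfile "$ca"          # user-imported private CA is a trust anchor
  else
    set -- -untrusted "$sent"     # chain as sent by the server, not trusted
  fi
  if out=$(openssl verify "$@" "$leaf" 2>&1); then
    trust=ok
  else
    # Extract the numeric verify error (19 = self-signed cert in chain).
    code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at.*/\1/p' | head -n 1)
    trust="fail(${code:-?})"
  fi
  # -checkend exits 0 only if the cert is still valid WARN_DAYS from now.
  if openssl x509 -in "$leaf" -noout -checkend $((warn_days * 86400)) >/dev/null; then
    expiry=ok
  fi
  echo "trust=$trust expiry=$expiry"
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir" 5
check_cert "$demo_dir/leaf.pem" "$demo_dir/ca.pem" 14                     # default trust store
check_cert "$demo_dir/leaf.pem" "$demo_dir/ca.pem" 14 "$demo_dir/ca.pem"  # private CA imported
```

With the private CA imported, the trust result changes while the expiry warning for the 5-day leaf stays in place, which is the behaviour the feature request asks for.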
