by justin_oaks
1596 days ago
I tried looking for more information, but all I can see without logging in is the basics put up on the front page. So, I'll ask my questions here. Is expiration monitoring done solely through certificate transparency logs or also by connecting to the host? I assume both, but I couldn't find a confirmation of this. Can the service monitor hosts that aren't accessible publicly? For example, using an agent running inside a company's internal network. If the answer above is "Yes" then a follow up question is:
Does this service support certificate checking for certificates that aren't on certificate transparency logs? That is, certificates generated from a company's internal certificate authority.
> Is expiration monitoring done solely through certificate transparency logs or also by connecting to the host?
For every detected host, the app periodically performs an SSL handshake (HTTPS only), and checks for the expiration of the served cert. CT is used to detect new certs, and extract relevant hosts from these certs.
> Can the service monitor hosts that aren't accessible publicly?
Nope, this runs as a Heroku app right now, and will work with publicly accessible HTTPS-serving hosts only.
> Does this service support certificate checking for certificates that aren't on certificate transparency logs?
Yes, CT is used to detect new hosts automatically. The app also relies on the SANs of the certs it finds, spreading as wide as possible within the domain of interest. The actual checking of certs is a simple HTTPS handshake and inspection of the served cert.
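The two mechanisms described in the reply above (a plain HTTPS handshake to read the served certificate's expiry, and harvesting the certificate's SANs to discover further hosts within the domain of interest) are easy to reproduce with Python's standard library. The following is an added example written for this thread, not the service's own code: `fetch_cert` does the live handshake, and `days_until_expiry`, `san_hostnames` and `classify` operate on the dictionary shape that `ssl.SSLSocket.getpeercert()` returns, so they can be exercised offline against `SAMPLE_CERT`, a constructed certificate record (the hostnames, dates, 14-day warning threshold and `REFERENCE_NOW` are all assumptions made for the example).

```python
import socket
import ssl
import sys
from datetime import datetime, timezone


def fetch_cert(host, port=443, timeout=5.0):
    """Perform a TLS handshake with a publicly reachable host and return
    the served leaf certificate as the dict getpeercert() produces.
    The default context verifies the chain and hostname, so an invalid
    certificate raises ssl.SSLCertVerificationError instead of being
    silently accepted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_until_expiry(cert, now=None):
    """Days remaining before the certificate's notAfter (negative if expired).
    ssl.cert_time_to_seconds parses the 'Mon DD HH:MM:SS YYYY GMT' format
    used in getpeercert() output and interprets it as UTC."""
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (not_after - now).total_seconds() / 86400


def san_hostnames(cert, domain):
    """Collect DNS SANs that fall within the domain of interest; this is the
    'spreading' step that turns one observed cert into more hosts to check.
    Wildcard entries cannot be connected to directly, so they are reduced to
    their base name."""
    domain = domain.lower()
    names = set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = value.lower()
        if name.startswith("*."):
            name = name[2:]
        if name == domain or name.endswith("." + domain):
            names.add(name)
    return sorted(names)


def classify(cert, domain, warn_days=14, now=None):
    """Summarise one checked certificate: expiry status plus newly
    discovered in-scope hostnames."""
    days = days_until_expiry(cert, now)
    if days < 0:
        status = "expired"
    elif days < warn_days:
        status = "expiring"
    else:
        status = "ok"
    return {"status": status, "days_left": days,
            "discovered": san_hostnames(cert, domain)}


# Constructed sample record in getpeercert() shape (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar  1 00:00:00 2024 GMT",
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "*.api.example.com"),
        ("DNS", "example.com"),
        ("DNS", "other.org"),          # out of scope for example.com
        ("IP Address", "192.0.2.1"),   # not a DNS name, ignored
    ),
}

# Fixed "current time" so the offline demo is deterministic (assumption).
REFERENCE_NOW = datetime(2024, 2, 20, tzinfo=timezone.utc)


def demo():
    """Run the offline classification against the constructed sample."""
    return classify(SAMPLE_CERT, "example.com", now=REFERENCE_NOW)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check of a public host, e.g. `python check.py www.example.com`
        host = sys.argv[1]
        domain = host.split(".", 1)[-1] if "." in host else host
        print(classify(fetch_cert(host), domain))
    else:
        print(demo())
```

Run without arguments to see the offline result on the sample record (ten days left, so it reports `expiring` and discovers `api.example.com`, `example.com` and `www.example.com`); pass a hostname to perform the same handshake-and-inspect check the reply describes against a publicly reachable HTTPS host. The discovered names would feed back into the list of hosts to check, which is how the service widens its coverage from a single CT-observed certificate.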