This template is for Zabbix version: 7.0

Also available for: 6.4 6.2 6.0 5.4 5.0

Source: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/app/certificate_agent2?at=release/7.0

Website certificate by Zabbix agent 2

Overview

The template to monitor TLS/SSL certificate on the website by Zabbix agent 2 that works without any external scripts. Zabbix agent 2 with the WebCertificate plugin requests certificate using the web.certificate.get key and returns JSON with certificate attributes.

Requirements

Zabbix version: 7.0 and higher.

Tested versions

This template has been tested on:

Website TLS/SSL certificate

Configuration

Zabbix should be configured according to the instructions in the Templates out of the box section.

Setup

1. Setup and configure zabbix-agent2 with the WebCertificate plugin.

2. Test availability: zabbix_get -s <zabbix_agent_addr> -k web.certificate.get[<website_DNS_name>]

3. Create a host for the TLS/SSL certificate with Zabbix agent interface.

4. Link the template to the host.

5. Customize the value of {$CERT.WEBSITE.HOSTNAME} macro.

Macros used

Name	Description	Default
{$CERT.EXPIRY.WARN}	Number of days until the certificate expires.	`7`
{$CERT.WEBSITE.HOSTNAME}	The website DNS name for the connection.	`<Put DNS name>`
{$CERT.WEBSITE.PORT}	The TLS/SSL port number of the website.	`443`
{$CERT.WEBSITE.IP}	The website IP address for the connection.

Items

Name	Description	Type	Key and additional info
Get	Returns the JSON with attributes of a certificate of the requested site.	Zabbix agent	web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}] Preprocessing Discard unchanged with heartbeat: `6h`
Validation result	The certificate validation result. Possible values: valid/invalid/valid-but-self-signed	Dependent item	cert.validation Preprocessing JSON Path: `$.result.value`
Last validation status	Last check result message.	Dependent item	cert.message Preprocessing JSON Path: `$.result.message`
Version	The version of the encoded certificate.	Dependent item	cert.version Preprocessing JSON Path: `$.x509.version`
Serial number	The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero.	Dependent item	cert.serial_number Preprocessing JSON Path: `$.x509.serial_number`
Signature algorithm	The algorithm identifier for the algorithm used by the CA to sign the certificate.	Dependent item	cert.signature_algorithm Preprocessing JSON Path: `$.x509.signature_algorithm`
Issuer	The field identifies the entity that has signed and issued the certificate.	Dependent item	cert.issuer Preprocessing JSON Path: `$.x509.issuer`
Valid from	The date on which the certificate validity period begins.	Dependent item	cert.not_before Preprocessing JSON Path: `$.x509.not_before.timestamp`
Expires on	The date on which the certificate validity period ends.	Dependent item	cert.not_after Preprocessing JSON Path: `$.x509.not_after.timestamp`
Subject	The field identifies the entity associated with the public key stored in the subject public key field.	Dependent item	cert.subject Preprocessing JSON Path: `$.x509.subject`
Subject alternative name	The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI).	Dependent item	cert.alternative_names Preprocessing JSON Path: `$.x509.alternative_names`
Public key algorithm	The digital signature algorithm is used to verify the signature of a certificate.	Dependent item	cert.public_key_algorithm Preprocessing JSON Path: `$.x509.public_key_algorithm`
Fingerprint	The Certificate Signature (SHA1 Fingerprint or Thumbprint) is the hash of the entire certificate in DER form.	Dependent item	cert.sha1_fingerprint Preprocessing JSON Path: `$.sha1_fingerprint`

Triggers

Name	Description	Expression	Severity	Dependencies and additional info
SSL certificate is invalid	SSL certificate has expired or it is issued for another domain.	`find(/Website certificate by Zabbix agent 2/cert.validation,,"like","invalid")=1`	High
SSL certificate expires soon	The SSL certificate should be updated or it will become untrusted.	`(last(/Website certificate by Zabbix agent 2/cert.not_after) - now()) / 86400 < {$CERT.EXPIRY.WARN}`	Warning	Depends on: SSL certificate is invalid
Fingerprint has changed	The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Acknowledge to close the problem manually. There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger.	`last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint) <> last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint,#2)`	Info	Manual close: Yes

Feedback

Please report any issues with the template at https://support.zabbix.com

You can also provide feedback, discuss the template, or ask for help at ZABBIX forums

This template is for Zabbix version: 6.4

Also available for: 7.0 6.2 6.0 5.4 5.0

Source: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/app/certificate_agent2?at=release/6.4

Website certificate by Zabbix agent 2

Overview

The template to monitor TLS/SSL certificate on the website by Zabbix agent 2 that works without any external scripts. Zabbix agent 2 with the WebCertificate plugin requests certificate using the web.certificate.get key and returns JSON with certificate attributes.

Requirements

Zabbix version: 6.4 and higher.

Tested versions

This template has been tested on:

Website TLS/SSL certificate

Configuration

Zabbix should be configured according to the instructions in the Templates out of the box section.

Setup

1. Setup and configure zabbix-agent2 with the WebCertificate plugin.

2. Test availability: zabbix_get -s <zabbix_agent_addr> -k web.certificate.get[<website_DNS_name>]

3. Create a host for the TLS/SSL certificate with Zabbix agent interface.

4. Link the template to the host.

5. Customize the value of {$CERT.WEBSITE.HOSTNAME} macro.

Macros used

Name	Description	Default
{$CERT.EXPIRY.WARN}	Number of days until the certificate expires.	`7`
{$CERT.WEBSITE.HOSTNAME}	The website DNS name for the connection.	`<Put DNS name>`
{$CERT.WEBSITE.PORT}	The TLS/SSL port number of the website.	`443`
{$CERT.WEBSITE.IP}	The website IP address for the connection.

Items

Name	Description	Type	Key and additional info
Cert: Get	Returns the JSON with attributes of a certificate of the requested site.	Zabbix agent	web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}] Preprocessing Discard unchanged with heartbeat: `6h`
Cert: Validation result	The certificate validation result. Possible values: valid/invalid/valid-but-self-signed	Dependent item	cert.validation Preprocessing JSON Path: `$.result.value`
Cert: Last validation status	Last check result message.	Dependent item	cert.message Preprocessing JSON Path: `$.result.message`
Cert: Version	The version of the encoded certificate.	Dependent item	cert.version Preprocessing JSON Path: `$.x509.version`
Cert: Serial number	The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero.	Dependent item	cert.serial_number Preprocessing JSON Path: `$.x509.serial_number`
Cert: Signature algorithm	The algorithm identifier for the algorithm used by the CA to sign the certificate.	Dependent item	cert.signature_algorithm Preprocessing JSON Path: `$.x509.signature_algorithm`
Cert: Issuer	The field identifies the entity that has signed and issued the certificate.	Dependent item	cert.issuer Preprocessing JSON Path: `$.x509.issuer`
Cert: Valid from	The date on which the certificate validity period begins.	Dependent item	cert.not_before Preprocessing JSON Path: `$.x509.not_before.timestamp`
Cert: Expires on	The date on which the certificate validity period ends.	Dependent item	cert.not_after Preprocessing JSON Path: `$.x509.not_after.timestamp`
Cert: Subject	The field identifies the entity associated with the public key stored in the subject public key field.	Dependent item	cert.subject Preprocessing JSON Path: `$.x509.subject`
Cert: Subject alternative name	The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI).	Dependent item	cert.alternative_names Preprocessing JSON Path: `$.x509.alternative_names`
Cert: Public key algorithm	The digital signature algorithm is used to verify the signature of a certificate.	Dependent item	cert.public_key_algorithm Preprocessing JSON Path: `$.x509.public_key_algorithm`
Cert: Fingerprint	The Certificate Signature (SHA1 Fingerprint or Thumbprint) is the hash of the entire certificate in DER form.	Dependent item	cert.sha1_fingerprint Preprocessing JSON Path: `$.sha1_fingerprint`

Triggers

Name	Description	Expression	Severity	Dependencies and additional info
Cert: SSL certificate is invalid	SSL certificate has expired or it is issued for another domain.	`find(/Website certificate by Zabbix agent 2/cert.validation,,"like","invalid")=1`	High
Cert: SSL certificate expires soon	The SSL certificate should be updated or it will become untrusted.	`(last(/Website certificate by Zabbix agent 2/cert.not_after) - now()) / 86400 < {$CERT.EXPIRY.WARN}`	Warning	Depends on: Cert: SSL certificate is invalid
Cert: Fingerprint has changed	The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Acknowledge to close the problem manually. There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger.	`last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint) <> last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint,#2)`	Info	Manual close: Yes

Feedback

Please report any issues with the template at https://support.zabbix.com

You can also provide feedback, discuss the template, or ask for help at ZABBIX forums

This template is for Zabbix version: 6.2

Also available for: 7.0 6.4 6.0 5.4 5.0

Source: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/app/certificate_agent2?at=release/6.2

Website certificate by Zabbix agent 2

Overview

For Zabbix version: 6.2 and higher
The template to monitor TLS/SSL certificate on the website by Zabbix agent 2 that works without any external scripts. Zabbix agent 2 with the WebCertificate plugin requests certificate using the web.certificate.get key and returns JSON with certificate attributes.

Setup

See Zabbix template operation for basic instructions.

1. Setup and configure zabbix-agent2 with the WebCertificate plugin.

2. Test availability: zabbix_get -s <zabbix_agent_addr> -k web.certificate.get[<website_DNS_name>]

3. Create a host for the TLS/SSL certificate with Zabbix agent interface.

4. Link the template to the host.

5. Customize the value of {$CERT.WEBSITE.HOSTNAME} macro.

Zabbix configuration

No specific Zabbix configuration is required.

Macros used

Name	Description	Default
{$CERT.EXPIRY.WARN}	Number of days until the certificate expires.	`7`
{$CERT.WEBSITE.HOSTNAME}	The website DNS name for the connection.	`<Put DNS name>`
{$CERT.WEBSITE.IP}	The website IP address for the connection.	``
{$CERT.WEBSITE.PORT}	The TLS/SSL port number of the website.	`443`

Template links

There are no template links in this template.

Discovery rules

Items collected

Group	Name	Description	Type	Key and additional info
General	Cert: Validation result	The certificate validation result. Possible values: valid/invalid/valid-but-self-signed	DEPENDENT	cert.validation Preprocessing: - JSONPATH: `$.result.value`
General	Cert: Last validation status	Last check result message.	DEPENDENT	cert.message Preprocessing: - JSONPATH: `$.result.message`
General	Cert: Version	The version of the encoded certificate.	DEPENDENT	cert.version Preprocessing: - JSONPATH: `$.x509.version`
General	Cert: Serial number	The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero.	DEPENDENT	cert.serial_number Preprocessing: - JSONPATH: `$.x509.serial_number`
General	Cert: Signature algorithm	The algorithm identifier for the algorithm used by the CA to sign the certificate.	DEPENDENT	cert.signature_algorithm Preprocessing: - JSONPATH: `$.x509.signature_algorithm`
General	Cert: Issuer	The field identifies the entity that has signed and issued the certificate.	DEPENDENT	cert.issuer Preprocessing: - JSONPATH: `$.x509.issuer`
General	Cert: Valid from	The date on which the certificate validity period begins.	DEPENDENT	cert.not_before Preprocessing: - JSONPATH: `$.x509.not_before.timestamp`
General	Cert: Expires on	The date on which the certificate validity period ends.	DEPENDENT	cert.not_after Preprocessing: - JSONPATH: `$.x509.not_after.timestamp`
General	Cert: Subject	The field identifies the entity associated with the public key stored in the subject public key field.	DEPENDENT	cert.subject Preprocessing: - JSONPATH: `$.x509.subject`
General	Cert: Subject alternative name	The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI).	DEPENDENT	cert.alternative_names Preprocessing: - JSONPATH: `$.x509.alternative_names`
General	Cert: Public key algorithm	The digital signature algorithm is used to verify the signature of a certificate.	DEPENDENT	cert.public_key_algorithm Preprocessing: - JSONPATH: `$.x509.public_key_algorithm`
General	Cert: Fingerprint	The Certificate Signature (SHA1 Fingerprint or Thumbprint) is the hash of the entire certificate in DER form.	DEPENDENT	cert.sha1_fingerprint Preprocessing: - JSONPATH: `$.sha1_fingerprint`
Zabbix raw items	Cert: Get	Returns the JSON with attributes of a certificate of the requested site.	ZABBIX_PASSIVE	web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}] Preprocessing: - DISCARD_UNCHANGED_HEARTBEAT: `6h`

Triggers

Name Description Expression Severity Dependencies and additional info

Cert: SSL certificate is invalid

Name	Description	Expression	Severity	Dependencies and additional info
Cert: SSL certificate is invalid	SSL certificate has expired or it is issued for another domain.	`find(/Website certificate by Zabbix agent 2/cert.validation,,"like","invalid")=1`	HIGH
Cert: SSL certificate expires soon	The SSL certificate should be updated or it will become untrusted.	`(last(/Website certificate by Zabbix agent 2/cert.not_after) - now()) / 86400 < {$CERT.EXPIRY.WARN}`	WARNING	Depends on: - Cert: SSL certificate is invalid
Cert: Fingerprint has changed	The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Ack to close. There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger.	`last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint) <> last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint,#2)`	INFO	Manual close: YES

SSL certificate has expired or it is issued for another domain.

find(/Website certificate by Zabbix agent 2/cert.validation,,"like","invalid")=1

HIGH

Cert: SSL certificate expires soon

The SSL certificate should be updated or it will become untrusted.

(last(/Website certificate by Zabbix agent 2/cert.not_after) - now()) / 86400 < {$CERT.EXPIRY.WARN}

WARNING

Depends on:

- Cert: SSL certificate is invalid

Cert: Fingerprint has changed

The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Ack to close.

There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger.

last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint) <> last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint,#2)

INFO

Manual close: YES

Feedback

Please report any issues with the template at https://support.zabbix.com

You can also provide feedback, discuss the template or ask for help with it at ZABBIX forums.

This template is for Zabbix version: 6.0

Also available for: 7.0 6.4 6.2 5.4 5.0

Source: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/app/certificate_agent2?at=release/6.0

Website certificate by Zabbix agent 2

Overview

The template to monitor TLS/SSL certificate on the website by Zabbix agent 2 that works without any external scripts. Zabbix agent 2 with the WebCertificate plugin requests certificate using the web.certificate.get key and returns JSON with certificate attributes.

Requirements

Zabbix version: 6.0 and higher.

Tested versions

This template has been tested on:

Website TLS/SSL certificate

Configuration

Zabbix should be configured according to the instructions in the Templates out of the box section.

Setup

1. Setup and configure zabbix-agent2 with the WebCertificate plugin.

2. Test availability: zabbix_get -s <zabbix_agent_addr> -k web.certificate.get[<website_DNS_name>]

3. Create a host for the TLS/SSL certificate with Zabbix agent interface.

4. Link the template to the host.

5. Customize the value of {$CERT.WEBSITE.HOSTNAME} macro.

Macros used

Name	Description	Default
{$CERT.EXPIRY.WARN}	Number of days until the certificate expires.	`7`
{$CERT.WEBSITE.HOSTNAME}	The website DNS name for the connection.	`<Put DNS name>`
{$CERT.WEBSITE.PORT}	The TLS/SSL port number of the website.	`443`
{$CERT.WEBSITE.IP}	The website IP address for the connection.

Items

Name	Description	Type	Key and additional info
Cert: Get	Returns the JSON with attributes of a certificate of the requested site.	Zabbix agent	web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}] Preprocessing Discard unchanged with heartbeat: `6h`
Cert: Validation result	The certificate validation result. Possible values: valid/invalid/valid-but-self-signed	Dependent item	cert.validation Preprocessing JSON Path: `$.result.value`
Cert: Last validation status	Last check result message.	Dependent item	cert.message Preprocessing JSON Path: `$.result.message`
Cert: Version	The version of the encoded certificate.	Dependent item	cert.version Preprocessing JSON Path: `$.x509.version`
Cert: Serial number	The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero.	Dependent item	cert.serial_number Preprocessing JSON Path: `$.x509.serial_number`
Cert: Signature algorithm	The algorithm identifier for the algorithm used by the CA to sign the certificate.	Dependent item	cert.signature_algorithm Preprocessing JSON Path: `$.x509.signature_algorithm`
Cert: Issuer	The field identifies the entity that has signed and issued the certificate.	Dependent item	cert.issuer Preprocessing JSON Path: `$.x509.issuer`
Cert: Valid from	The date on which the certificate validity period begins.	Dependent item	cert.not_before Preprocessing JSON Path: `$.x509.not_before.timestamp`
Cert: Expires on	The date on which the certificate validity period ends.	Dependent item	cert.not_after Preprocessing JSON Path: `$.x509.not_after.timestamp`
Cert: Subject	The field identifies the entity associated with the public key stored in the subject public key field.	Dependent item	cert.subject Preprocessing JSON Path: `$.x509.subject`
Cert: Subject alternative name	The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI).	Dependent item	cert.alternative_names Preprocessing JSON Path: `$.x509.alternative_names`
Cert: Public key algorithm	The digital signature algorithm is used to verify the signature of a certificate.	Dependent item	cert.public_key_algorithm Preprocessing JSON Path: `$.x509.public_key_algorithm`
Cert: Fingerprint	The Certificate Signature (SHA1 Fingerprint or Thumbprint) is the hash of the entire certificate in DER form.	Dependent item	cert.sha1_fingerprint Preprocessing JSON Path: `$.sha1_fingerprint`

Triggers

Name	Description	Expression	Severity	Dependencies and additional info
Cert: SSL certificate is invalid	SSL certificate has expired or it is issued for another domain.	`find(/Website certificate by Zabbix agent 2/cert.validation,,"like","invalid")=1`	High
Cert: SSL certificate expires soon	The SSL certificate should be updated or it will become untrusted.	`(last(/Website certificate by Zabbix agent 2/cert.not_after) - now()) / 86400 < {$CERT.EXPIRY.WARN}`	Warning	Depends on: Cert: SSL certificate is invalid
Cert: Fingerprint has changed	The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Acknowledge to close the problem manually. There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger.	`last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint) <> last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint,#2)`	Info	Manual close: Yes

Feedback

Please report any issues with the template at https://support.zabbix.com

You can also provide feedback, discuss the template, or ask for help at ZABBIX forums

This template is for Zabbix version: 5.4

Also available for: 7.0 6.4 6.2 6.0 5.0

Source: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/app/certificate_agent2?at=release/5.4

Website certificate by Zabbix agent 2

Overview

For Zabbix version: 5.4 and higher
The template to monitor TLS/SSL certificate on the website by Zabbix agent 2 that works without any external scripts. Zabbix agent 2 with the WebCertificate plugin requests certificate using the web.certificate.get key and returns JSON with certificate attributes.

Setup

See Zabbix template operation for basic instructions.

1. Setup and configure zabbix-agent2 with the WebCertificate plugin.

2. Test availability: zabbix_get -s <zabbix_agent_addr> -k web.certificate.get[<website_DNS_name>]

3. Create a host for the TLS/SSL certificate with Zabbix agent interface.

4. Link the template to the host.

5. Customize the value of {$CERT.WEBSITE.HOSTNAME} macro.

Zabbix configuration

No specific Zabbix configuration is required.

Macros used

Name	Description	Default
{$CERT.EXPIRY.WARN}	Number of days until the certificate expires.	`7`
{$CERT.WEBSITE.HOSTNAME}	The website DNS name for the connection.	`<Put DNS name>`
{$CERT.WEBSITE.IP}	The website IP address for the connection.	``
{$CERT.WEBSITE.PORT}	The TLS/SSL port number of the website.	`443`

Template links

There are no template links in this template.

Discovery rules

Items collected

Group	Name	Description	Type	Key and additional info
General	Cert: Validation result	The certificate validation result. Possible values: valid/invalid/valid-but-self-signed	DEPENDENT	cert.validation Preprocessing: - JSONPATH: `$.result.value`
General	Cert: Last validation status	Last check result message.	DEPENDENT	cert.message Preprocessing: - JSONPATH: `$.result.message`
General	Cert: Version	The version of the encoded certificate.	DEPENDENT	cert.version Preprocessing: - JSONPATH: `$.x509.version`
General	Cert: Serial number	The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero.	DEPENDENT	cert.serial_number Preprocessing: - JSONPATH: `$.x509.serial_number`
General	Cert: Signature algorithm	The algorithm identifier for the algorithm used by the CA to sign the certificate.	DEPENDENT	cert.signature_algorithm Preprocessing: - JSONPATH: `$.x509.signature_algorithm`
General	Cert: Issuer	The field identifies the entity that has signed and issued the certificate.	DEPENDENT	cert.issuer Preprocessing: - JSONPATH: `$.x509.issuer`
General	Cert: Valid from	The date on which the certificate validity period begins.	DEPENDENT	cert.not_before Preprocessing: - JSONPATH: `$.x509.not_before.timestamp`
General	Cert: Expires on	The date on which the certificate validity period ends.	DEPENDENT	cert.not_after Preprocessing: - JSONPATH: `$.x509.not_after.timestamp`
General	Cert: Subject	The field identifies the entity associated with the public key stored in the subject public key field.	DEPENDENT	cert.subject Preprocessing: - JSONPATH: `$.x509.subject`
General	Cert: Subject alternative name	The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI).	DEPENDENT	cert.alternative_names Preprocessing: - JSONPATH: `$.x509.alternative_names`
General	Cert: Public key algorithm	The digital signature algorithm is used to verify the signature of a certificate.	DEPENDENT	cert.public_key_algorithm Preprocessing: - JSONPATH: `$.x509.public_key_algorithm`
General	Cert: Fingerprint	The Certificate Signature (SHA1 Fingerprint or Thumbprint) is the hash of the entire certificate in DER form.	DEPENDENT	cert.sha1_fingerprint Preprocessing: - JSONPATH: `$.sha1_fingerprint`
Zabbix_raw_items	Cert: Get	Returns the JSON with attributes of a certificate of the requested site.	ZABBIX_PASSIVE	web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}] Preprocessing: - DISCARD_UNCHANGED_HEARTBEAT: `6h`

Triggers

Name Description Expression Severity Dependencies and additional info

Cert: SSL certificate is invalid

Name	Description	Expression	Severity	Dependencies and additional info
Cert: SSL certificate is invalid	SSL certificate has expired or it is issued for another domain.	`find(/Website certificate by Zabbix agent 2/cert.validation,,"like","invalid")=1`	HIGH
Cert: SSL certificate expires soon (less than {$CERT.EXPIRY.WARN} days)	The SSL certificate should be updated or it will become untrusted.	`(last(/Website certificate by Zabbix agent 2/cert.not_after) - now()) / 86400 < {$CERT.EXPIRY.WARN}`	WARNING	Depends on: - Cert: SSL certificate is invalid
Cert: Fingerprint has changed (new version: {ITEM.VALUE})	The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Ack to close. There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger.	`last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint) <> last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint,#2)`	INFO	Manual close: YES

SSL certificate has expired or it is issued for another domain.

find(/Website certificate by Zabbix agent 2/cert.validation,,"like","invalid")=1

HIGH

Cert: SSL certificate expires soon (less than {$CERT.EXPIRY.WARN} days)

The SSL certificate should be updated or it will become untrusted.

(last(/Website certificate by Zabbix agent 2/cert.not_after) - now()) / 86400 < {$CERT.EXPIRY.WARN}

WARNING

Depends on:

- Cert: SSL certificate is invalid

Cert: Fingerprint has changed (new version: {ITEM.VALUE})

The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Ack to close.

There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger.

last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint) <> last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint,#2)

INFO

Manual close: YES

Feedback

Please report any issues with the template at https://support.zabbix.com

You can also provide a feedback, discuss the template or ask for help with it at ZABBIX forums.

This template is for Zabbix version: 5.0

Also available for: 7.0 6.4 6.2 6.0 5.4

Source: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/app/certificate_agent2?at=release/5.0

Template App Website certificate by Zabbix agent 2

Overview

For Zabbix version: 5.0 and higher
The template to monitor TLS/SSL certificate on the website by Zabbix agent 2 that works without any external scripts. Zabbix agent 2 with the WebCertificate plugin requests certificate using the web.certificate.get key and returns JSON with certificate attributes.

Setup

See Zabbix template operation for basic instructions.

1. Setup and configure zabbix-agent2 with the WebCertificate plugin.

2. Test availability: zabbix_get -s <zabbix_agent_addr> -k web.certificate.get[<website_DNS_name>]

3. Create a host for the TLS/SSL certificate with Zabbix agent interface.

4. Link the template to the host.

5. Customize the value of {$CERT.WEBSITE.HOSTNAME} macro.

Zabbix configuration

No specific Zabbix configuration is required.

Macros used

Name	Description	Default
{$CERT.EXPIRY.WARN}	Number of days until the certificate expires.	`7`
{$CERT.WEBSITE.HOSTNAME}	The website DNS name for the connection.	`<Put DNS name>`
{$CERT.WEBSITE.IP}	The website IP address for the connection.	``
{$CERT.WEBSITE.PORT}	The TLS/SSL port number of the website.	`443`

Template links

There are no template links in this template.

Discovery rules

Items collected

Group	Name	Description	Type	Key and additional info
General	Cert: Validation result	The certificate validation result. Possible values: valid/invalid/valid-but-self-signed	DEPENDENT	cert.validation Preprocessing: - JSONPATH: `$.result.value`
General	Cert: Last validation status	Last check result message.	DEPENDENT	cert.message Preprocessing: - JSONPATH: `$.result.message`
General	Cert: Version	The version of the encoded certificate.	DEPENDENT	cert.version Preprocessing: - JSONPATH: `$.x509.version`
General	Cert: Serial number	The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero.	DEPENDENT	cert.serial_number Preprocessing: - JSONPATH: `$.x509.serial_number`
General	Cert: Signature algorithm	The algorithm identifier for the algorithm used by the CA to sign the certificate.	DEPENDENT	cert.signature_algorithm Preprocessing: - JSONPATH: `$.x509.signature_algorithm`
General	Cert: Issuer	The field identifies the entity that has signed and issued the certificate.	DEPENDENT	cert.issuer Preprocessing: - JSONPATH: `$.x509.issuer`
General	Cert: Valid from	The date on which the certificate validity period begins.	DEPENDENT	cert.not_before Preprocessing: - JSONPATH: `$.x509.not_before.timestamp`
General	Cert: Expires on	The date on which the certificate validity period ends.	DEPENDENT	cert.not_after Preprocessing: - JSONPATH: `$.x509.not_after.timestamp`
General	Cert: Subject	The field identifies the entity associated with the public key stored in the subject public key field.	DEPENDENT	cert.subject Preprocessing: - JSONPATH: `$.x509.subject`
General	Cert: Subject alternative name	The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI).	DEPENDENT	cert.alternative_names Preprocessing: - JSONPATH: `$.x509.alternative_names`
General	Cert: Public key algorithm	The digital signature algorithm is used to verify the signature of a certificate.	DEPENDENT	cert.public_key_algorithm Preprocessing: - JSONPATH: `$.x509.public_key_algorithm`
General	Cert: Fingerprint	The Certificate Signature (SHA1 Fingerprint or Thumbprint) is the hash of the entire certificate in DER form.	DEPENDENT	cert.sha1_fingerprint Preprocessing: - JSONPATH: `$.sha1_fingerprint`
Zabbix_raw_items	Cert: Get	Returns the JSON with attributes of a certificate of the requested site.	ZABBIX_PASSIVE	web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}] Preprocessing: - DISCARD_UNCHANGED_HEARTBEAT: `6h`

Triggers

Name Description Expression Severity Dependencies and additional info

Cert: SSL certificate is invalid

Name	Description	Expression	Severity	Dependencies and additional info
Cert: SSL certificate is invalid	SSL certificate has expired or it is issued for another domain.	`{TEMPLATE_NAME:cert.validation.str("invalid")} = 1`	HIGH
Cert: SSL certificate expires soon (less than {$CERT.EXPIRY.WARN} days)	The SSL certificate should be updated or it will become untrusted.	`({TEMPLATE_NAME:cert.not_after.last()} - {TEMPLATE_NAME:cert.not_after.now()}) / 86400 < {$CERT.EXPIRY.WARN}`	WARNING	Depends on: - Cert: SSL certificate is invalid
Cert: Fingerprint has changed (new version: {ITEM.VALUE})	The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Ack to close. There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger.	`{TEMPLATE_NAME:cert.sha1_fingerprint.diff()}=1`	INFO	Manual close: YES

SSL certificate has expired or it is issued for another domain.

{TEMPLATE_NAME:cert.validation.str("invalid")} = 1

HIGH

Cert: SSL certificate expires soon (less than {$CERT.EXPIRY.WARN} days)

The SSL certificate should be updated or it will become untrusted.

({TEMPLATE_NAME:cert.not_after.last()} - {TEMPLATE_NAME:cert.not_after.now()}) / 86400 < {$CERT.EXPIRY.WARN}

WARNING

Depends on:

- Cert: SSL certificate is invalid

Cert: Fingerprint has changed (new version: {ITEM.VALUE})

The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Ack to close.

There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger.

{TEMPLATE_NAME:cert.sha1_fingerprint.diff()}=1

INFO

Manual close: YES

Feedback

Please report any issues with the template at https://support.zabbix.com

You can also provide a feedback, discuss the template or ask for help with it at ZABBIX forums.

Link	Source	Compatibility	Type, Technology	Created Updated	Rating
Script to check validity and expiration of TLS/SSL certificate for given host, port and (optional) servername. github.com/selivan/https-ssl-cert-check-zabbix	GitHub 282		script shell	2016-06-23 4 m	Popular
SSL check LLD Main idea is monitoring several URL with SSL in one Zabbix host. Data for LLD provide JSON file.This is originally based on https://share.zabbix.com/cat-app/web-servers/ssl-certificates-check with modifications to the script and template.Added domain registration expiration check template_domain_registration_expiration_and_ssl_certificates_check_lld	GitHub Community Templates	5.0+
Web monitoring steps from Zabbix into an LLD to also monitor them for certificate expiration Allows you to turn web monitoring steps from Zabbix into an LLD to also monitor them for certificate expiration. It requires two PHP files, two UserParameters, an SQL user with SELECT permissions and this template to get up and running. github.com/albinbatman/zabbix-ssl-monitor-template	GitHub 7		Template PHP	2020-08-29 1 y
Zabbix template check ssl with python script github.com/cavazquez/zabbix_template_ssl	GitHub 3		Templates, Scripts Python	2017-04-17 2 y
zabbix ssl certificates checking github.com/jjjbushjjj/zabbix-cert-check	GitHub 3		Python	2016-12-06 4 y
Simple scripts for monitoring state of ssl certificates and http codes via zabbix. github.com/tarwirdur/zabbix-https-checker	GitHub 3		Templates, Scripts Bash	2018-05-31 2 y
Discover and monitor SSL certificates in Zabbix Scripts, Zabbix userparameters, and Zabbix templates for monitoring SSL certificate expiration from Zabbix. github.com/nbarnum/zabbix-ssl-check	GitHub 1		Templates, Scripts Python	2017-10-30 2 y
Check SSL certificate for expiration Script to check ssl github.com/moobay9/zabbix-ssl-certificate-expire-check [cn]	GitHub		Templates, Scripts Bash	2015-08-07 9 y

Get Zabbix Cloud today

Watch Zabbix demo video

Get Zabbix Cloud today

Get Zabbix Cloud today

Get Zabbix Cloud today

Zabbix + SSL

SSL

Available solutions

Website certificate by Zabbix agent 2

Overview

Requirements

Tested versions

Configuration

Setup

Macros used

Items

Triggers

Feedback

Website certificate by Zabbix agent 2

Overview

Requirements

Tested versions

Configuration

Setup

Macros used

Items

Triggers

Feedback

Website certificate by Zabbix agent 2

Overview

Setup

Zabbix configuration

Macros used

Template links

Discovery rules

Items collected

Triggers

Feedback

Website certificate by Zabbix agent 2

Overview

Requirements

Tested versions

Configuration

Setup

Macros used

Items

Triggers

Feedback

Website certificate by Zabbix agent 2

Overview

Setup

Zabbix configuration

Macros used

Template links

Discovery rules

Items collected

Triggers

Feedback

Template App Website certificate by Zabbix agent 2

Overview

Setup

Zabbix configuration

Macros used

Template links

Discovery rules

Items collected

Triggers

Feedback

Articles and documentation

Request custom integration

Propose your integration