Parameters for SSL certificates based on issuer or total lifetime

We use two different kind of TLS certificates:

  1. Let’s encrypt with automated renewal process
  2. Certificates with longer lifetime and manual renewal

As the manual process requires some time, we need higher thresholds for the warning. Is there a way to configure 30/10 days for WARN/CRIT for Let’s encrypt and 60/30 days for other certificates without having to explicitly select hosts in the rule?

Maybe you can give the smallest collection of hosts a host label to base your rule on for change of state configuration. Example: ssl/alternative:yes

1 Like

maybe @r.sander’s data2label from Checkmk Exchange can even set the label for you, if you can detect which certificates are from let’s encrypt automatically :)?

Our SSL certificates extension sets service labels based on the issuer hash from the certificate. This way you can identify the Let’s Encrypt certs.


Thanks, that was what I searched for.