Is there a way to monitor expired certificates from a keystore

Hello community

I would like to monitor keystores as example cacert or osp.jks
With keytool i could export and write the certificate informations from an expiring certificate into a file.
Now I would like to pass these information to prometheus.

Does exist a keystore exporter or has someone an idea how I could solve it?

Thanks in advance for your help.

Typially you would export certificate expiry as the unix timestamp gauge. This is similar to metrics like process_start_time_seconds

process_start_time_seconds{instance="foo:9090",job="prometheus"} 1649251947.81

This is also how the blackbox_exporter exposes certificate expiry for https sites.

Hi SuperQ

How can I export from a keystore a specific certificate in unix timestamp?

I tried it with a script such this…


keystore=/opt/common/jre/bin/keytool -list -v -keystore /opt/osp/osp.jks -storepass changeit > /import/swdepot/tmp/tmp_$(hostname).txt
echo -n "probe_ssl_earliest_cert_expiry ">/import/tmp/cert_expiration_$(hostname).prom;cat tmp_$(hostname).txt | grep “Alias name: osp” --after=8 | grep -e “Alias name: osp” -e until | sed “s/until:\ /\n/g” | tail -n 1 >>/import/swdepot/tmp/cert_expiration_$(hostname).prom

The content of the osp.jks file looks like this:

Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: osp
Creation date: Apr 14, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: CN=
Issuer: CN=
Serial number: 2ff28f2b
Valid from: Tue Apr 14 14:16:43 CEST 2020 until: Thu Apr 14 14:16:43 CEST 2022

My Idea was to grabb this information, but prometheus shoud be able to handle it.
Apr 14 14:16:43 CEST 2022

Another question is, how to convert this infors into an unix timestamp?