check_cert_signing_algorithm_secure

Project Notes

This check connects to a specified host:port with OpenSSL to determine the signing algorithm used on the server certificate. If the signing algorithm is on your specified list of "untrusted" algorithms the check will return WARNING/CRITICAL, otherwise it will return OK.

Requires OpenSSL on the system.

Tested on NagiosXI but cannot see why it would not support any other versions.

Commands/Services you might use:
define command {
command_name CWSI_check_cert_signing_algorithm_secure
command_line /usr/local/uptime/nagios/resources/scripts/CWSI_check_cert_signing_algorithm_secure.php -H $HOSTADDRESS$ -p $ARG1$ -u $ARG2$ -f $ARG3$
}

define service {
name CWSI_check_cert_signing_algorithm_secure_service
service_description CWSI_check_cert_signing_algorithm_secure_service
check_command CWSI_check_cert_signing_algorithm_secure!443!md5WithRSAEncryption,sha1WithRSAEncryption!WARNING!!!!!
}

Full help output from the check -
CWSI_check_cert_signing_algorithm_secure.php - v1.0.0

This plugin checks that the SSL certificate presented by a host is signed with a secure algorithm

Usage: CWSI_check_cert_signing_algorithm_secure.php -h | -H <host_address> -p <port> -u <algorithm_list> -f <failure_code>
NOTE: -H, -p, -u, -f are all required

Options:
-h
Print this help and usage message
-H
Host to query for certificate
-p
Port on the host to query
-u
Comma separated list of untrusted signature algorithms that should cause a failure of this check, eg. md5WithRSAEncryption,sha1WithRSAEncryption
-f
The code to be returned if an untrusted algorithm is detected, must be WARNING or CRITICAL

This plugin will use the openssl service to get the expiration date for the domain name.
Example:
$./CWSI_check_cert_signing_algorithm_secure.php -H www.google.com -p 443 -u md5WithRSAEncryption,sha1WithRSAEncryption -f CRITICAL