Open volhonsky opened 5 years ago
This would be a nice feature but I think it would be best to add after this issue is completed: https://github.com/golang/go/issues/16736
I don't use SystemCertPool in my realization because this method has error. You can use directly invoke syscall.CertOpenStore for opening system certificate storage in readonly mode. And i think i can fix golang/go#16736. Create new input plugin or extend existing - that is the question. How will be better? Can you give me advise and i will perform pull request?
Waiting on https://github.com/golang/go/issues/16736
Closing as there hasn't been any activity on https://github.com/influxdata/telegraf/pull/5374, if this is still a requested feature please comment or re-open thank you!
Extending x509_cert plugin would still be very usefull. Currently we use this PowerShell Script for monitoring local windows certificate store. It prints out necessary information in Prometheus format. Currently we use this script with one parameter for filtering output with a certain pattern inside Subject Name (Common Name), because often we only want to monitor the machine certifcate.
<#
.SYNOPSIS
Prints information about certificates from Windows certificate store.
.PARAMETER subjectCommonNameFilter
Common Name of Subject (Wildcards allowed)
.EXAMPLE
PS> .\windows_certificate_store.ps1 HOSTNAME_filter.domain
.EXAMPLE
PS> .\windows_certificate_store.ps1 HOSTNA*
#>
param ([string]$subjectCommonNameFilter)
<#
.SYNOPSIS
Extracts the common name (CN) from a certificate.
.PARAMETER entity
A string that looks like this: CN=XXX-2023, O=YY, C=AT
#>
function ExtractCommonName {
param ([string]$entity)
$entityParts = $entity -split ', '
foreach ($entityPart in $entityParts) {
if ($entityPart.StartsWith("CN=")) {
return $commonName=$entityPart.SubString(3)
}
}
return $null
}
<#
.SYNOPSIS
This commandlet breaks down the certificate's subject into the Common Name, Organizational Unit, Organization, Locality, State and Country
.DESCRIPTION
This commandlet breaks down the certificate's subject into the Common Name, Organizational Unit, Organization, Locality, State and Country
.PARAMETER Certificate
A X509Certificate2 instance
.EXAMPLE
Get-ChildItem "Cert:\LocalMachine\My" | Get-CertificateSubjectInfo
.INPUTS
Any X509Certificate2 certificate
.LINK
https://www.powershellgallery.com/packages/CertificatePS/1.5/Content/Get-CertificateSubjectInfo.ps1
#>
function Get-CertificateSubjectInfo {
[OutputType([string])]
[CmdletBinding()]
param(
[Parameter(Mandatory = $true, ValueFromPipeline = $true)]
[Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
)
Process {
$hash=[ordered]@{
Subject=$Certificate.Subject
FriendlyName=$Certificate.FriendlyName
CommonName=$null
OrganizationalUnit=$null
Organization=$null
Locality=$null
State=$null
Country=$null
}
$Certificate.Subject -split ', ' |ForEach-Object {
switch ($_)
{
{$_ -like "CN=*"} {
$hash.CommonName=$_.SubString(3)
break
}
{$_ -like "OU=*"} {
$hash.OrganizationalUnit=$_.SubString(3)
break
}
{$_ -like "O=*"} {
$hash.Organization=$_.SubString(2)
break
}
{$_ -like "L=*"} {
$hash.Locality=$_.SubString(2)
break
}
{$_ -like "S=*"} {
$hash.State=$_.SubString(2)
break
}
{$_ -like "C=*"} {
$hash.Country=$_.SubString(2)
break
}
}
}
New-Object -TypeName psobject -Property $hash
}
}
# get certificates from Windows certificate store
$certs = Get-ChildItem -Path Cert:\LocalMachine\My
foreach ($cert in $certs) {
$certificateSubjectInfo = $cert | Get-CertificateSubjectInfo
if ($certificateSubjectInfo.CommonName -notlike $subjectCommonNameFilter) {
continue
}
$expiryDate = $cert.NotAfter
$secondsUntilExpiry = [Math]::Round(($expiryDate - (Get-Date)).TotalSeconds)
$issuerCommonName = ExtractCommonName($cert.Issuer)
$unixEpoch = Get-Date '1970-01-01'
$startdate = [Math]::Round(($cert.NotBefore - $unixEpoch).TotalSeconds)
$enddate = [Math]::Round(($cert.NotAfter - $unixEpoch).TotalSeconds)
$san = $cert.Extensions | Where-Object {$_.Oid.FriendlyName -eq "Subject Alternative Name"} | ForEach-Object {$_.Format(0)}
Write-Output "expiry{issuer_common_name=""$issuerCommonName"", common_name=""$($certificateSubjectInfo.CommonName)"", organization=""$($certificateSubjectInfo.Organization)"", organizational_unit=""$($certificateSubjectInfo.OrganizationalUnit)"", country=""$($certificateSubjectInfo.Country)"", province=""$($certificateSubjectInfo.State)"", locality=""$($certificateSubjectInfo.Locality)"", serial_number=""$($cert.SerialNumber)"", signature_algorithm=""$($cert.SignatureAlgorithm.FriendlyName)"", san=""$san""} $secondsUntilExpiry"
Write-Output "startdate{issuer_common_name=""$issuerCommonName"", common_name=""$($certificateSubjectInfo.CommonName)"", organization=""$($certificateSubjectInfo.Organization)"", organizational_unit=""$($certificateSubjectInfo.OrganizationalUnit)"", country=""$($certificateSubjectInfo.Country)"", province=""$($certificateSubjectInfo.State)"", locality=""$($certificateSubjectInfo.Locality)"", serial_number=""$($cert.SerialNumber)"", signature_algorithm=""$($cert.SignatureAlgorithm.FriendlyName)"", san=""$san""} $startdate"
Write-Output "enddate{issuer_common_name=""$issuerCommonName"", common_name=""$($certificateSubjectInfo.CommonName)"", organization=""$($certificateSubjectInfo.Organization)"", organizational_unit=""$($certificateSubjectInfo.OrganizationalUnit)"", country=""$($certificateSubjectInfo.Country)"", province=""$($certificateSubjectInfo.State)"", locality=""$($certificateSubjectInfo.Locality)"", serial_number=""$($cert.SerialNumber)"", signature_algorithm=""$($cert.SignatureAlgorithm.FriendlyName)"", san=""$san""} $enddate"
}
Feature Request
I think it is a good idea to fetch certificates data for monitoring from Windows Certificate store with telegraf.
Proposal:
Extends x509_cert plugin realization with something like what
sources = [ "LocalMachine/My","LocalMachine/Root",/etc/ssl/certs/ssl-cert-snakeoil.pem", "https://example.org:443"]
Or create new one (for example x509_win_store)
Current behavior:
Where is no plugins to monitor Windows Certificates store
Desired behavior:
Windows certificates store became monitored.
Use case: [Why is this important (helps with prioritizing requests)]
I think it will be very helpful for monitoring windows certificates expiration.
I have realization of with functionality. But i don't know how will be better: Insert this feature to existing x509_cert input plugin or create new one (for example x509_win_store).