At Woovi, we need to manage many X.509 certificates that are not only related to site domains. We have certificates that enable mTLS connections and let us sign ISO 20022 XML messages, as well as A1 and A3 certificates used to issue electronic invoices (notas fiscais) and to access certain Central Bank and government systems.
Current state of certificate expiration tools
Most certificate expiration tools focus on renewing site domain certificates. My problem is only to check the expiration of X.509 certificates, without auto-renewal, because the renewal process requires verification by a real person.
x509-certificate-exporter + Grafana Dashboard
x509-certificate-exporter is a Prometheus exporter that can read X.509 certificates from many sources, like files, Kubernetes configs, and secrets.
Here is a basic deployment to watch files:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: x509-certificate-exporter
  name: x509-certificate-exporter
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
  selector:
    matchLabels:
      app: x509-certificate-exporter
  template:
    metadata:
      labels:
        app: x509-certificate-exporter
    spec:
      containers:
        - name: x509-certificate-exporter
          image: enix/x509-certificate-exporter:latest
          ports:
            - containerPort: 9793
          volumeMounts:
            - name: certs
              mountPath: /etc/certs
              readOnly: true
          args:
            - --debug
            - --watch-dir=/etc/certs
      volumes:
        - name: certs
          configMap:
            name: x509-certificates
```
We are going to use a Kustomization to generate the ConfigMap from the X.509 files.
```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: x509-certificate-exporter
resources:
  - deployment.yaml
configMapGenerator:
  - name: x509-certificates
    files:
      - ./certs/cert-a.crt
      - ./certs/cert-b.crt
```
Apply this kustomization like this:

```
kubectl apply -k /deployments/x509-certificate-exporter
```
Add this Grafana dashboard Certificates Expiration (X509 Certificate Exporter) and you are all set.
In Conclusion
Kubernetes, Prometheus, and Grafana are versatile tools that enable you to build a custom dashboard to solve common problems in many companies.
Set this up in your company and put an end to certificate expiration issues.
The next step would be to set up alerts to renew certificates before the expiration date.
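One way to take that next step is a Prometheus rules file built on the metrics the exporter exposes (`x509_cert_not_after`, `x509_cert_expired`, `x509_read_errors`). This is an added example, not part of the original setup; it assumes Prometheus already scrapes the exporter on port 9793, and the group name, alert names and the 30-day and 7-day thresholds are illustrative choices.

```yaml
# Added example: alerting rules for the exporter's metrics.
# Thresholds and names are assumptions; tune them to how long a manual renewal takes.
groups:
  - name: x509-certificate-expiration
    rules:
      # Early warning: leaves time for the human verification step.
      - alert: X509CertificateExpiresSoon
        expr: (x509_cert_not_after - time()) < 30 * 86400
        for: 1h
        labels:
          severity: warning
        annotations:
          summary: "Certificate {{ $labels.subject_CN }} expires in {{ $value | humanizeDuration }}"
          description: "File {{ $labels.filepath }} needs a manual renewal."

      # Escalation: renewal has not happened and the deadline is close.
      - alert: X509CertificateExpiresVerySoon
        expr: (x509_cert_not_after - time()) < 7 * 86400
        for: 15m
        labels:
          severity: critical
        annotations:
          summary: "Certificate {{ $labels.subject_CN }} expires in {{ $value | humanizeDuration }}"

      # The certificate is already past its notAfter date.
      - alert: X509CertificateExpired
        expr: x509_cert_expired == 1
        labels:
          severity: critical
        annotations:
          summary: "Certificate {{ $labels.subject_CN }} ({{ $labels.filepath }}) has expired"

      # Failure modes that would otherwise hide an expiring certificate:
      # the exporter cannot parse a file, or reports no certificates at all.
      - alert: X509ExporterReadErrors
        expr: delta(x509_read_errors[15m]) > 0
        labels:
          severity: warning
        annotations:
          summary: "x509-certificate-exporter failed to read one or more certificate files"
      - alert: X509ExporterNoCertificates
        expr: absent(x509_cert_not_after)
        for: 10m
        labels:
          severity: warning
        annotations:
          summary: "No x509_cert_not_after series found; check the exporter and the mounted ConfigMap"
```

The last two rules matter as much as the expiration ones: a dashboard with no data looks the same as a dashboard with no problems.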
What monitoring solutions are you using in your company?