telegraf/plugins/inputs/x509_cert/README.md

# x509 Certificate Input Plugin

This plugin provides information about X509 certificate accessible via local
file, tcp, udp, https or smtp protocol.

When using a UDP address as a certificate source, the server must support
[DTLS](https://en.wikipedia.org/wiki/Datagram_Transport_Layer_Security).

## Global configuration options <!-- @/docs/includes/plugin_config.md -->

In addition to the plugin-specific configuration settings, plugins support
additional global and plugin configuration settings. These settings are used to
modify metrics, tags, and field or create aliases and configure ordering, etc.
See the [CONFIGURATION.md][CONFIGURATION.md] for more details.

[CONFIGURATION.md]: ../../../docs/CONFIGURATION.md#plugins

## Configuration

```toml @sample.conf
# Reads metrics from a SSL certificate
[[inputs.x509_cert]]
  ## List certificate sources, support wildcard expands for files
  ## Prefix your entry with 'file://' if you intend to use relative paths
  sources = ["tcp://example.org:443", "https://influxdata.com:443",
            "smtp://mail.localhost:25", "udp://127.0.0.1:4433",
            "/etc/ssl/certs/ssl-cert-snakeoil.pem",
            "/etc/mycerts/*.mydomain.org.pem", "file:///path/to/*.pem",
            "jks:///etc/mycerts/keystore.jks",
            "pkcs12:///etc/mycerts/keystore.p12"]

  ## Timeout for SSL connection
  # timeout = "5s"

  ## Pass a different name into the TLS request (Server Name Indication).
  ## This is synonymous with tls_server_name, and only one of the two
  ## options may be specified at one time.
  ##   example: server_name = "myhost.example.org"
  # server_name = "myhost.example.org"

  ## Only output the leaf certificates and omit the root ones.
  # exclude_root_certs = false

  ## Pad certificate serial number with zeroes to 128-bits.
  # pad_serial_with_zeroes = false

  ## Password to be used with PKCS#12 or JKS files
  # password = ""

  ## Optional TLS Config
  # tls_ca = "/etc/telegraf/ca.pem"
  # tls_cert = "/etc/telegraf/cert.pem"
  # tls_key = "/etc/telegraf/key.pem"
  # tls_server_name = "myhost.example.org"

  ## Set the proxy URL
  # use_proxy = true
  # proxy_url = "http://localhost:8888"
```

## Metrics

- x509_cert
  - tags:
    - type   - "leaf", "intermediate" or "root" classification of certificate
    - source - source of the certificate
    - organization
    - organizational_unit
    - country
    - province
    - locality
    - verification
    - serial_number
    - signature_algorithm
    - public_key_algorithm
    - issuer_common_name
    - issuer_serial_number
    - san
    - ocsp_stapled
    - ocsp_status (when ocsp_stapled=yes)
    - ocsp_verified (when ocsp_stapled=yes)
  - fields:
    - verification_code (int)
    - verification_error (string)
    - expiry (int, seconds) - Time when the certificate will expire, in seconds
      since the Unix epoch. `SELECT (expiry / 60 / 60 / 24) as "expiry_in_days"`
    - age (int, seconds)
    - startdate (int, seconds)
    - enddate (int, seconds)
    - ocsp_status_code (int)
    - ocsp_next_update (int, seconds)
    - ocsp_produced_at (int, seconds)
    - ocsp_this_update (int, seconds)

## Example Output

```text
x509_cert,common_name=ubuntu,ocsp_stapled=no,source=/etc/ssl/certs/ssl-cert-snakeoil.pem,verification=valid age=7693222i,enddate=1871249033i,expiry=307666777i,startdate=1555889033i,verification_code=0i 1563582256000000000
x509_cert,common_name=www.example.org,country=US,locality=Los\ Angeles,organization=Internet\ Corporation\ for\ Assigned\ Names\ and\ Numbers,organizational_unit=Technology,province=California,ocsp_stapled=no,source=https://example.org:443,verification=invalid age=20219055i,enddate=1606910400i,expiry=43328144i,startdate=1543363200i,verification_code=1i,verification_error="x509: certificate signed by unknown authority" 1563582256000000000
x509_cert,common_name=DigiCert\ SHA2\ Secure\ Server\ CA,country=US,organization=DigiCert\ Inc,ocsp_stapled=no,source=https://example.org:443,verification=valid age=200838255i,enddate=1678276800i,expiry=114694544i,startdate=1362744000i,verification_code=0i 1563582256000000000
x509_cert,common_name=DigiCert\ Global\ Root\ CA,country=US,organization=DigiCert\ Inc,organizational_unit=www.digicert.com,ocsp_stapled=yes,ocsp_status=good,ocsp_verified=yes,source=https://example.org:443,verification=valid age=400465455i,enddate=1952035200i,expiry=388452944i,ocsp_next_update=1676714398i,ocsp_produced_at=1676112480i,ocsp_status_code=0i,ocsp_this_update=1676109600i,startdate=1163116800i,verification_code=0i 1563582256000000000
```
fix(readmes): standarize first line of readmes (#7973) 2020-08-12 04:10:41 +08:00			`# x509 Certificate Input Plugin`
Adding x509_cert input plugin (#3768) 2018-07-31 03:12:45 +08:00
			`This plugin provides information about X509 certificate accessible via local`
feat(inputs.x509_cert): add smtp protocol (#11271) Co-authored-by: dreiekk <dreiekk@users.noreply.github.com> 2022-06-16 00:46:26 +08:00			`file, tcp, udp, https or smtp protocol.`
Adding x509_cert input plugin (#3768) 2018-07-31 03:12:45 +08:00
chore: Fix readme linter errors for input plugins M-Z (#11274) 2022-06-09 05:22:56 +08:00			`When using a UDP address as a certificate source, the server must support`
			`[DTLS](https://en.wikipedia.org/wiki/Datagram_Transport_Layer_Security).`
Prevent x509_cert from hanging on UDP connection (#9323) 2021-07-23 08:44:36 +08:00
docs: add global configuration header (#12107) 2022-10-27 03:58:36 +08:00			`## Global configuration options <!-- @/docs/includes/plugin_config.md -->`

			`In addition to the plugin-specific configuration settings, plugins support`
			`additional global and plugin configuration settings. These settings are used to`
			`modify metrics, tags, and field or create aliases and configure ordering, etc.`
			`See the [CONFIGURATION.md][CONFIGURATION.md] for more details.`

feat(tools/readme_linter): Check for global configuration section (#12426) 2023-01-12 23:55:21 +08:00			`[CONFIGURATION.md]: ../../../docs/CONFIGURATION.md#plugins`
docs: add global configuration header (#12107) 2022-10-27 03:58:36 +08:00
chore: clean up markdown lint errors input plugins w to z (#10166) 2021-11-25 02:50:22 +08:00			`## Configuration`
Adding x509_cert input plugin (#3768) 2018-07-31 03:12:45 +08:00
chore: Embed sample configurations into README for inputs (#11136) 2022-05-24 21:49:47 +08:00			```toml @sample.conf
Adding x509_cert input plugin (#3768) 2018-07-31 03:12:45 +08:00			`# Reads metrics from a SSL certificate`
			`[[inputs.x509_cert]]`
Wildcard support for x509_cert files (#6952) * Accept standard unix glob matching rules * comply with indentation * update readme * move globing expand and url parsing into Init() * chore: rebase branch on upstream master * rename refreshFilePaths to expandFilePaths * expandFilePaths handles '/path/to/.pem' and 'files:///path/to/.pem' * update sample config * fix: recompile files globing pattern at every gather tic * add var globFilePathsToUrls to stack files path * add var globpaths to stack compiled globpath * rework sourcesToURLs to compile files path and stack them * rename expandFilePaths to expandFilePathsToUrls * rework expandFilePathsToUrls to only match compiled globpath * rework the `Gather` ticker to match globpath at each call * fix: comply with requested changes * add specifics regarding relative paths in sample config * add logger and use it in expandFilePathsToUrls() * precompile glob for `files://`, `/` and `://` * fix: update README to match last changes * fix: comply with last requested changes * rename expandFilePathsToUrls() to collectCertURLs() * collectCertURLs() now returns []url.URL to avoid extra field globFilePathsToUrls in structure update the Gather() ticker accordingly * fix(windows): do not try to compile glopath for windows path as it's not supposed to be supported by the OS * fix(ci): apply go fmt * fix(ci): empty-lines/import-shadowing Co-authored-by: Anthony LE BERRE <aleberre@vente-privee.com> 2021-03-24 05:31:15 +08:00			`## List certificate sources, support wildcard expands for files`
			`## Prefix your entry with 'file://' if you intend to use relative paths`
Prevent x509_cert from hanging on UDP connection (#9323) 2021-07-23 08:44:36 +08:00			`sources = ["tcp://example.org:443", "https://influxdata.com:443",`
feat(inputs.x509_cert): add smtp protocol (#11271) Co-authored-by: dreiekk <dreiekk@users.noreply.github.com> 2022-06-16 00:46:26 +08:00			`"smtp://mail.localhost:25", "udp://127.0.0.1:4433",`
			`"/etc/ssl/certs/ssl-cert-snakeoil.pem",`
feat(inputs.x509_cert): Add support for JKS and PKCS#12 keystores (#16508) Signed-off-by: Paulo Dias <paulodias.gm@gmail.com> 2025-03-10 15:11:57 +08:00			`"/etc/mycerts/.mydomain.org.pem", "file:///path/to/.pem",`
			`"jks:///etc/mycerts/keystore.jks",`
			`"pkcs12:///etc/mycerts/keystore.p12"]`
Adding x509_cert input plugin (#3768) 2018-07-31 03:12:45 +08:00
			`## Timeout for SSL connection`
Update changelog 2018-07-31 03:14:55 +08:00			`# timeout = "5s"`
Adding x509_cert input plugin (#3768) 2018-07-31 03:12:45 +08:00
common/tls: Allow specifying SNI hostnames (#7897) * tls_config: Allow specifying SNI hostnames Add a new configration field `tls_server_name` that allows specifying the server name that'll be sent in the ClientHello when telegraf makes a request to TLS servers. This allows checking against load balancers responding to specific hostnames that otherwise wouldn't resolve to their addresses. Add the setting to the documentation of common TLS options, as well as to the http_response plugin. Fixes #7598. * Adjust the x509_cert to allow usage of tls_server_name This plugin has been using ServerName previously, and will have to deal with the new setting, too: Extract the server-name choosing into a method & add a test to ensure we choose the right value (and error under the right circumstances). Also document that the two settings are mutually exclusive. * Improve documentation on what we try to accomplish in the nil return Also get rid of the TODO, as I am fairly certain this behavior is the correct one. * Remove unused struct field in tests 2020-12-24 03:39:43 +08:00			`## Pass a different name into the TLS request (Server Name Indication).`
			`## This is synonymous with tls_server_name, and only one of the two`
			`## options may be specified at one time.`
Update changelog 2020-01-22 09:11:50 +08:00			`## example: server_name = "myhost.example.org"`
			`# server_name = "myhost.example.org"`

docs(inputs.x509_cert): Add documentation for 'exclude_root_certs' option. (#12249) 2022-11-16 21:37:13 +08:00			`## Only output the leaf certificates and omit the root ones.`
			`# exclude_root_certs = false`

fix(inputs.x509_cert): Add config to left-pad serial number to 128-bits (#16447) 2025-02-04 23:57:13 +08:00			`## Pad certificate serial number with zeroes to 128-bits.`
			`# pad_serial_with_zeroes = false`

feat(inputs.x509_cert): Add support for JKS and PKCS#12 keystores (#16508) Signed-off-by: Paulo Dias <paulodias.gm@gmail.com> 2025-03-10 15:11:57 +08:00			`## Password to be used with PKCS#12 or JKS files`
			`# password = ""`

Adding x509_cert input plugin (#3768) 2018-07-31 03:12:45 +08:00			`## Optional TLS Config`
			`# tls_ca = "/etc/telegraf/ca.pem"`
			`# tls_cert = "/etc/telegraf/cert.pem"`
			`# tls_key = "/etc/telegraf/key.pem"`
common/tls: Allow specifying SNI hostnames (#7897) * tls_config: Allow specifying SNI hostnames Add a new configration field `tls_server_name` that allows specifying the server name that'll be sent in the ClientHello when telegraf makes a request to TLS servers. This allows checking against load balancers responding to specific hostnames that otherwise wouldn't resolve to their addresses. Add the setting to the documentation of common TLS options, as well as to the http_response plugin. Fixes #7598. * Adjust the x509_cert to allow usage of tls_server_name This plugin has been using ServerName previously, and will have to deal with the new setting, too: Extract the server-name choosing into a method & add a test to ensure we choose the right value (and error under the right circumstances). Also document that the two settings are mutually exclusive. * Improve documentation on what we try to accomplish in the nil return Also get rid of the TODO, as I am fairly certain this behavior is the correct one. * Remove unused struct field in tests 2020-12-24 03:39:43 +08:00			`# tls_server_name = "myhost.example.org"`
feat(x509_cert): add proxy support (#9319) 2022-06-22 04:50:06 +08:00
			`## Set the proxy URL`
			`# use_proxy = true`
			`# proxy_url = "http://localhost:8888"`
Adding x509_cert input plugin (#3768) 2018-07-31 03:12:45 +08:00			```

chore: clean up markdown lint errors input plugins w to z (#10166) 2021-11-25 02:50:22 +08:00			`## Metrics`
Adding x509_cert input plugin (#3768) 2018-07-31 03:12:45 +08:00
Add new DN tags to x509_cert readme 2018-10-19 14:34:59 +08:00			`- x509_cert`
Adding x509_cert input plugin (#3768) 2018-07-31 03:12:45 +08:00			`- tags:`
feat(inputs.x509_cert): Add tag for certificate type-classification (#12656) 2023-02-22 20:39:15 +08:00			`- type - "leaf", "intermediate" or "root" classification of certificate`
Add new DN tags to x509_cert readme 2018-10-19 14:34:59 +08:00			`- source - source of the certificate`
			`- organization`
			`- organizational_unit`
			`- country`
			`- province`
			`- locality`
Add certificate verification status to x509_cert input (#6143) 2019-07-23 07:10:40 +08:00			`- verification`
Add additional tags for x509 Input Plugin (#6686) 2019-11-27 02:04:55 +08:00			`- serial_number`
			`- signature_algorithm`
			`- public_key_algorithm`
			`- issuer_common_name`
			`- issuer_serial_number`
			`- san`
feat(inputs.x509_cert): Add OCSP stapling information for leaf certificates (#10550) (#12444) Co-authored-by: Josh Powers <powersj@fastmail.com> 2023-02-17 16:47:54 +08:00			`- ocsp_stapled`
			`- ocsp_status (when ocsp_stapled=yes)`
			`- ocsp_verified (when ocsp_stapled=yes)`
Adding x509_cert input plugin (#3768) 2018-07-31 03:12:45 +08:00			`- fields:`
Add certificate verification status to x509_cert input (#6143) 2019-07-23 07:10:40 +08:00			`- verification_code (int)`
			`- verification_error (string)`
chore(inputs): Fix line-length in READMEs for `t` to `z` (#16485) 2025-02-07 04:11:18 +08:00			`- expiry (int, seconds) - Time when the certificate will expire, in seconds`
			since the Unix epoch. `SELECT (expiry / 60 / 60 / 24) as "expiry_in_days"`
Add new DN tags to x509_cert readme 2018-10-19 14:34:59 +08:00			`- age (int, seconds)`
			`- startdate (int, seconds)`
			`- enddate (int, seconds)`
feat(inputs.x509_cert): Add OCSP stapling information for leaf certificates (#10550) (#12444) Co-authored-by: Josh Powers <powersj@fastmail.com> 2023-02-17 16:47:54 +08:00			`- ocsp_status_code (int)`
			`- ocsp_next_update (int, seconds)`
			`- ocsp_produced_at (int, seconds)`
			`- ocsp_this_update (int, seconds)`
Adding x509_cert input plugin (#3768) 2018-07-31 03:12:45 +08:00
chore: Fix readme linter errors for input plugins M-Z (#11274) 2022-06-09 05:22:56 +08:00			`## Example Output`
Adding x509_cert input plugin (#3768) 2018-07-31 03:12:45 +08:00
chore: Update README.md (#12989) 2023-04-04 19:43:49 +08:00			```text
feat(inputs.x509_cert): Add OCSP stapling information for leaf certificates (#10550) (#12444) Co-authored-by: Josh Powers <powersj@fastmail.com> 2023-02-17 16:47:54 +08:00			`x509_cert,common_name=ubuntu,ocsp_stapled=no,source=/etc/ssl/certs/ssl-cert-snakeoil.pem,verification=valid age=7693222i,enddate=1871249033i,expiry=307666777i,startdate=1555889033i,verification_code=0i 1563582256000000000`
			`x509_cert,common_name=www.example.org,country=US,locality=Los\ Angeles,organization=Internet\ Corporation\ for\ Assigned\ Names\ and\ Numbers,organizational_unit=Technology,province=California,ocsp_stapled=no,source=https://example.org:443,verification=invalid age=20219055i,enddate=1606910400i,expiry=43328144i,startdate=1543363200i,verification_code=1i,verification_error="x509: certificate signed by unknown authority" 1563582256000000000`
			`x509_cert,common_name=DigiCert\ SHA2\ Secure\ Server\ CA,country=US,organization=DigiCert\ Inc,ocsp_stapled=no,source=https://example.org:443,verification=valid age=200838255i,enddate=1678276800i,expiry=114694544i,startdate=1362744000i,verification_code=0i 1563582256000000000`
			`x509_cert,common_name=DigiCert\ Global\ Root\ CA,country=US,organization=DigiCert\ Inc,organizational_unit=www.digicert.com,ocsp_stapled=yes,ocsp_status=good,ocsp_verified=yes,source=https://example.org:443,verification=valid age=400465455i,enddate=1952035200i,expiry=388452944i,ocsp_next_update=1676714398i,ocsp_produced_at=1676112480i,ocsp_status_code=0i,ocsp_this_update=1676109600i,startdate=1163116800i,verification_code=0i 1563582256000000000`
Adding x509_cert input plugin (#3768) 2018-07-31 03:12:45 +08:00			```