Measures reported by AWSSSLTLSCertTest
AWS Certificate Manager (ACM) handles the complexity of creating and managing SSL/TLS certificates for your AWS-based websites and applications. You can use certificates provided by ACM (ACM Certificates) or certificates that you import into ACM. ACM Certificates can secure multiple domain names and multiple names within a domain. You can also use ACM to create wildcard SSL certificates that can protect an unlimited number of subdomains.
If you are unable to access any web site/web application on the AWS cloud, you may want to check if the certificate attached to that web site/web application has expired, failed, or been revoked. This check is made possible by the AWSSSLTLSCertTest test!
This test automatically discovers the certificates managed by the AWS Certificate Manager and reports the current status of each certificate. This way, expired, revoked, failed, and inactive certificates can be identified. Besides expired certificates, the test also leads you to certificates nearing expiry by reporting the number of days each certificate will remain valid. You can also use the detailed diagnostics of this test to know who issued such a certificate, when it was issued, the resources used by that certificate, and the domains included in it.
Outputs of the test: One set of results for each certificate managed by the ACM.
First-level descriptor: AWS Region
Second-level descriptor: Certificate ID
The measures made by this test are as follows:
| Measurement | Description | Measurement Unit | Interpretation |
|---|---|---|---|
| Cert_stats | Indicates the current status of this certificate. | | The values that this measure can report and their corresponding numeric values are: Failed = 0; Expired = 1; Validation timed out = 2; Inactive = 3; Pending validation = 4; Revoked = 5; Issued = 6. If the status of a certificate is abnormal, then you can use the detailed diagnosis of this measure to know who issued such a certificate, when, which resources are managed by that certificate, and which domains are included in it. You can also use the detailed diagnosis to track the expiry of an issued certificate. Note: Typically, this measure will report the Measure Values listed above to indicate the status of a certificate. In the graph of this measure, however, the same will be indicated using the numeric equivalents only. |
| Cert_expired | Indicates the number of days remaining before this certificate expires. | Days | A very low value for this measure indicates that the certificate is set to expire shortly. If this measure reports the value 0, it implies that the certificate has already expired. You can then use the detailed diagnosis of the Cert_stats measure of this test to know who issued that certificate, when, and what the certificate type is (whether imported or not). If the certificate that is about to expire is an imported certificate, then ACM will not manage the renewal process of that certificate. In this case, you will have to import a new third-party certificate to replace the expiring one. On the other hand, if the certificate that is about to expire was provided by ACM, then ACM will try to automatically renew that certificate before expiry. |
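
As an added example (not part of the original page or of the monitoring product), the Python sketch below applies the triage described in the table to records shaped like the `Certificate` object returned by ACM's DescribeCertificate API. The `warn_days` threshold, the function names, and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Numeric values as listed for the Cert_stats measure on this page,
# keyed by the Status strings ACM returns from DescribeCertificate.
STATUS_VALUE = {
    "FAILED": 0, "EXPIRED": 1, "VALIDATION_TIMED_OUT": 2, "INACTIVE": 3,
    "PENDING_VALIDATION": 4, "REVOKED": 5, "ISSUED": 6,
}

def triage(cert, now, warn_days=30):
    """Return (status_value, days_left, action) for one certificate record.

    warn_days is a hypothetical alert threshold, not a setting of the test.
    """
    status = cert["Status"]
    not_after = cert.get("NotAfter")  # absent until a certificate is issued
    days_left = None
    if not_after is not None:
        days_left = max(0, (not_after - now).days)  # 0 means already expired
    if status != "ISSUED":
        action = "investigate: status is " + status
    elif days_left is not None and days_left <= warn_days:
        if cert["Type"] == "IMPORTED":
            action = "import a replacement: ACM does not renew imported certificates"
        else:
            action = "watch: ACM attempts automatic renewal before expiry"
    else:
        action = "ok"
    return STATUS_VALUE[status], days_left, action

def report(certs, now):
    """Map each certificate ID (last ARN segment) to its triage tuple."""
    return {c["CertificateArn"].rsplit("/", 1)[-1]: triage(c, now) for c in certs}

# Constructed sample records; the ARNs and domains are placeholders.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ARN = "arn:aws:acm:us-east-1:111122223333:certificate/"
SAMPLE = [
    {"CertificateArn": ARN + "example-1", "DomainName": "www.example.com",
     "Status": "ISSUED", "Type": "IMPORTED", "NotAfter": NOW + timedelta(days=12)},
    {"CertificateArn": ARN + "example-2", "DomainName": "api.example.com",
     "Status": "ISSUED", "Type": "AMAZON_ISSUED", "NotAfter": NOW + timedelta(days=20)},
    {"CertificateArn": ARN + "example-3", "DomainName": "old.example.com",
     "Status": "EXPIRED", "Type": "IMPORTED", "NotAfter": NOW - timedelta(days=3)},
    {"CertificateArn": ARN + "example-4", "DomainName": "new.example.com",
     "Status": "PENDING_VALIDATION", "Type": "AMAZON_ISSUED"},
]

if __name__ == "__main__":
    for cert_id, row in report(SAMPLE, NOW).items():
        print(cert_id, *row)
```

To run it against a live account, pass in the `Certificate` dictionaries obtained from boto3's `describe_certificate` call for each ARN returned by `list_certificates`, with `now` set to the current UTC time.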