Monitor TLS With Datadog | Datadog

Monitor TLS with Datadog

Author Jordan Obey

Published: August 7, 2019

Transport Layer Security (TLS) is a cryptographic protocol commonly used to provide secure network communication between web servers and browsers. TLS has been the main communication security strategy since 2015, when its predecessor, Secure Sockets Layer (SSL), was declared insufficiently secure by RFC 7568. With Datadog’s new integration you can monitor the status of TLS certificates along with the rest of your web stack to ensure that your network communication remains private, reliable, and secure.

Alert on expiring TLS certificates

To establish a secure connection with a client (e.g., a web browser), the client and server must complete a series of steps (known as a “handshake”) to authenticate their identities and agree on a data encryption method. To facilitate these “handshakes”, applications refer to data stored in TLS certificates. If a certificate is expired or isn’t formatted properly, handshakes will fail and web servers and browsers won’t be able to communicate securely. This can lead to downtime, which hurts traffic and damages user trust.

With Datadog’s TLS integration, you can automatically get alerted whenever any TLS certificate is close to its expiration date, giving you enough time to renew the certificate(s) without any gaps in coverage.

Alerts notify you when your TLS certificates are about to expire

Keep tabs on all your TLS certificates

The Datadog Agent automatically runs checks on your TLS certificates, and displays their real-time status in an out-of-the-box dashboard. One type of status check helps ensure that TLS certificates are valid. If the Agent detects a validation error (e.g., an improperly formatted certificate or if the hostname listed on the certificate doesn’t match the hostname of the server it belongs to), the validation check will fail, prompting you to troubleshoot and review your TLS configuration.

You can also configure the Agent to track the expiration status of your TLS certificates. By default, the Agent will return a CRITICAL status if a certificate is within seven days of its expiration date, giving you enough time to renew it before your service experiences any downtime.

For further visibility, you can clone the TLS dashboard and add custom metrics from other parts of your environment, as shown below.

Get more out of your dashboard with customization

If your organization manages large numbers of TLS certificates—which may all run on different expiration schedules—you can create a top list to see which certificates are closest to expiration, so you don’t forget to renew any of them.

Top list that tells you which TLS certificates are near their expiration date

Include TLS in your web stack monitoring

With Datadog’s TLS integration, you can customize dashboards to include TLS status widgets alongside health and performance data from the various components of your web stack. If you are monitoring a MEAN stack, for instance, you can display the status of your TLS certificates alongside key MongoDB and ExpressJS metrics for a comprehensive overview of your web application infrastructure. This makes it easy to see if TLS certificates associated with your web application are invalid or about to expire.

Include TLS status checks to expand your view of your web stack

Monitor TLS and other web services with Datadog

Datadog is pleased to provide visibility into TLS along with more than 400 other technologies, including MongoDB, NGINX, and Apache. With our new integration, you’ll be able to monitor the status of your TLS certificates alongside all the other services in your web stack.

If you aren’t already using Datadog to monitor the health of your web stack, get started with a 14-day .