Monitoring if the CA Cert Chain becomes invalid


I am wondering if any of you could help me with a monitoring issue that I am having.
We are using the x509 module and it’s nice for a visual overview and I also created the service check to alert if a SSL Certificate is nearing is end date.

But this only checks the SSL Certificate and not the whole chain. We had en issue where a part of the chain became invalid but couldn’t see any alerts from it. If I logged into the Web Gui and Checked the x509 module I could see it but to manually check this isn’t a viable option.

Do any of you know any way that I could get an alert if any part of the chain becomes invalid.

Any help would be appreciated.

Best regards / Jens

Have a look at - in it’s newest release that’s just a few days “old”, it’s now possible to not only check the certificate itself, but also all certificates within the chain.


Thank you Mario. Will look into that check.

Much appreciated.

Hello there!
Did the check do what you wanted it to?
If it did I would like to ask you to mark the answer as the “solution”.
That makes it easier for others to a) figure out the solution for their own problems and b) know which topics still need answering.
Thank you very much!


Sry, other work came between. Will test this new check and reply if if works for me.

Best regards / Jens

1 Like

Hi Mario, I am new to icinga2 and need to monitor few URLs for ssl cert expiry. If you could guide me how to use check-ssl_cert plugin, which file to add this in and with what parameters?