From 19cfe5fd81a98b9305cb74f7110d57b1bc56e957 Mon Sep 17 00:00:00 2001 From: Konrad Bucheli Date: Tue, 12 Nov 2024 13:25:19 +0100 Subject: [PATCH] document SSL certificate expiration check --- .../configuration/monitoring/icinga2.md | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/admin-guide/configuration/monitoring/icinga2.md b/admin-guide/configuration/monitoring/icinga2.md index 851f5994..a668ad5d 100644 --- a/admin-guide/configuration/monitoring/icinga2.md +++ b/admin-guide/configuration/monitoring/icinga2.md @@ -166,3 +166,39 @@ Note that you can reset this check after dealing with it by executing on the nod ``` dmesg --clear ``` + +## Extra Checks + +### TLS/SSL Certificate Expiration + +To monitor the expiration of one or more certificates you need to give the node in Hiera the additional server role `ssl-cert` (except for `role::jupyterserver`): + +``` +icinga2::additional_server_role: + - 'ssl-cert' +``` + +Then list what certificate files you want to have checked: + +``` +icinga2::service_check::customize: + 'TLS/SSL Certificate Expiration': + ssl_cert_files: + - '/etc/xrdp/cert.pem' + - '/etc/httpd/ssl/node.crt' +``` + +Beside the file list you may set the warning time in days with the attribute `ssl_cert_warning` (`7` by default) and the critical time with the attribute `ssl_cert_critical` (3 by default). + +If you run your own PKI, you might also check a CA certificate for expiration with + +``` +icinga2::additional_server_role: + - 'ca-cert' + +icinga2::service_check::customize: + 'CA Certificate Expiration': + ssl_cert_files: + - '/etc/my_pki/ca.pem' +``` +Here the warning is below 180 days and below 30 days is critical by default.
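Review bot: The parenthetical "(except for `role::jupyterserver`)" in the TLS/SSL Certificate Expiration paragraph does not say what the exception means: a reader cannot tell whether that role already carries the `ssl-cert` server role or whether the check is unavailable there. Suggest stating it in a sentence of its own. In the CA section, the closing sentence gives the 180 and 30 day defaults but does not name the attributes that change them; if `ssl_cert_warning` and `ssl_cert_critical` also apply to 'CA Certificate Expiration', say so there. Two style points: the default `7` is in backticks while 3 is not, and the last added sentence follows the closing fence without a blank line, unlike the other paragraphs in this hunk.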