Managing certificate hell – the GLPI way

Published by on 2012-02-19 | Leave a response

I've been a irregular user and admin of a GLPI server at work - GLPI is an open source IT asset management software that enables you to automate lots of asset management work (also thanks to FusionInventory and its agents) while providing a UI that also non-Admins can work with - e.g. make your financial auditor.

While I really propone the use of HTTPS, managing the certificates is still a pain. I used to be guy deploying and managing the SSL certificates but I realized that things would go south if I was away or I had to give that to a collegue (which was the case...). It had also happened that I forgot to renew certificates early enough. - The solution I found won't fit a massive scale company but It does the job for our purpose:

I didn't want to continue the "yet another spreadsheet" idea without any usefuly warning before certificate expiration. There came the certificate inventory plugin into play. Once activated this will give you a "Certificates" tab under Plugins. This way you can enter your cert data, expiraton dates, issuing CA and - your can link a computer against the cert so you know where the certificate is deployed:

On the summary page you can sort them by expiration date and know when you have to care for one of them. - yay!

How to enable and configure notifications

Since I was going to pass the duty over to a collegue I created a GLPI group "Certificate Managers" where I put us both in (Administration -> Groups). Next I enabled the Notifications (Setup -> Notifications -> Notifications):

Select them both and for the bulk operations on the bottom you can both enable them.

Next you need to edit both notifications (expired and expiring certificates) to add your people you want to notify (the group is called in german since most of the time I use the interface in this language):

You need also to enable the checker for certificates on the automated actions - I use the CLI method (needs to run glpi/front/cron.php via a cron)

The next time once of your certificates expires, you will get notified enough in advance and you can always check when your certificates are going to expires.

P.S. The current 1.7.0 for GLPI 0.80 has some bugs in the english and german translation, this is fixed in trunk and is most likely to appear in the version for GLPI 0.83.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.