TLS/Cert validity reporting

[andrewvc]

Design Issue: #159

Personas / User Stories
As someone responsible for managing TLS/SSL Certificates
I want be able to view a table of all current TLS certificates where I can determine which are in danger of becoming invalid due to either expiration or advanced age (e.g. Safari)
So that my services that rely on these certificates remain available

ACs:

• Unique page in Uptime that shows a table
• Regular EUI Table that contains following columns:
  • status + reason (reason being the error state that is most urgent, either "expires soon" or "approaching age limit".
  • Common Name (plus x more indicator),
  • the monitor names that contain endpoints/domains with that certificate
  • expiration date/time (col name "Valid until")
  • age of the certificate in days
  • Issuer Name,
  • current status (ie OK, warning, alert).
  • Fingerprints Column (Showing empty buttons for SHA-1 and SHA-256 and a copy icon, shows a tooltip with the full SHA on hover. Screenshot further down in the comments.)
• Alert state column rules match triggers for sending an actual alert
• Additional data for heartbeat to capture: SHA fingerprint, all domains covered by the certificate, valid from, valid to, issuing authority
• Search: Wildcards on monitor name, monitor ID, issuer.distinguished_name, subject.distinguished_name, common name case insensitively
• Settings page adds:
  • "Certificate expiration warning threshold": default: 30 days
  • "Certificate age warning threshold" : default: 365 days
  • Descriptions for both fields say: "Change the threshold for displaying and alerting on certificate errors. Note, this will affect any configured alerts"
• Pagination size should be remembered in local storage as-in overview page and ping history
• All columns are sortable

[katrin-freihofner]

Design issue

[katrin-freihofner]

Figma link
Prototype link

[mdelapenya]

I've some questions about the ACs:

Unique page in Uptime that shows a table

I'd like to know if there is a strong business requirement to limit the number of tables in Uptime. If not, I would not add this criteria to the list, or at least to the spec. If it's a business requirement, I'd like to understand the importance of tables here. Could you please help me here? 🙏

Regular EUI Table that contains following columns:

I see this as an implementation detail, because the table could be also rendered as a JSON object in an API request. Please correct me if I'm wrong.

Alert state column rules match triggers for sending an actual alert

Is there a place to look up the rules defining the matches between certificate states and alert states? I'd like to create examples for this use case.

Search: Wildcards on monitor name, monitor ID, issuer.distinguished_name, subject.distinguished_name, common name

As a minor change, I'd use real field names (as they are named in the index) instead of English names, to avoid typos.

Settings "Certificate expiration warning threshold": default: 30 days

How are the setting initialised? Does it happen on Kibana's startup? On heartbeat creating the index? I'd like to define the preconditions that enables this use case, that's why I need to understand how to populate the settings for first time.

Descriptions for both fields say: "Change the threshold for displaying and alerting on certificate errors. Note, this will affect any configured alerts"

I see this requirement is hidden in a description text, when it should have its own AC: "Changing the threshold for alerting on certificate errors will affect any configured alerts"

[andrewvc]

@mdelapenya It sounds like the goal is to have feature files describe just the business use case, but not any of the design details. So far we're using the issue here to capture the output of our discussions, which includes a mix of product decisions and design decisions.

With regard to the feature files would it be fair to say they capture user stories, without particular notes about implementation? I agree we could do a better job using user stories to plan features, so that would make sense, but I'd like to hear more from you here.

[mdelapenya]

Yes, I agree we need both: technical (design, implementation, ...) and product details. Maybe we can have, in the same issue, two lists of ACs: one for product criteria and technical criteria. It would be simply splitting above list into two, here in the issue. Does it makes sense?

About the feature files, yes, they should capture user stories, with no implementation detail (no clicking, no typing, no browsing), we should use product verbs (search for certificates, configure a certificate, create an alert, expire a certificate...).

With the great work in the description of this issue it would be very easy to translate into feature files.

[katrin-freihofner]

The copy SHA action could look like this:

I'm going to update the issue description accordingly