Solved: Help configuring SSL Certificate Monitor Extension

NicoleMT · ‎22 Jul 2025

Hello Community,

I’m looking for support in configuring the SSL Certificate Monitor extension in Dynatrace.

I’ve already deployed the extension using the OneAgent on two hosts. However, I’m encountering the following issues:

One certificate is reported as expired.
Another certificate is detected on a port that isn’t associated with any running web service.
The extension does not detect the certificates served on the expected HTTP ports, where my web applications are running.
In addition, these expected ports appear as blocked or unreachable in the extension.

Could anyone help me understand what might be going wrong? For example:

Do I need to explicitly define the ports or endpoints in the configuration?

ben_davidson · ‎22 Jul 2025

HTTP connections are insecure and do not use SSL/TLS certificates during the establishment of a connection. Generally, port 80 is an insecure port that uses the HTTP protocol. This is verified in the blocklist "Reason" column as three of the ports responded to connection handshake with HTTP headers. Ports are blocklisted when the extension attempts to establish a secure connection and collect certificate details but is unable to extract a certificate.

As for the other questions, can you share more about the other issues you are facing? Are you expecting a certificate to be expired? For the detected certificate on a, "port that isn’t associated with any running web service", is there an associated process? Most Windows hosts will discover a host certificate (typically on port 3389), this is expected.