Monitor PKI Certificates & CRLs for Expiration with Telegram & SMS Alerts

Description

PKI Certificate & CRL Monitor - Auto Expiration Alert System

Overview
This n8n workflow provides automated monitoring of Public Key Infrastructure (PKI) components including CA certificates, Certificate Revocation Lists (CRLs), and associated web services. It extracts certificate information from the TSL (Trusted Service List) -- the Hungarian is the example list as default in the workflow -- , monitors expiration dates, and sends alerts via Telegram and SMS when critical thresholds are reached.

Features
Automated extraction of certificate URLs from TSL XML
CA certificate expiration monitoring
CRL expiration tracking
Website availability monitoring with retry mechanism
Multi-channel alerting (Telegram and SMS)
Scheduled execution every 12 hours
17-hour warning threshold for expirations

Setup Instructions

Prerequisites
n8n Instance: Running n8n installation with Linux environment
Telegram Bot: Created via @BotFather
Textbelt API Key: For SMS notifications (optional)
Network Access: To reach TSL source and certificate URLs
Linux Tools: OpenSSL, curl, libxml2-utils, jq (auto-installed)

Configuration Steps

1. Telegram Setup
Create Telegram Bot:
Open Telegram and search for @BotFather
Send /newbot and follow prompts
Save the bot token (format: 1234567890:ABCdefGHIjklMNOpqrsTUVwxyz)

Create Alert Channel:
Create a new Telegram channel for alerts
Add your bot as administrator
Get channel ID:
Send a test message to the channel
Visit: https://api.telegram.org/bot<YOUR_BOT_TOKEN>/getUpdates
Find "chat":{"id":-100XXXXXXXXXX} - this is your channel ID

2. SMS Setup (Optional)
Textbelt Configuration:
Register at https://textbelt.com
Purchase credits and obtain API key
Note: Free tier allows 1 SMS/day for testing

3. Configure Alert Nodes
Update these nodes with your credentials:

CRL Alert Node:
Open CRL Alert --- Telegram & SMS node
Replace YOUR-TELEGRAM-BOT-TOKEN with your bot token
Replace YOUR-TELEGRAM-CHANNEL-ID with your channel ID
Replace +36301234567 with target phone number(s)
Replace YOUR-TEXTBELT-API-KEY with your Textbelt key

CA Alert Node:
Open CA Alert --- Telegram & SMS node
Apply same replacements as above

Website Down Alert Node:
Open Send Website Down - Telegram & SMS node
Apply same replacements as above

4. TSL Source Configuration
The workflow defaults to Hungarian TSL:
URL: http://www.nmhh.hu/tl/pub/HU_TL.xml
To change, edit the Collect Checking URL list node
Trust list references: https://ec.europa.eu/tools/lotl/eu-lotl.xml (to find more TSL list to change the default), and https://www.etsi.org/deliver/etsi_ts/119600_119699/119615/01.02.01_60/ts_119615v010201p.pdf (to Technical Specification of the Trust Lists)

5. Threshold Configuration
Default warning threshold: 17 hours before expiration
To modify CRL threshold: Edit nextUpdate - TimeFilter node
To modify CA threshold: Edit nextUpdate - TimeFilter1 node
Change value in condition: if (diffHours < 17)

Activation
Save all configuration changes
Test with Execute With Manual Start trigger
Verify alerts are received
Toggle workflow to Active status for scheduled operation

How to Use

Automatic Operation
Once activated, the workflow runs automatically:
Frequency**: Every 12 hours
Process**:
Downloads TSL XML
Extracts all certificate URLs
Checks each URL type (CRL, CA, or other)
Validates expiration dates
Sends alerts for critical items

Manual Execution
For immediate checks:
Open the workflow
Click Execute With Manual Start node
Click "Execute Node"
Monitor execution progress

Understanding Alerts

CRL Expiration Alert
Message Format:
ALERT! with [Issuer CN] !!!CRL EXPIRATION!!! Will be under 17 hour ([Next Update Time])! Last updated: [Last Update Time]

Trigger Conditions:
CRL expires in less than 17 hours
CRL download successful but expiration imminent

CA Certificate Alert
Message Format:
ALERT!/EXPIRED! with [Subject CN] !!!CA EXPIRATION PROBLEM!!! The expiration time: ([Not After Date]) Last updated: ([Not Before Date])

Trigger Conditions:
Certificate expires in less than 17 hours (ALERT!)
Certificate already expired (EXPIRED!)

Website Down Alert
Message Format:
ALERT! The [URL] !!!NOT AVAILABLE!!! Service outage probable! Intervention required!

Trigger Conditions:
Initial HTTP request fails
Retry after wait period also fails
HTTP status code not 200

Monitoring Dashboard

Execution History
Navigate to n8n Executions tab
Filter by workflow name
Review successful/failed runs

Alert History
Check Telegram channel for:
Alert timestamps
Affected certificates/services
Expiration details

Troubleshooting

No Alerts Received
Check Telegram Bot:
Verify bot is admin in channel
Test with manual message via API
Confirm channel ID is correct

Check Workflow Execution:
Review execution logs in n8n
Look for error nodes (red indicators)
Verify TSL URL is accessible

False Positives
Verify system time is correct
Check timezone settings
Review threshold values

Missing Certificates
Some certificates may not have URLs
TSL may be temporarily unavailable
Check XML parsing in logs

Performance Issues
Slow Execution:
Large TSL files take time to parse
Network latency affects URL checks
Consider increasing timeout values

Memory Issues:
Workflow processes many URLs sequentially
Monitor n8n server resources
Consider increasing batch intervals

Advanced Configuration

Modify Check Frequency
Edit Execute With Scheduled Start node:
Change interval type (hours/days/weeks)
Adjust interval value
Consider peak/off-peak scheduling

Add Custom TSL Sources
In Collect Checking URL list node:
URL="https://your-tsl-source.com/tsl.xml"

Customize Alert Messages
Edit alert nodes to modify message templates:
Add organization name
Include escalation contacts
Add remediation instructions

Filter Certificate Types
Modify URL detection patterns:
Is this CRL?** node: Adjust CRL detection
Is this CA?** node: Adjust CA detection
Add new patterns as needed

Adjust Retry Logic
Wait B4 Retry node:
Default: Immediate retry
Can add delay (seconds/minutes)
Useful for transient network issues

Maintenance

Regular Tasks
Weekly**: Review alert frequency
Monthly**: Validate phone numbers/channels
Quarterly**: Update TSL source URLs
Annually**: Review threshold values

Log Management
Clear old execution logs periodically
Archive alert history from Telegram
Document false positives for tuning

Updates
Keep n8n updated for security patches
Monitor OpenSSL versions for compatibility
Update notification service APIs as needed

Security Considerations
Store API keys in n8n credentials manager
Use environment variables for sensitive data
Restrict workflow edit access
Monitor for unauthorized changes
Regularly rotate API keys
Use HTTPS for TSL sources when available

Compliance Notes
Ensure monitoring aligns with PKI policies
Document alert response procedures
Maintain audit trail of certificate issues
Consider regulatory requirements for uptime

Integration Options
Connect to ticketing systems for alert tracking
Add database logging for compliance
Integrate with monitoring dashboards
Create escalation workflows for critical alerts

Best Practices
Test alerts monthly to ensure delivery
Maintain multiple notification channels
Document response procedures for each alert type
Set up redundant monitoring if critical
Review and tune thresholds based on operational needs
Keep contact lists updated
Consider time zones for global operations