Layer7 API Management


Certificate Expiry date

  • 1.  Certificate Expiry date

    Posted Dec 27, 2016 11:49 PM

    Can we get a mail alert for the certificate expiry date? Which table contains the complete details of certificates, including the expiry date?



  • 2.  Re: Certificate Expiry date

    Broadcom Employee
    Posted Dec 28, 2016 12:08 AM

    Hello SoniaMehta,

    The KB article provides an example for your requirement,

    https://www.ca.com/us/services-support/ca-support/ca-support-online/knowledge-base-articles.TEC0000001054.html 

     

     

    Regards,

    Mark



  • 3.  Re: Certificate Expiry date

    Posted Jan 02, 2017 05:06 AM

    Hi ,

     

    I added the global variables mentioned below, but I am still unable to see any audits logged for it, though the expiry of certificates is within the next 30 days.

    • trustedCert.expiryFineAge 30d
    • trustedCert.expiryInfoAge 7d
    • trustedCert.expiryWarningAge 2d
    • trustedCert.expiryCheckPeriod 1h

    Kindly guide.



  • 4.  Re: Certificate Expiry date

    Broadcom Employee
    Posted Jan 03, 2017 01:18 PM

    Sonia,

     

    The default of the audits for admin tasks is INFO so unless you change the cluster wide property (CWP) "audit.adminThreshold" to FINE you will not see the 30 day warnings. I would recommend that you change the CWP "trustedCert.expiryInfoAge" to 30 days if not higher.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support



  • 5.  Re: Certificate Expiry date

    Posted Jan 03, 2017 11:39 PM

    Hi stephen,

     

    Will the trusted cert audit details be captured for all installed certificates in Policy Manager?



  • 6.  Re: Certificate Expiry date

    Posted Jan 04, 2017 04:47 AM

    Hi Stephen,

    I set "trustedCert.expiryInfoAge" to 30d, but I am still unable to see any expiry message in the audit info details.



  • 7.  Re: Certificate Expiry date
    Best Answer

    Broadcom Employee
    Posted Jan 04, 2017 01:07 PM

    Sonia,

     

    I've just tested this in version 9.1 with a certificate in the Manage Certificate section which will expire in 20 days, using the settings outlined in the above posts. This will not track Private Keys, only certificates in the Manage Certificate section.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support



  • 8.  Re: Certificate Expiry date

    Posted Jan 04, 2017 11:36 PM

    Thank you Stephen.



  • 9.  Re: Certificate Expiry date

    Posted Jan 09, 2017 11:26 PM

    Hi stephen,

     

    This is working, but only if the audit level is info, fine or warning. What if the audit level maintained is Severe?

    How can we then configure the global variable so as to get alerts of certificate expiry?



  • 10.  Re: Certificate Expiry date

    Posted Jan 18, 2017 12:24 PM

    I use a cron job on the primary database node to call a shell script that looks up both client certificates and trusted certificates, then forwards the output to a service in the gateway which sends emails accordingly.

     

    http://layer7admin.blogspot.com/2014/11/certificate-expiration-notification.html



  • 11.  Re: Certificate Expiry date

    Posted Jan 18, 2017 11:24 PM

    Hi Ben,

    Thanks for your reply. We already configured this using a cron job on the ssg log.

    But I would like to know the table name for certificate expiry, as we are unable to fetch the expiry date column from our database.



  • 12.  Re: Certificate Expiry date

    Posted Jan 19, 2017 11:51 AM

    The expiration date is not in the database tables; however, the certificate's 64-bit encoded PEM is, which, by looping through a service, we can cast into a certificate X.509 object, allowing us to extract the expiration date (as you can see in the policy logic in the git repository referenced in the post linked to above).



  • 13.  Re: Certificate Expiry date

    Posted Jan 20, 2017 01:42 AM

    Hi Ben,

    I used the Extract Attributes from Certificate assertion, but I am still not able to see a value that extracts the date.

    Below is the list of available options. Can you please guide me?



  • 14.  Re: Certificate Expiry date

    Posted Jan 20, 2017 12:14 PM

    notAfter is the expiration and notBefore is the validity start datetime.

    (If you look at the policy I have in github referenced in my blog you would also see that is what is being validated against to determine whether or not to send an email to the address specified in the FIP user properties.)
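
Added example, not part of the thread and not the Gateway's or the linked policy's own code: it turns a notAfter value into days remaining (the check described in post 14) and models why the 20-day certificate from posts 3 to 9 is or is not recorded. The certificate names and dates are constructed, and the rule that picks a level from the `trustedCert.expiry*Age` values is an assumption.

```python
import ssl
from datetime import datetime, timezone

LEVELS = ["FINE", "INFO", "WARNING", "SEVERE"]  # least to most severe

# Ages in days from post 3; each property name gives the level it audits at.
POST3_AGES = {"FINE": 30, "INFO": 7, "WARNING": 2}
# Same, with trustedCert.expiryInfoAge raised to 30d as advised in post 4.
POST4_AGES = {"FINE": 30, "INFO": 30, "WARNING": 2}

# Constructed sample data: (certificate name, notAfter as OpenSSL prints it).
CERTS = [
    ("gateway-ldap", "Jan 24 12:00:00 2017 GMT"),
    ("partner-idp", "Jan 10 12:00:00 2017 GMT"),
    ("internal-ca", "Mar 15 12:00:00 2018 GMT"),
]
NOW = datetime(2017, 1, 4, 12, 0, 0, tzinfo=timezone.utc)  # fixed for repeatability


def days_until(not_after, now):
    """Whole days from now to a notAfter string (negative once expired)."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expiry - now).days


def expiry_level(days_left, ages):
    """Assumed rule: the most severe level whose age window covers days_left."""
    hits = [lvl for lvl, age in ages.items() if days_left <= age]
    return max(hits, key=LEVELS.index) if hits else None


def recorded(certs, now, ages, threshold):
    """(name, days_left, level) for each cert whose audit meets the threshold."""
    rows = []
    for name, not_after in certs:
        left = days_until(not_after, now)
        level = expiry_level(left, ages)
        if level and LEVELS.index(level) >= LEVELS.index(threshold):
            rows.append((name, left, level))
    return rows


if __name__ == "__main__":
    for ages in (POST3_AGES, POST4_AGES):
        for threshold in ("INFO", "SEVERE"):
            print(ages, threshold, recorded(CERTS, NOW, ages, threshold))
```

With a threshold of SEVERE nothing is recorded under either set of ages, which is the case where an out-of-band check such as the cron job in post 10 is the only source of alerts.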



  • 15.  Re: Certificate Expiry date

    Posted Jan 23, 2017 11:25 PM

    Hi Ben,

    Thank you for your reply.

    In my policy I have used Lookup certificate by name. What if I want to know the details of all the certificates which are going to expire? Is there any way I can list them out?

    2. Using notAfter I am getting the datetime of expiry of the certificate, but is there any way to calculate the difference between two dates so as to send an email alert using policy 15 days before expiry?



  • 16.  Re: Certificate Expiry date

    Posted Jan 26, 2017 01:05 PM