Layer7 API Management

Certificate Expiry date

  • 1.  Certificate Expiry date

    Posted 12-27-2016 11:49 PM

    Can we get a Certificate Expiry date mail alert? Which table contains the complete details of certificates, including the expiry date?



  • 2.  Re: Certificate Expiry date

    Posted 12-28-2016 12:08 AM

    Hello SoniaMehta ,

    The KB article provides an example for your requirement,

    https://www.ca.com/us/services-support/ca-support/ca-support-online/knowledge-base-articles.TEC0000001054.html 

     

     

    Regards,

    Mark



  • 3.  Re: Certificate Expiry date

    Posted 01-02-2017 05:06 AM

    Hi ,

     

    I added global variables as mentioned below, but I am still unable to see any audits logged for them, though the expiry of the certificates is within the next 30 days.

    • trustedCert.expiryFineAge 30d
    • trustedCert.expiryInfoAge 7d
    • trustedCert.expiryWarningAge 2d
    • trustedCert.expiryCheckPeriod 1h

    Kindly guide.



  • 4.  Re: Certificate Expiry date

    Posted 01-03-2017 01:18 PM

    Sonia,

     

    The default of the audits for admin tasks is INFO so unless you change the cluster wide property (CWP) "audit.adminThreshold" to FINE you will not see the 30 day warnings. I would recommend that you change the CWP "trustedCert.expiryInfoAge" to 30 days if not higher.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support



  • 5.  Re: Certificate Expiry date

    Posted 01-03-2017 11:39 PM

    Hi Stephen,

    Will the trusted cert audit details be captured for all installed certificates in Policy Manager?



  • 6.  Re: Certificate Expiry date

    Posted 01-04-2017 04:47 AM

    Hi Stephen,

    I set "trustedCert.expiryInfoAge" to 30d, but I am still unable to see any expiry message in the audit info details.



  • 7.  Re: Certificate Expiry date
    Best Answer

    Posted 01-04-2017 01:07 PM

    Sonia,

     

    I've just tested this in version 9.1 with a certificate in the Manage Certificate section which will expire in 20 days, using the settings outlined in the above posts. This will not track Private Keys, only certificates in the Manage Certificate section.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support



  • 8.  Re: Certificate Expiry date

    Posted 01-04-2017 11:36 PM

    Thank you Stephen.



  • 9.  Re: Certificate Expiry date

    Posted 01-09-2017 11:26 PM

    Hi Stephen,

    This is working, but only if the audit level is info, fine or warning. What if the audit level maintained is Severe?

    How can we then configure the global variable so as to get alerts of certificate expiry?



  • 10.  Re: Certificate Expiry date

    Posted 01-18-2017 12:24 PM

    I use a cron job on the primary database node to call a shell script that looks up both client certificates and trusted certificates, then forwards the output to a service in the gateway which sends emails accordingly.

     

    http://layer7admin.blogspot.com/2014/11/certificate-expiration-notification.html



  • 11.  Re: Certificate Expiry date

    Posted 01-18-2017 11:24 PM

    Hi Ben,

    Thanks for your reply. We already configured this using a cron job on the ssg log.

    But I would like to know the table name for certificate expiry, as we are unable to fetch the Expiry date column from our database.



  • 12.  Re: Certificate Expiry date

    Posted 01-19-2017 11:51 AM

    The expiration date is not in the database tables; however, the certificate's 64-bit encoded PEM is, which by looping through a service we can cast into a certificate x509 object, allowing us to extract the expiration date (as you can see in the policy logic in the git repository referenced in the post linked to above).



  • 13.  Re: Certificate Expiry date

    Posted 01-20-2017 01:42 AM

    Hi Ben,

    I used the Extract Attributes from Certificate assertion, but I am still not able to see a value that extracts the date.

    Below is the list of available options. Can you please guide me?



  • 14.  Re: Certificate Expiry date

    Posted 01-20-2017 12:14 PM

    notAfter is the expiration and notBefore is the validity start datetime.

    (If you look at the policy I have in github referenced in my blog you would also see that is what is being validated against to determine whether or not to send an email to the address specified in the FIP user properties.)



  • 15.  Re: Certificate Expiry date

    Posted 01-23-2017 11:25 PM

    Hi Ben,

    Thank you for your reply.

    In my policy I have used Lookup certificate by name. What if I want to know the details of all the certificates which are going to expire? Is there any way I can list them out?

    2. Using notafter I am getting the datetime of expiry of the certificate, but is there any way to calculate the difference between two dates so as to send an email alert using policy just before 15 days of expiry?
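
    The two questions above (listing every certificate that is about to expire, and alerting a fixed number of days before notAfter) can also be handled outside policy, in the cron and shell style described in post 10. The script below is an added example, not code from this thread or the linked blog; it assumes the `openssl` CLI is installed and that the certificates have been exported as `*.pem` files into one directory, and all function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): flag certificates nearing notAfter.

# Wrap a single-line base64 certificate body into PEM so openssl can read it.
b64_to_pem() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    printf '%s\n' "$1" | fold -w 64
    printf '%s\n' '-----END CERTIFICATE-----'
}

# Exit 0 if the PEM certificate in file $1 expires within $2 days, 1 if not,
# 2 if the file cannot be parsed as a certificate.
expires_within() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
    then return 1      # -checkend succeeded: still valid after the window
    else return 0      # expires (or has already expired) inside the window
    fi
}

# Print "file<TAB>notAfter" for every *.pem in directory $1 that expires
# within $2 days; unparseable files are reported on stderr, not skipped silently.
list_expiring() {
    for f in "$1"/*.pem; do
        [ -e "$f" ] || continue
        rc=0; expires_within "$f" "$2" || rc=$?
        case $rc in
            0) printf '%s\t%s\n' "$f" \
                   "$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)" ;;
            2) printf 'cannot parse %s\n' "$f" >&2 ;;
        esac
    done
}

# Constructed sample: a throwaway self-signed certificate valid for $2 days.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=constructed-sample' \
        -days "$2" -keyout "$1.key" -out "$1" 2>/dev/null && rm -f "$1.key"
}

# Demo: a 20-day certificate is listed for a 30-day window, not a 15-day one.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/sample.pem" 20
echo "30-day window:"; list_expiring "$demo_dir" 30
echo "15-day window:"; list_expiring "$demo_dir" 15
rm -rf "$demo_dir"
```

    `openssl x509 -checkend` does the date comparison itself, so no date parsing or subtraction is needed; the output of `list_expiring` can be piped to whatever mailer the cron job already uses.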



  • 16.  Re: Certificate Expiry date

    Posted 01-26-2017 01:05 PM