Certificate Expiry Alert

All cryptographic certificates have an effective lifetime. This lifetime is defined by the notBefore and notAfter validity fields stored in the certificate. A cryptographic certificate should not be used before the date in the notBefore field. It is considered expired after the date in the notAfter field and should not be used after that date.

When a cryptographic certificate nears its expiration time, a RASLOG is generated with the configured warning level.

Note

The cryptographic certificate expiration warning levels INFO, MINOR, MAJOR, and CRITICAL map to the RASLOG warning severity levels. The RASLOG also triggers an SNMP trap if the trap severity level is configured to warning or above.

When configured, a RASLOG warning is created at the configured severity level and includes the serial number of the certificate for which the entry is generated. A RASLOG entry is generated for every certificate that will expire within the next ninety (90) days.

A single warning is generated when the number of days remaining until expiry is equal to or falls below the configured period for that severity level.

Certificate expiry checks are done once every day at 00:00 hours (midnight). Depending on the setting of the notAfter field in each certificate, RASLOG generation may be delayed up to 24 hours.

Note

RASLOG is generated only after this configuration is completed.

When a certificate expires, a RASLOG with severity ERROR is generated every 24 hours until the expired certificate is renewed. This RASLOG is not affected by the configuration of the expiry levels.
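
The following Python model of the alert schedule described above is an added example, not code from the device or its vendor. The threshold values, the function names, the whole-day counting of remaining time, and the choice to log only the most severe level reached are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed (hypothetical) warning periods in days, least to most severe.
# On the device these are operator-configured; the values here are constructed.
THRESHOLDS = [("INFO", 90), ("MINOR", 30), ("MAJOR", 7), ("CRITICAL", 1)]
WINDOW_DAYS = 90  # only certificates expiring within 90 days are reported

def check(not_after, now, raised):
    """One daily check for one certificate.

    Returns the severity to log, or None. `raised` is the set of levels
    already logged for this certificate and is updated in place.
    """
    if now > not_after:
        return "ERROR"  # repeats at every check until renewal
    days_left = (not_after - now).days  # whole days remaining (assumption)
    if days_left > WINDOW_DAYS:
        return None
    due = None
    for level, period in THRESHOLDS:
        if days_left <= period:
            due = level  # keep the most severe level reached
    if due is None or due in raised:
        return None  # single warning per level
    raised.add(due)
    return due

def simulate(not_after, start, days):
    """Run the midnight check once per day; return [(date, severity), ...]."""
    raised, events = set(), []
    midnight = start.replace(hour=0, minute=0, second=0, microsecond=0)
    for i in range(days):
        now = midnight + timedelta(days=i)
        severity = check(not_after, now, raised)
        if severity:
            events.append((now.date().isoformat(), severity))
    return events

# Constructed sample: certificate whose notAfter is 2025-03-31 15:30 UTC.
NOT_AFTER = datetime(2025, 3, 31, 15, 30, tzinfo=timezone.utc)
START = datetime(2024, 12, 25, tzinfo=timezone.utc)

if __name__ == "__main__":
    for date, severity in simulate(NOT_AFTER, START, 100):
        print(date, severity)
```

In the sample, the certificate expires at 15:30 on 31 March but the first ERROR entry appears at the 00:00 check on 1 April, which is the delay of up to 24 hours described above.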