crypto cert

Configures the generation of RASLog entries for certificate expiry. Depending on the number of days remaining until a certificate expires, RASLog entries with different warning severities can be generated.

Syntax

crypto cert expiry-level [ info | minor | major | critical ] period 1-90
no crypto cert expiry-level [ info | minor | major | critical ] period 1-90

Parameters

expiry-level [ info | minor | major | critical ]
Type of certificate expiry warning.
period 1-90
Number of days until the certificate expires.

Modes

Configuration mode

Usage Guidelines

When configured, a RASLog entry is created as a warning with the configured severity level, along with the serial number of the certificate for which the entry is being generated. A RASLog entry is generated for every certificate that will expire within the next ninety (90) days.

A single warning is generated when the number of days remaining until expiry is equal to (=) or becomes less than (<) the configured period for that severity level.

Certificate expiry checks are done once every day at 00:00 hours (midnight). Depending on the setting of the notAfter field in each certificate, RASLog generation may be delayed up to 24 hours.

Note

RASLog entries are generated only after the configuration.

When a certificate expires, a RASLog with a severity of error is generated every 24 hours until the expired certificate is renewed. This RASLog is not affected by the configuration of the expiry levels.

If the SLX device's system time is manually changed after a RASLog is generated, SLX does not send the RASLog again unless the specific crypto severity level is reconfigured to the previous RASLog or the specific certificate for which the RASLog was sent is re-imported.

Server certificates imported using the crypto commands are provided with the pkcs12 option. This pkcs12 option is considered when expiry is checked. CAs of TLS clients are imported using different import commands. These import commands do not support pkcs12 options and are not considered for the expiry check.

When more than one alert level is configured with the same period value, the RASLog is generated for the higher severity level.

Examples

The following example shows the configuration of the four (4) certificate expiry warning levels.

SLX # configure terminal 
SLX (config)# crypto cert expiry-level info period 90
SLX (config)# crypto cert expiry-level minor period 45
SLX (config)# crypto cert expiry-level major period 15
SLX (config)# crypto cert expiry-level critical period 5
SLX (config)#
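Because the guidelines above state that CAs of TLS clients are not considered for the expiry check, the following added example (not part of the original page and not SLX code) applies the same four thresholds off-box to a notAfter value. It assumes whole-day counting, a check at 00:00 UTC, and a constructed sample date; the function names are illustrative.

```python
import ssl
from datetime import datetime, timedelta, timezone

ORDER = ["info", "minor", "major", "critical"]          # lowest to highest
LEVELS = {"info": 90, "minor": 45, "major": 15, "critical": 5}  # page's example

def parse_not_after(text):
    """Parse a notAfter string as printed by `openssl x509 -noout -enddate`."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)

def classify(not_after, now, levels=LEVELS):
    """Return the severity that applies at `now`, or None if no threshold is met."""
    if now >= not_after:
        return "error"                  # expired: independent of configured levels
    days_left = (not_after - now).days  # assumption: whole days remaining
    hit = [n for n in ORDER if n in levels and days_left <= levels[n]]
    if not hit:
        return None
    tightest = min(levels[n] for n in hit)
    # Several levels may share the tightest period: report the highest severity.
    return max((n for n in hit if levels[n] == tightest), key=ORDER.index)

def simulate(not_after, start, days, levels=LEVELS):
    """Run one check per day at 00:00 UTC; log a level once, 'error' every day."""
    log, last = [], None
    day = start.replace(hour=0, minute=0, second=0, microsecond=0)
    for _ in range(days):
        sev = classify(not_after, day, levels)
        if sev is not None and (sev != last or sev == "error"):
            log.append((day.date().isoformat(), sev))
        last = sev
        day += timedelta(days=1)
    return log

# Constructed sample: a notAfter value for a certificate the device does not check.
SAMPLE_NOT_AFTER = "Mar 10 12:00:00 2025 GMT"

if __name__ == "__main__":
    expiry = parse_not_after(SAMPLE_NOT_AFTER)
    for date, sev in simulate(expiry, datetime(2024, 12, 1, tzinfo=timezone.utc), 102):
        print(date, sev)
```

With the sample value, the certificate expires at 12:00 on 10 March but the first error entry appears at the next midnight check, which illustrates the delay of up to 24 hours described in the guidelines.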