Starting with release 20.3.3, the administrator can configure how many days before the expiry of a TLS certificate present in SLX an alert is issued, and map each configured period to one of four levels that indicate the severity of the alert. The four levels are critical, major, minor and info. The following is an example configuration.
SLX(config)# crypto cert expiry-level info period 50
SLX(config)# crypto cert expiry-level minor period 30
SLX(config)# crypto cert expiry-level major period 10
SLX(config)# crypto cert expiry-level critical period 5
The period can be specified in the range 1 to 90 days. With this configuration in place, the expiry date of every TLS certificate present in SLX is checked once every 24 hours, and when the number of days remaining before a certificate expires matches a configured period, an alert is issued with the severity given in the expiry-level field.
The alert is issued in the form of a RASLOG. SNMP trap severity levels can be set on SLX. When the SNMP trap severity level is set to warning, the generated RASLOGs also issue an SNMP trap.
The RASLOGs and SNMP traps carry details about the expiring certificate, such as its serial number and subject, and state the number of days within which the certificate expires. Below is an example with the info level configured.
RASLOG
2022/05/13-00:00:02, [SEC-3136], 87,, WARNING, SLX, Event: cert expiry ,Alert-level:INFO, Certificate Details=[subject= /C=IN/ST=KA/L=BAN/O=HCL/OU=Engg/CN=10.24.12.129/emailAddress=gselvara j@hcl.com issuer= /C=IN/ST=KA/L=BAN/O=HCL/OU=Engg/CN=root serial=4098] will expire in 44 days.
SNMP Trap
05:35:32.203670 IP 10.24.12.129.50000 > ldap.testsqa.com.SNMPtrap: C="cm2" V2Trap(452) system.sysUpTime.0=81400 S:1.1.4.1.0=E:1588.2.1.1.1.0.4 S:18.1.3.0=10.24.12.129 E:1588.2.1.1.1.8.5.1.1.87=87 E:1588.2.1.1.1.8.5.1.2.87="2022/05/13- 00:00:02" E:1588.2.1.1.1.8.5.1.3.87=3 E:1588.2.1.1.1.8.5.1.4.87=1 E:1588.2.1.1.1.8.5.1.5.87="SEC-3136 Event: cert expiry , Alertlevel: INFO, Certificate Details=[subject= /C=IN/ST=KA/L=BAN/O=HCL/OU=Engg/CN=10.24.12.129/emailAddress=gselvara j@hcl.com issuer= /C=IN/ST=KA/L=BAN/O=HCL/OU=Engg/CN=root serial=4098] will expire in 44 days."
If the administrator has configured multiple levels or all four levels, an alert is issued at each level's severity when the time remaining before expiry matches the period configured for that level.
If a certificate has already expired, a RASLOG with Error severity is sent every 24 hours until that certificate is changed.
This RASLOG is sent irrespective of the expiry-level configuration. These configurations remind administrators to change the certificate and prevent a service from becoming non-functional because of a TLS handshake failure caused by certificate expiry.
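A collector-side parser for the SEC-3136 RASLOG format shown above, as an added example that is not part of the original page and not SLX's own code: it extracts the alert level, certificate identity and days remaining, and keeps only the most severe alert per certificate when several levels are configured. The sample lines are constructed, and the upper-case MINOR, MAJOR and CRITICAL level strings are an assumption based on the INFO sample.

```python
import re

# Field layout follows the SEC-3136 RASLOG sample shown on this page.
SEC_3136 = re.compile(
    r"^(?P<time>\d{4}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}),\s*\[SEC-3136\],.*?"
    r"Alert-?level:\s*(?P<level>[A-Za-z]+)\s*,\s*Certificate Details=\["
    r"subject=\s*(?P<subject>.*?)\s+issuer=\s*(?P<issuer>.*?)\s+"
    r"serial=(?P<serial>[0-9A-Fa-f]+)\]\s*will expire in (?P<days>\d+) days"
)
# Assumption: the other three levels are printed in upper case, as INFO is.
RANK = {"CRITICAL": 0, "MAJOR": 1, "MINOR": 2, "INFO": 3}


def parse_cert_expiry(line):
    """Return the fields of one SEC-3136 expiry alert, or None for other lines."""
    m = SEC_3136.search(line.strip())
    if m is None:
        return None
    alert = m.groupdict()
    alert["level"] = alert["level"].upper()
    alert["days"] = int(alert["days"])
    return alert


def triage(lines):
    """Keep the most severe alert per (issuer, serial); most urgent first."""
    worst = {}
    for line in lines:
        alert = parse_cert_expiry(line)
        if alert is None or alert["level"] not in RANK:
            continue
        key = (alert["issuer"], alert["serial"])
        if key not in worst or RANK[alert["level"]] < RANK[worst[key]["level"]]:
            worst[key] = alert
    return sorted(worst.values(), key=lambda a: (RANK[a["level"]], a["days"]))


# Constructed sample lines (not device output), modelled on the page's format.
FMT = ("{ts}, [SEC-3136], 87,, WARNING, SLX, Event: cert expiry ,Alert-level:{lvl}, "
       "Certificate Details=[subject= /C=XX/O=Example/CN={cn} "
       "issuer= /C=XX/O=Example/CN=root serial={sn}] will expire in {d} days.")
SAMPLE = [
    FMT.format(ts="2022/05/13-00:00:02", lvl="INFO", cn="192.0.2.10", sn="4098", d=44),
    FMT.format(ts="2022/05/27-00:00:02", lvl="MINOR", cn="192.0.2.10", sn="4098", d=30),
    FMT.format(ts="2022/05/27-00:00:03", lvl="CRITICAL", cn="192.0.2.20", sn="4100", d=5),
    "2022/05/27-00:01:10, [XYZ-0000], 90,, INFO, SLX, constructed unrelated message.",
]
```

Calling `triage(SAMPLE)` returns the CRITICAL alert for serial 4100 first, then the MINOR alert for serial 4098; the earlier INFO alert for the same certificate is superseded.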