crypto cert expiry-level

Configures the generation of notifications for certificate expiry. Notifications with different warning levels are generated depending on the number of days remaining before a certificate expires. Notifications can be RASLog, SNMP, or both.

Syntax

crypto cert expiry-level [ info | minor | major | critical ] period alert-period
no crypto cert expiry-level [ info | minor | major | critical ] period alert-period

Parameters

expiry-level [ info | minor | major | critical ]
Type of certificate expiry warning to be generated.
period alert-period
Defines how many days before a certificate expires the notification alert is generated. This value is in the range 1-90 days.

Modes

Global Configuration Mode

Usage Guidelines

Note

Notifications can be RASLog or SNMP or both.

When configured, a notification is generated at the configured severity level and includes the serial number of the certificate for which it is generated. A notification is generated for every certificate that will expire within the configured number of days.

A single warning is generated when the number of days remaining before expiry is equal to (=) or becomes less than (<) the configured period for that severity level.

Certificate expiry checks are done once every day at 00:00 hours (midnight). Depending on the setting of the notAfter field in each certificate, notification generation may be delayed by up to 24 hours.

Note

Notifications are generated only after successful configuration using the crypto cert command.

When a certificate expires, a notification with error severity is generated every 24 hours until the expired certificate is renewed. Generation of this notification is not affected by the configuration of the expiry levels.

If the SLX device's system time is manually changed after a notification is generated, SLX does not send the same notification again unless the specific crypto severity level is reconfigured to the previous notification configuration or the specific certificate for which the notification was sent is re-imported.

When more than one alert level is configured with the same period value, a notification is generated for the higher severity level.

Examples

The following example shows the configuration of the four (4) certificate expiry warning levels.

SLX # configure terminal 
SLX (config)# crypto cert expiry-level info period    90
SLX (config)# crypto cert expiry-level minor period   60
SLX (config)# crypto cert expiry-level major period   30
SLX (config)# crypto cert expiry-level critical period 7
SLX (config)#

The no form of this command turns off the warning for the specified severity level.

SLX# conf term
Entering configuration mode terminal
SLX(config)# no crypto cert expiry-level minor period 60
SLX(config)# end
SLX#
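
The following added example is not SLX-OS code. It is a small Python model of the rules in Usage Guidelines that predicts which notification each daily 00:00 check would raise for one certificate. It assumes a level fires at the first midnight check where notAfter minus the check time is within the period, that notAfter and the device clock share a time zone, and it uses a constructed notAfter value; the function and variable names are hypothetical.

```python
from datetime import datetime, timedelta

SEVERITIES = ["info", "minor", "major", "critical"]  # lowest to highest

def effective_levels(levels):
    """Map period -> severity; levels sharing a period collapse to the higher one."""
    by_period = {}
    for severity, period in levels.items():
        if severity not in SEVERITIES or not 1 <= period <= 90:
            raise ValueError(f"invalid level: {severity} period {period}")
        current = by_period.get(period)
        if current is None or SEVERITIES.index(severity) > SEVERITIES.index(current):
            by_period[period] = severity
    return by_period

def simulate(levels, not_after, first_check, days):
    """Return [(check_time, severity)] for `days` consecutive checks at 00:00.

    Assumption of this model: a level fires at the first midnight check where
    not_after - check_time <= period days, and it fires only once.
    """
    by_period = effective_levels(levels)
    fired, events = set(), []
    check = first_check.replace(hour=0, minute=0, second=0, microsecond=0)
    for _ in range(days):
        if check >= not_after:
            # Expired: an error notification every 24 hours, regardless of levels.
            events.append((check, "error"))
        else:
            for period in sorted(by_period, reverse=True):
                if period not in fired and not_after - check <= timedelta(days=period):
                    fired.add(period)
                    events.append((check, by_period[period]))
        check += timedelta(days=1)
    return events

# Constructed sample: the four levels from the example above and a made-up notAfter.
LEVELS = {"info": 90, "minor": 60, "major": 30, "critical": 7}
NOT_AFTER = datetime(2025, 6, 30, 12, 0)

if __name__ == "__main__":
    for when, severity in simulate(LEVELS, NOT_AFTER, datetime(2025, 3, 1), 125):
        print(when.isoformat(), severity)
```

Because this notAfter falls at 12:00, each warning appears at the midnight check 12 hours after its threshold is crossed, which illustrates the delay of up to 24 hours described in Usage Guidelines.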