Certificate Expiry Alert

All cryptographic certificates have an effective lifetime. This lifetime is defined in the validity fields notBefore and notAfter values stored within each cryptographic certificate. Ideally, a cryptographic certificate should not be used prior to the date configured in the notBefore field. The cryptographic certificate is considered as expired beyond the date configured in the notAfter field and should not be used after that date.

When a cryptographic certificate nears its expiration date, then a notification is generated with the configured warning level.

Note

Notifications can be RASLog or SNMP or both.

Notifications to users can be classified as Warning or Error as seen in the RASLOG entries. Messages of the type Warnings are only generated if the alert levels are configured. The valid alert levels are INFO, MINOR, MAJOR, and CRITICAL and are configured independent of each other. These classifications are applicable to both RASLOG entries and SNMP Notifications.

The notifications of the type Error are always generated irrespective of the configured alert levels. By default, RASLOGs are always written for notifying certificate expiry. SNMP notifications are only generated when SNMP is enabled on the device.

For the Warning type of messages, when notifications are generated, these incorporate the configured alert level, along with the details of the expiring certificate. This is generated for each certificate that will expire in the near term.

A single warning is generated when the number of remaining days for a certificate's expiry is equal to (=) or becomes lesser than (<) the configured period for that severity level.

For the Error type of messages, notifications are always generated once a day at midnight (00:00 hours) for each certificate that has expired. This notification is generated till the expired certificates are renewed or their validity extended.

Depending on the setting of the notAfter field in each certificate, the generation of the notification may be delayed by upto 24 hours.

Things to note about Notifications for Certificate Management.

• A single alert is issued if the number of remaining days until expiration is equal to (=) or less than (<) the time configured for that expiry-level. When calculating a certificate's expiry, only the number of remaining days are considered. The remaining number of hours, minutes, and seconds are not considered.

• Certificate validity verification is performed once every 24 hours at midnight (00:00 hours). When configured, the certificate expiration event might not get triggered immediately and depends on the time of day when the configuration is performed. It is only triggered when the device's clock next reaches 00:00 hours.

• If a certificate has expired, then, the notification is sent every 24 hours till the certificate is changed or its validity is extended. This notification is independent of the expiry-level configuration and does not contain any information about the alert level. SLX-OS does not allow importing an already expired certificate.
• If the system time is manually changed after a notification is sent, SLX-OS does not resend the same notification unless the specific expiry-level for which the notification is sent is reconfigured or the specific certificate for which the notification is sent is reimported.
• If multiple alert levels are configured with same notification period, the extremeCertExpiryWarning notification is only sent for the highest alert level among them.
• This configuration is affected by the Year 2038 Problem. On or after the 19th of January 2038 (2038-01-19), due to a change in system time, the Certificate Expiry Alert feature will stop working.

Certificates Monitored for Expiry

The following certificates are monitored for expiry:

• gnmi-server
• gnmiclient-ca
• https
• https-trustpoint
• httpsclient-ca
• ldap-ca
• ldap-client
• oauth2pkicert
• radius-ca
• radius-client
• sshx509v3
• sshx509v3-ca
• sshx509v3-trustpoint
• syslog-ca
• syslog-client