The Cisco IOS
Certificate Authority (CA) server allows autoenrollment of certificates before
a certificate expires to ensure the availability of certificates for
applications during authentication. However, network outages, clock update
problems, and overloaded CAs can impede certificate renewal, thereby resulting
in subsystems going offline because no valid certificates can be used for
authentication. The PKI Credentials Expiry Alerts feature provides a mechanism
by which a CA client sends a notification to a syslog server when certificates
are on the verge of expiry.
The notifications
are sent at the following intervals:
-
First
notification—This is sent 60 days before the expiry of the certificate.
-
Repeated
notifications—After the first notification, subsequent notifications are sent
every week until a week before the expiry of the certificate. In the last week,
notifications are sent every day until the certificate expiry date.
The notifications
are in a
warning mode when the certificate is valid for more than a week.
The notifications are in an
alert mode when a certificate’s validity is less than a week. The
notifications include the following information:
-
Truspoint the
certificate is associated with
-
Certificate type
-
Serial number of
the certificate
-
Certificate
issuer name
-
Number of days
remaining for the certificate to expire
-
Whether the
certificate is enabled with autoenrollment
-
Whether a shadow
certificate is available for the corresponding certificate
Note |
Alert
notifications are sent either via the syslog server or Simple Network
Management Protocol (SNMP) traps. Notifications stop when a trustpoint is
configured with autoenrollment and the corresponding shadow or rollover
certificate is present, and the shadow or rollover certificate’s start time is
either the same or earlier than the certificate’s end time.
|
This feature cannot
be disabled and requires no additional configuration tasks. The
show crypto pki
timers command is enhanced to display the timer expiry
information. The following is a sample output from the
show crypto pki timers
detail command that displays the timer when a certificate is
about to expire. When this timer expires, a notification is sent to the syslog
server.
Device# show crypto pki timers detail
PKI Timers
| 14:36.150 (2019-10-30T11:33:30Z)
| 14:36.150 (2019-10-30T11:33:30Z) SESSION CLEANUP
|2569d23:56:19.461 (2026-11-12T11:15:13Z) SHADOW test
Expiry Alert Timers
|659d 5:56:19.599 (2021-08-19T17:15:13Z)
|659d 5:56:19.599 (2021-08-19T17:15:13Z) ID(test)
|2875d 4:45:18.562 (2027-09-13T16:04:12Z) CA(test)
Trustpool Timers
|3464d 9:06:48.463 (2029-04-24T20:25:42Z)
|3464d 9:06:48.463 (2029-04-24T20:25:42Z) TRUSTPOOL
Note |
show crypto pki timer command displays absolute time in ISO 8601 format.
|
The following is a
syslog message that is displayed on the device:
Device#
Dec 16 10:24:13.533: %PKI-4-CERT_EXPIRY_WARNING: ID Certificate belonging to trustpoint tp will expire in 60 Days 0 hours 0 mins 0 secs.
Issuer-name cn=CA
Subject-name hostname=Router
Serial-number 02
Auto-Renewal: Not Enabled