The Cisco IOS Certificate Authority (CA) server allows autoenrollment of certificates before a certificate expires to ensure the availability of certificates for applications during authentication. However, network outages, clock update problems, and overloaded CAs can impede certificate renewal, thereby resulting in subsystems going offline because no valid certificates can be used for authentication. The PKI Credentials Expiry Alerts feature provides a mechanism by which a CA client sends a notification to a syslog server when certificates are on the verge of expiry.

The notifications are sent at the following intervals:

• First notification—This is sent 60 days before the expiry of the certificate.

• Repeated notifications—After the first notification, subsequent notifications are sent every week until a week before the expiry of the certificate. In the last week, notifications are sent every day until the certificate expiry date.

The notifications are in a warning mode when the certificate is valid for more than a week. The notifications are in an alert mode when a certificate’s validity is less than a week. The notifications include the following information:

• Truspoint the certificate is associated with

• Certificate type

• Serial number of the certificate

• Certificate issuer name

• Number of days remaining for the certificate to expire

• Whether the certificate is enabled with autoenrollment

• Whether a shadow certificate is available for the corresponding certificate

Note

Alert notifications are sent either via the syslog server or Simple Network Management Protocol (SNMP) traps. Notifications stop when a trustpoint is configured with autoenrollment and the corresponding shadow or rollover certificate is present, and the shadow or rollover certificate’s start time is either the same or earlier than the certificate’s end time.

This feature cannot be disabled and requires no additional configuration tasks. The show crypto pki timers command is enhanced to display the timer expiry information. The following is a sample output from the show crypto pki timers detail command that displays the timer when a certificate is about to expire. When this timer expires, a notification is sent to the syslog server.

Device# show crypto pki timers detail

PKI Timers
|       14:36.150  (2019-10-30T11:33:30Z) 
  |       14:36.150  (2019-10-30T11:33:30Z) SESSION CLEANUP 
  |2569d23:56:19.461  (2026-11-12T11:15:13Z) SHADOW test

Expiry Alert Timers
|659d 5:56:19.599  (2021-08-19T17:15:13Z) 
  |659d 5:56:19.599  (2021-08-19T17:15:13Z) ID(test)
  |2875d 4:45:18.562  (2027-09-13T16:04:12Z) CA(test)

Trustpool Timers
|3464d 9:06:48.463  (2029-04-24T20:25:42Z) 
  |3464d 9:06:48.463  (2029-04-24T20:25:42Z) TRUSTPOOL

The following is a syslog message that is displayed on the device:

Device#

Dec 16 10:24:13.533: %PKI-4-CERT_EXPIRY_WARNING: ID Certificate belonging to trustpoint tp will expire in 60 Days 0 hours 0 mins 0 secs.
Issuer-name cn=CA
Subject-name hostname=Router
Serial-number 02
Auto-Renewal: Not Enabled 

PKI trap ease the monitoring and operations of a PKI deployment by retrieving certificate information of the devices in the network. The root device sends SNMP traps at regular intervals to the network management system (NMS) based on the threshold configured in the device. The traps are sent in the following scenarios:

• A new certificate is installed—An SNMP trap (new certificate notification) is sent to the SNMP server containing information about the certificate, such as, certificate serial number, certificate issuer name, certificate subject name, trustpoint name, certificate type, and certificate start and end date.

• A certificate is about to expire—An SNMP trap (certificate expiry notification) is sent to the SNMP server at regular intervals starting from 60 days to one week before the certificate’s end date. In the week leading up to the expiration of the certificate, the trap is sent everyday. The trap contains certificate information, such as, certificate serial number, certificate issuer name, trustpoint name, certificate type, and certificate’s remaining lifetime.

To enable PKI traps, use the snmp-server enable traps pki command.

Note	If the shadow or rollover certificate’s start time is later than the certificate’s end time, traps are sent stating that the shadow certificate is not yet valid. However, no traps are sent if a shadow certificate available for the same trustpoint, and the shadow certificate becomes active.