Monitor expiring trusted certificates with a scheduled task on API Gateway

Article ID: 194152

Products

  • CA API Gateway
  • API SECURITY
  • CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7)
  • CA API Gateway Enterprise Service Manager (Layer 7)
  • STARTER PACK-7
  • CA Microgateway

Issue/Introduction

There is a KB article: Generating Email Alerts for Expiring Trusted Certificates

In that article, the alert message is based on the audit message, which does not include the CN of the certificate. It only shows "One or more certificate is going to expire soon".

This makes it difficult for a system administrator with hundreds of certificates to tell which one is affected.

Environment

Release : 9.4 CR1 and above

Component : API GATEWAY

Resolution

The new solution uses the /restman interface to load all the certificates, and then uses the Look Up Certificate assertion together with the Extract Attributes from Certificate assertion to get the expiry date of each one.

  • Sample policy:

The sample policy lists the certificates that have expired, or are going to expire within 30 days, each with its CN and expiry date.

It can be used as the policy for a service endpoint, or for a scheduled task.

  • Sample output:

# curl http://localhost:8080/ccert

-------------------
CN=cert-test.sandbox.google.com,O=Google LLC,L=Mountain View,ST=California,C=US   
2019-10-27T17:31:57.000Z
-------------------
-------------------
CN=tmpkey01   
2020-07-10T04:20:21.000Z
-------------------
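
A monitoring job can consume this output directly. The following is an added example (not part of the original article or its attached policy) that parses the DN line / expiry line layout shown above and separates certificates that have already expired from those that are about to. The function names, the 0/1/2 status codes and the fixed clock are assumptions for illustration; the sample text is copied from the output above.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the response body from the article's sample output.
SAMPLE = """\
-------------------
CN=cert-test.sandbox.google.com,O=Google LLC,L=Mountain View,ST=California,C=US
2019-10-27T17:31:57.000Z
-------------------
-------------------
CN=tmpkey01
2020-07-10T04:20:21.000Z
-------------------
"""

def parse_report(text):
    """Return [(subject_dn, expiry_utc)]; ValueError if the layout is not DN/date pairs."""
    # Separator rows are all dashes; blank lines and padding carry nothing.
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and set(ln) != {"-"}]
    if len(lines) % 2:
        raise ValueError("report ends with a subject that has no expiry line")
    records = []
    for dn, stamp in zip(lines[0::2], lines[1::2]):
        expiry = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ")
        records.append((dn, expiry.replace(tzinfo=timezone.utc)))
    return records

def classify(records, now, warn_days=30):
    """Split records into expired and expiring-within-warn_days, soonest first."""
    expired, expiring = [], []
    for dn, expiry in sorted(records, key=lambda r: r[1]):
        if expiry <= now:
            expired.append((dn, expiry))
        elif expiry - now <= timedelta(days=warn_days):
            expiring.append((dn, expiry))
    return expired, expiring

def exit_code(expired, expiring):
    """Assumed status convention: 2 = expired, 1 = expiring soon, 0 = clean."""
    return 2 if expired else 1 if expiring else 0

if __name__ == "__main__":
    # Fixed clock so the constructed sample gives a repeatable result.
    now = datetime(2020, 6, 30, tzinfo=timezone.utc)
    expired, expiring = classify(parse_report(SAMPLE), now)
    for label, group in (("EXPIRED", expired), ("EXPIRING", expiring)):
        for dn, expiry in group:
            print(f"{label:9} {expiry:%Y-%m-%d} ({(expiry - now).days:+d}d) {dn}")
    raise SystemExit(exit_code(expired, expiring))
```

In a live check, replace `SAMPLE` with the body returned by the endpoint and pass `datetime.now(timezone.utc)` as `now`.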

Additional Information

https://knowledge.broadcom.com/external/article?articleId=57267

Attachments

1593557180909__certExpiry.xml