Looking for improved notification for certificates that are about to expire. The current method is to log in to Policy Manager, review the expiring certificates, then replace them.
Gateway 11.x
Docs for Automatic Certificate Expiration Notification
From the docs:
In addition to the Expiration Date shown on the Manage Certificates dialog, the Layer7 API Gateway can alert if a trusted certificate has expired or will expire imminently. When the Layer7 API Gateway is started and every 12 hours (default setting) subsequently, it will check for impending certificate expiration:
These alerts are sent to the audit event database and the SSG log.
Cluster-wide properties that control the alerts:
trustedCert.expiryCheckPeriod (default 12h)
trustedCert.expiryFineAge (default 30d)
trustedCert.expiryInfoAge (default 7d)
trustedCert.expiryWarningAge (default 2d)
Recommend changing warning to 7d
trustedCert.expiryWarningAge=7d
Next step: Send the logs to Splunk, then monitor for the messages below to trigger email alert notifications.
The audit occurs at Gateway restart and then at the interval set by the cluster-wide property (CWP) trustedCert.expiryCheckPeriod=12h
Certificate expiring in less than 2 days message:
2025-07-14T09:46:07.635-0700 WARNING 48 com.l7tech.server.identity.cert.TrustedCertManagerImp: 2154: Trusted certificate #03967c2ced5a4de04add32c116b29f5e (1.2.840.113549.1.9.1=<admineMail>,cn=server1.<certificate subjectDN>) will expire in 46.7 hours
Certificate expiring in less than 7 days message:
2025-07-14T09:46:07.635-0700 INFO 48 com.l7tech.server.identity.cert.TrustedCertManagerImp: 2153: Trusted certificate #03967c2ced5a4de04add32c116b29fba (1.2.840.113549.1.9.1=<admineMail>,cn=server2.<certificate subjectDN>) will expire in 6.0 days
2025-07-14T09:46:07.635-0700 INFO 48 com.l7tech.server.identity.cert.TrustedCertManagerImp: 2153: Trusted certificate #03967c2ced5a4de04add32c116b29ffe (1.2.840.113549.1.9.1=<admineMail>,cn=server3.<certificate subjectDN>) will expire in 6.0 days
Certificate expiring in less than 30 days message:
2025-07-14T09:46:07.635-0700 FINE 48 com.l7tech.server.identity.cert.TrustedCertManagerImp: 2152: Trusted certificate #03967c2ced5a4de04add32c116b2a002 (1.2.840.113549.1.9.1=<admineMail>,cn=server4.<certificate subjectDN>) will expire in 29.0 days
2025-07-14T09:46:07.635-0700 WARNING 48 com.l7tech.server: One or more trusted certificates has expired or is expiring soon
Recommend changing the WARNING to 7 days; this provides a week to change the certificate.
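The monitoring step described above, as an added example that is not part of the Layer7 documentation or the KB article: Python that parses the per-certificate expiry lines, keeps one entry per certificate ID and lists those at or under a 7-day threshold. The function names and the sample lines are constructed for illustration, and accepting singular "hour"/"day" is an assumption about the message format.

```python
import re

# Shape of the per-certificate expiry lines quoted above.
EXPIRY_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+\d+\s+\S*TrustedCertManager\S*:\s+"
    r"(?P<msg_id>\d+):\s+Trusted certificate #(?P<cert_id>[0-9a-fA-F]+) "
    r"\((?P<subject>.*)\) will expire in (?P<amount>\d+(?:\.\d+)?) "
    r"(?P<unit>hour|day)s?\s*$"  # singular forms are an assumption
)

def parse_expiry(line):
    """Return the fields of one expiry line, or None for any other log line."""
    m = EXPIRY_RE.match(line.strip())
    if not m:
        return None
    hours = float(m["amount"]) * (24 if m["unit"] == "day" else 1)
    return {"ts": m["ts"], "level": m["level"], "msg_id": m["msg_id"],
            "cert_id": m["cert_id"].lower(), "subject": m["subject"], "hours_left": hours}

def certs_to_alert(lines, threshold_days=7):
    """One entry per certificate at or under the threshold, most urgent first."""
    worst = {}  # the check repeats every expiryCheckPeriod, so de-duplicate by ID
    for line in lines:
        rec = parse_expiry(line)
        if rec is None or rec["hours_left"] > threshold_days * 24:
            continue
        seen = worst.get(rec["cert_id"])
        if seen is None or rec["hours_left"] < seen["hours_left"]:
            worst[rec["cert_id"]] = rec
    return sorted(worst.values(), key=lambda r: r["hours_left"])

# Constructed sample lines in the format shown above (IDs and subjects are made up).
SAMPLE_LOG = """\
2025-07-14T09:46:07.635-0700 WARNING 48 com.l7tech.server.identity.cert.TrustedCertManagerImp: 2154: Trusted certificate #000000000000000000000000000000a1 (1.2.840.113549.1.9.1=admin@example.test,cn=server1.example.test) will expire in 46.7 hours
2025-07-14T09:46:07.635-0700 INFO 48 com.l7tech.server.identity.cert.TrustedCertManagerImp: 2153: Trusted certificate #000000000000000000000000000000a2 (cn=server2.example.test) will expire in 6.0 days
2025-07-14T09:46:07.635-0700 FINE 48 com.l7tech.server.identity.cert.TrustedCertManagerImp: 2152: Trusted certificate #000000000000000000000000000000a3 (cn=server4.example.test) will expire in 29.0 days
2025-07-14T21:46:07.635-0700 INFO 48 com.l7tech.server.identity.cert.TrustedCertManagerImp: 2153: Trusted certificate #000000000000000000000000000000a2 (cn=server2.example.test) will expire in 5.5 days
2025-07-14T21:46:07.635-0700 WARNING 48 com.l7tech.server: One or more trusted certificates has expired or is expiring soon
""".splitlines()

if __name__ == "__main__":
    for rec in certs_to_alert(SAMPLE_LOG):
        print(f"{rec['hours_left']:7.1f}h  {rec['cert_id']}  {rec['subject']}")
```

Matching on the message text rather than the log level means the result does not change when trustedCert.expiryWarningAge is raised to 7d.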
Or, if you are not using syslog/Splunk, you can review the following article, KB57267:
"Generating Email Alerts for Expiring Trusted Certificates", which uses an Audit Sink Policy and an email assertion to send alerts.