Automatic Certificate Expiration Notification

Article ID: 404136

Updated On:

Products

CA API Gateway

Issue/Introduction

Looking for improved certificate notification for certificates that are about to expire. The current method is to log in to the policy managers, review the expiring certificates, then replace 

Environment

Gateway 11.x

Resolution

Docs for Automatic Certificate Expiration Notification

From the docs:

In addition to the Expiration Date shown on the Manage Certificates dialog, the Layer7 API Gateway can alert if a trusted certificate has expired or will expire imminently. When the Layer7 API Gateway is started and every 12 hours (default setting) subsequently, it will check for impending certificate expiration:

Cluster-wide properties that control the alerts (the alerts are sent to the audit event database and the SSG log):

trustedCert.expiryCheckPeriod   (default 12h)

trustedCert.expiryFineAge  (default 30d)

trustedCert.expiryInfoAge (default 7d)

trustedCert.expiryWarningAge (default 2d)

Recommendation: change the warning age to 7d:

trustedCert.expiryWarningAge=7d

Next step: send the logs to Splunk, then monitor for the messages below to drive email alert notification:

The audit occurs at Gateway restart and then at the interval set by the cluster-wide property (CWP) trustedCert.expiryCheckPeriod=12h

Certificate expiring in less than 2 days message:

2025-07-14T09:46:07.635-0700 WARNING 48  com.l7tech.server.identity.cert.TrustedCertManagerImp: 2154: Trusted certificate #03967c2ced5a4de04add32c116b29f5e (1.2.840.113549.1.9.1=<admineMail>,cn=server1.<certificate subjectDN>) will expire in 46.7 hours

Certificate expiring in less than 7 days message:

2025-07-14T09:46:07.635-0700 INFO    48  com.l7tech.server.identity.cert.TrustedCertManagerImp: 2153: Trusted certificate #03967c2ced5a4de04add32c116b29fba (1.2.840.113549.1.9.1=<admineMail>,cn=server2.<certificate subjectDN>) will expire in 6.0 days

2025-07-14T09:46:07.635-0700 INFO    48  com.l7tech.server.identity.cert.TrustedCertManagerImp: 2153: Trusted certificate #03967c2ced5a4de04add32c116b29ffe (1.2.840.113549.1.9.1=<admineMail>,cn=server3.<certificate subjectDN>) will expire in 6.0 days

Certificate expiring in less than 30 days message:

2025-07-14T09:46:07.635-0700 FINE    48  com.l7tech.server.identity.cert.TrustedCertManagerImp: 2152: Trusted certificate #03967c2ced5a4de04add32c116b2a002 (1.2.840.113549.1.9.1=<admineMail>,cn=server4.<certificate subjectDN>) will expire in 29.0 days

2025-07-14T09:46:07.635-0700 WARNING 48  com.l7tech.server: One or more trusted certificates has expired or is expiring soon

Recommendation: change the WARNING threshold to 7 days. This provides a week to change the certificate.
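
One way to turn the log messages above into an alert list, shown as an added example (not Broadcom's code or part of the product). It parses the per-certificate lines, keeps only the latest line per certificate because the check repeats every trustedCert.expiryCheckPeriod, and returns the certificates inside a 7-day window. The function names and the sample log lines are constructed for illustration.

```python
import re

# Per-certificate expiry line, in the format of the log samples in this article.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>WARNING|INFO|FINE)\s+\d+\s+"
    r"com\.l7tech\.server\.identity\.cert\.\S+:\s+(?P<msg_id>\d+):\s+"
    r"Trusted certificate #(?P<cert_id>[0-9a-f]+) \((?P<subject>.*)\) "
    r"will expire in (?P<amount>\d+(?:\.\d+)?) (?P<unit>hours?|days?)\s*$"
)

def parse_expiry_line(line):
    """Return a dict for a per-certificate expiry line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    amount = float(m["amount"])
    hours = amount if m["unit"].startswith("hour") else amount * 24
    return {"timestamp": m["ts"], "level": m["level"],
            "msg_id": int(m["msg_id"]), "cert_id": m["cert_id"],
            "subject": m["subject"], "hours_left": hours}

def certs_to_alert(lines, threshold_days=7.0):
    """Certificates expiring within threshold_days, most urgent first."""
    # The same certificate is logged at every check; keep its latest line only.
    latest = {}
    for line in lines:  # assumes lines arrive in chronological order
        rec = parse_expiry_line(line)
        if rec:
            latest[rec["cert_id"]] = rec
    due = [r for r in latest.values() if r["hours_left"] <= threshold_days * 24]
    return sorted(due, key=lambda r: r["hours_left"])

# Constructed sample log (certificate IDs and subjects are made up).
_P = "com.l7tech.server.identity.cert.TrustedCertManagerImp"
SAMPLE_LOG = [
    f"2025-07-14T09:46:07.635-0700 FINE    48  {_P}: 2152: Trusted certificate #000000000000000000000000000000a1 (cn=gw-a.example.test) will expire in 29.0 days",
    f"2025-07-14T09:46:07.635-0700 INFO    48  {_P}: 2153: Trusted certificate #000000000000000000000000000000b2 (cn=gw-b.example.test) will expire in 6.0 days",
    f"2025-07-14T09:46:07.635-0700 WARNING 48  {_P}: 2154: Trusted certificate #000000000000000000000000000000c3 (cn=gw-c.example.test) will expire in 46.7 hours",
    "2025-07-14T09:46:07.635-0700 WARNING 48  com.l7tech.server: One or more trusted certificates has expired or is expiring soon",
    f"2025-07-14T21:46:07.635-0700 INFO    48  {_P}: 2153: Trusted certificate #000000000000000000000000000000b2 (cn=gw-b.example.test) will expire in 5.5 days",
    "2025-07-14T21:50:00.000-0700 INFO    48  unrelated line",
]

if __name__ == "__main__":
    for r in certs_to_alert(SAMPLE_LOG):
        print(f"{r['cert_id']} {r['subject']}: {r['hours_left']:.1f}h left")
```

The same pattern can be reused as the extraction regex in a log platform's saved search; the summary line from com.l7tech.server carries no certificate ID and is deliberately not matched.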

 

Or, if you are not using syslog/Splunk, you can review the following article, KB57267:

“Generating Email Alerts for Expiring Trusted Certificates” uses an Audit Sink Policy and an email assertion to send alerts.