OpenSSL command shows incorrect certificate expiration date for Edge SWG


Article ID: 437193


Products

ISG Proxy

Issue/Introduction

When verifying the SSL certificate expiration date on an Edge SWG appliance using the openssl s_client command, the output displays incorrect dates that do not match the certificates stored on the appliance.

For example, the following command returns false values for certificate validity:

echo | openssl s_client -servername <SG-FQDN> -connect <SG-FQDN>:443 | openssl x509 -text -noout

Environment

Edge SWG

Cause

The command is connecting to port 443, which may be associated with a different service (such as a forwarding or reverse proxy service) rather than the Management Console (HTTPS-Console) service.

Resolution

To retrieve the correct certificate information for the Management Console, you must specify the correct management port (typically 8082).

Review this command before running it:

echo | openssl s_client -servername <SG-FQDN> -connect <SG-FQDN>:8082 | openssl x509 -text -noout

Alternatively, the dates may be viewed from:

  1. Web Management Console
    1. Navigate to Configuration > SSL > Keyrings and look at the "Certificate Expiry" column to confirm the expiration date.
  2. CLI
    1. Run the command:
      # show ssl keyring <keyring_name>
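
The port mismatch described under Cause can be confirmed by fetching the certificate from each port and comparing fingerprints and expiry dates. The script below is an added example, not part of the original article: the function names and the 30-day warning threshold are assumptions, and the host and ports (for example 443 and 8082) are supplied on the command line.

```shell
#!/bin/sh
# Added example (not from the article): compare the certificate served on
# each port of one host. Host and ports come from the command line.

# Fetch the leaf certificate (PEM) presented on host:port.
fetch_cert() {
    openssl s_client -servername "$1" -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -outform PEM 2>/dev/null
}

# Read one PEM certificate on stdin; print "sha256-fingerprint|notAfter|subject".
cert_summary() {
    local pem fp end subj
    pem=$(cat)
    fp=$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 1
    end=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate 2>/dev/null) || return 1
    subj=$(printf '%s\n' "$pem" | openssl x509 -noout -subject 2>/dev/null) || return 1
    printf '%s|%s|%s\n' "${fp#*=}" "${end#notAfter=}" "${subj#subject=}"
}

# Succeed if the PEM certificate on stdin expires within $1 days.
expires_within() {
    ! openssl x509 -noout -checkend "$(($1 * 86400))" >/dev/null 2>&1
}

# Summarise each port; flag ports whose certificate differs from the first port's.
compare_ports() {
    local host port pem summary first
    host=$1; first=""; shift
    for port in "$@"; do
        pem=$(fetch_cert "$host" "$port")
        if ! summary=$(printf '%s\n' "$pem" | cert_summary); then
            echo "$host:$port  no certificate retrieved"
            continue
        fi
        echo "$host:$port  $summary"
        if [ -z "$first" ]; then first=${summary%%|*}; fi
        if [ "${summary%%|*}" != "$first" ]; then
            echo "  -> not the same certificate as the first port listed"
        fi
        # 30 days is an assumed warning threshold.
        if printf '%s\n' "$pem" | expires_within 30; then
            echo "  -> expires within 30 days"
        fi
    done
}

# Example: sh compare_ports.sh <SG-FQDN> 443 8082
if [ "$#" -ge 2 ]; then compare_ports "$@"; fi
```

A fingerprint on 8082 that differs from the one on 443 confirms that the two ports are served by different services with different certificates.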