IMAG CERT Command to get the certificate expiration for the components
Article ID: 72222
Updated On:
Products
CA Identity Manager
CA Identity Governance
CA Identity Portal
Issue/Introduction
Need the command to check the certificate expiration for the components mentioned below :
Provisioning Server
Provisioning Manager
Connector server
Connector Express
Provisioning Directory
CA Directory
Jboss
Provisioning Server
Provisioning Manager
Connector server
Connector Express
Provisioning Directory
CA Directory
Jboss
Environment
Release:
Component: IDMGR
Component: IDMGR
Resolution
Provisioning Server
=================
On each provisioning server, running the below command will show if the expiration date is Oct 6 '2017.
C:\Program Files (x86)\CA\Identity Manager\Provisioning Server\data\tls>..\..\bin\openssl x509 -enddate -noout -in et2_cacert.pem
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
notAfter=Oct 6 08:25:50 2017 GMT -> in this example, this means certificate expired on Oct 6'2017
Provisioning Manager
===================
Similar to the above command, except different "tls" folder:
C:\Program Files (x86)\CA\Identity Manager\Provisioning Manager\data\tls>..\..\bin\openssl x509 -enddate -noout -in et2_cacert.pem
Connector server and Connector Express
====================================
Run those two command for client and server certs:
keytool -list -v -alias eta2_client -keystore "<path to \CA\Identity Manager\Connector Server\jcs\conf>\ssl.keystore"
enter the JCS connector password when being prompted for the keystore password.
and
keytool -list -v -alias eta2_server -keystore "<path to \CA\Identity Manager\Connector Server\jcs\conf>\ssl.keystore"
enter the JCS connector password when being prompted for the keystore password.
In the output of those command, look for the line below:
Valid from: xxxxxxxxxx until: xxxxxx
Provisioning Directory and CA Directory
====================================
On the machines where the Provisioning Directory is installed, open a command prompt and run the command:
dxcertgen report
This command will list all the certificates and their validity dates. Expired certificates will be marked as invalid. Here is an example:
- <hostname>-impd-notify.pem -
certificate : 1
version : 3
serialNum : 311
issuer : /C=US/ST=NY/L=Islandia/O=Identity Management/OU=Provisioning Servi
ces
notBefore : Nov 28 18:26:00 2007 GMT
notAfter : Nov 25 18:26:00 2017 GMT
subject : /C=US/ST=NY/O=Identity Management/OU=Provisioning Services/CN=eta_
server
status : *** INVALID ***
- <hostname>-imps-router.pem -
certificate : 1
version : 3
serialNum : 311
issuer : /C=US/ST=NY/L=Islandia/O=Identity Management/OU=Provisioning Servi
ces
notBefore : Nov 28 18:26:00 2007 GMT
notAfter : Nov 25 18:26:00 2017 GMT
subject : /C=US/ST=NY/O=Identity Management/OU=Provisioning Services/CN=eta_
server
status : *** INVALID ***
If the certificates have not expired, take note of the notAfter date for future reference.
Jboss
=======
This is depends on two things:
a) If connection between IM and provisioning server is on SSL or non-SSL. If it is not SSL, then no need to check.
b) If it is on SSL, then how JBoss keystore is setup by the customer, i.e a dedicated keystore (which CA Support will not know where about it is) or a JDK default keystore.
By default, JBoss keystore is called cacerts in the JDK path where JBoss is pointing to, for example
keytool -list -v -alias <name of the provisioning root cert> -keystore "C:\Program Files\Java\jdk1.7.0_79\jre\lib\security\cacerts"
The default password for cacerts is "changeit" unless it has been changed by customer.
In the output, check the value in Valid from: xxxxxxxxxx until: xxxxxx
For the custom keystore, customer can use the same command above but replace the value for -keystore with appropriate path and name.
=========================
=================
On each provisioning server, running the below command will show if the expiration date is Oct 6 '2017.
C:\Program Files (x86)\CA\Identity Manager\Provisioning Server\data\tls>..\..\bin\openssl x509 -enddate -noout -in et2_cacert.pem
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
notAfter=Oct 6 08:25:50 2017 GMT -> in this example, this means certificate expired on Oct 6'2017
Provisioning Manager
===================
Similar to the above command, except different "tls" folder:
C:\Program Files (x86)\CA\Identity Manager\Provisioning Manager\data\tls>..\..\bin\openssl x509 -enddate -noout -in et2_cacert.pem
Connector server and Connector Express
====================================
Run those two command for client and server certs:
keytool -list -v -alias eta2_client -keystore "<path to \CA\Identity Manager\Connector Server\jcs\conf>\ssl.keystore"
enter the JCS connector password when being prompted for the keystore password.
and
keytool -list -v -alias eta2_server -keystore "<path to \CA\Identity Manager\Connector Server\jcs\conf>\ssl.keystore"
enter the JCS connector password when being prompted for the keystore password.
In the output of those command, look for the line below:
Valid from: xxxxxxxxxx until: xxxxxx
Provisioning Directory and CA Directory
====================================
On the machines where the Provisioning Directory is installed, open a command prompt and run the command:
dxcertgen report
This command will list all the certificates and their validity dates. Expired certificates will be marked as invalid. Here is an example:
- <hostname>-impd-notify.pem -
certificate : 1
version : 3
serialNum : 311
issuer : /C=US/ST=NY/L=Islandia/O=Identity Management/OU=Provisioning Servi
ces
notBefore : Nov 28 18:26:00 2007 GMT
notAfter : Nov 25 18:26:00 2017 GMT
subject : /C=US/ST=NY/O=Identity Management/OU=Provisioning Services/CN=eta_
server
status : *** INVALID ***
- <hostname>-imps-router.pem -
certificate : 1
version : 3
serialNum : 311
issuer : /C=US/ST=NY/L=Islandia/O=Identity Management/OU=Provisioning Servi
ces
notBefore : Nov 28 18:26:00 2007 GMT
notAfter : Nov 25 18:26:00 2017 GMT
subject : /C=US/ST=NY/O=Identity Management/OU=Provisioning Services/CN=eta_
server
status : *** INVALID ***
If the certificates have not expired, take note of the notAfter date for future reference.
Jboss
=======
This is depends on two things:
a) If connection between IM and provisioning server is on SSL or non-SSL. If it is not SSL, then no need to check.
b) If it is on SSL, then how JBoss keystore is setup by the customer, i.e a dedicated keystore (which CA Support will not know where about it is) or a JDK default keystore.
By default, JBoss keystore is called cacerts in the JDK path where JBoss is pointing to, for example
keytool -list -v -alias <name of the provisioning root cert> -keystore "C:\Program Files\Java\jdk1.7.0_79\jre\lib\security\cacerts"
The default password for cacerts is "changeit" unless it has been changed by customer.
In the output, check the value in Valid from: xxxxxxxxxx until: xxxxxx
For the custom keystore, customer can use the same command above but replace the value for -keystore with appropriate path and name.
=========================
Feedback
Yes
No
Powered by
