How to configure SNMP trap for Cert-Expiry Notification



Article ID: CTX205330


Description

An SNMP trap should be generated by the NetScaler when a certificate's expiry notification period is reached. The trap is sent to the configured SNMP trap receiver so that the network administrator is notified that an installed certificate is about to expire.


Instructions

NetScaler configuration for this is as below:

add snmp trap generic <SNMP client/trap receiver IP address> -communityName <...>

set snmp option -snmpTrapLogging ENABLED
set snmp alarm SSL-CERT-EXPIRY -logging ENABLED


In the above configuration the community name must be the same as the one configured on the SNMP trap receiver.


When the SNMP trap is sent:

Case 1: The certificate being installed is already in its expiry notification period:

When the certificate being uploaded is already in its expiry notification period, the trap is sent as soon as the command is run.

For example: if the certificate expires on 30/9/2015 and the notification period is set to 15 days as below:

add ssl certkey rsa_1 -cert rsa_c -key rsa_k -notificationPeriod 15 -expiryMonitor ENABLED

then if the above command is run after 16th Sep 2015, the trap is generated as soon as the command is executed.

Case 2: The certificate being installed is not yet in its expiry notification period:

When the certificate being uploaded is not yet in its notification period, the SNMP trap is generated at midnight after the notification period is entered.

For example: if the certificate expires on 30/9/2015 and the notification period is set to 15 days as below:

add ssl certkey rsa_1 -cert rsa_c -key rsa_k -notificationPeriod 15 -expiryMonitor ENABLED

then if the above command is run before 16th Sep, say on 14th Sep, the trap is generated at midnight of 16th Sep (at 0000 hours, between 16th and 17th Sep). The notification period is entered some time during 16th Sep.

Issue/Introduction

This article describes how to configure an SNMP trap that is generated when a certificate's expiry notification period is reached.

Additional Information

Some FAQs:

1. How can we check the current notification period of an SSL certificate and other details?
ANS: Use the show ssl certkey command, whose output is as below:


Name: test.cer

    Cert Path: /nsconfig/ssl/ROOT-CA-CERTIFICATE.cer

    Format: PEM

    Status: Valid,   Days to expiration:19

    Certificate Expiry Monitor: ENABLED

    Expiry Notification period: 15 days

 Done


2. Do we get any event logs on the NetScaler when the trap is generated?

ANS: Once the trap is generated, the following events appear in ns.log:


Oct  4 19:00:01 <local0.notice> A.B.C.D 10/04/2015:23:00:01 GMT GLEEXTLB02 0-PPE-0 : SSLLOG SSL_CERT_EXPIRY_IMMINENT 153 0 :  CertificateKeyPair test.cer - DaysToExpire 12

Oct  4 19:00:01 <local0.info> A.B.C.D 10/04/2015:23:00:01 GMT GLEEXTLB02 0-PPE-0 : SNMP TRAP_SENT 154 0 :  sslCertificateExpiry (sslCertKeyName.test.cer = "test.cer", sslDaysToExpire.test.cer = 12, sysIpAddress = A.B.C.D)
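A practitioner monitoring ns.log usually wants to confirm that every SSL_CERT_EXPIRY_IMMINENT event is followed by a matching sslCertificateExpiry trap (if it is not, trap logging or the alarm is typically not enabled). The following parser is an added example, not part of this article or of NetScaler itself; the sample log lines are constructed from the excerpt above, with a hypothetical second certkey "rsa_1" and placeholder hostname/IP.

```python
import re
from datetime import datetime

# Constructed sample ns.log excerpt (placeholders: hostname GLEEXTLB02, IP A.B.C.D).
# The third line has an expiry-imminent event with no corresponding TRAP_SENT line.
SAMPLE_NSLOG = """\
Oct  4 19:00:01 <local0.notice> A.B.C.D 10/04/2015:23:00:01 GMT GLEEXTLB02 0-PPE-0 : SSLLOG SSL_CERT_EXPIRY_IMMINENT 153 0 :  CertificateKeyPair test.cer - DaysToExpire 12
Oct  4 19:00:01 <local0.info> A.B.C.D 10/04/2015:23:00:01 GMT GLEEXTLB02 0-PPE-0 : SNMP TRAP_SENT 154 0 :  sslCertificateExpiry (sslCertKeyName.test.cer = "test.cer", sslDaysToExpire.test.cer = 12, sysIpAddress = A.B.C.D)
Oct  5 19:00:01 <local0.notice> A.B.C.D 10/05/2015:23:00:01 GMT GLEEXTLB02 0-PPE-0 : SSLLOG SSL_CERT_EXPIRY_IMMINENT 155 0 :  CertificateKeyPair rsa_1 - DaysToExpire 3
"""

# SSLLOG message: capture the GMT timestamp, the certkey name and the days left.
EXPIRY_RE = re.compile(
    r"(\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}) GMT .*?SSLLOG SSL_CERT_EXPIRY_IMMINENT "
    r".*?CertificateKeyPair (\S+) - DaysToExpire (\d+)"
)
# SNMP TRAP_SENT message for the sslCertificateExpiry trap: certkey name and days left.
TRAP_RE = re.compile(
    r"SNMP TRAP_SENT .*?sslCertificateExpiry \(sslCertKeyName\.\S+ = \"([^\"]+)\", "
    r"sslDaysToExpire\.\S+ = (\d+)"
)


def parse_cert_expiry_events(log_text):
    """Return (imminent, traps): imminent maps certkey -> (GMT timestamp, days to
    expire) from SSLLOG events; traps maps certkey -> days from traps actually sent."""
    imminent, traps = {}, {}
    for line in log_text.splitlines():
        m = EXPIRY_RE.search(line)
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%Y:%H:%M:%S")
            imminent[m.group(2)] = (ts, int(m.group(3)))
            continue
        m = TRAP_RE.search(line)
        if m:
            traps[m.group(1)] = int(m.group(2))
    return imminent, traps


def unsent_expiry_traps(log_text):
    """Certkeys that logged an expiry-imminent event but never produced a trap."""
    imminent, traps = parse_cert_expiry_events(log_text)
    return sorted(name for name in imminent if name not in traps)


def certs_expiring_within(log_text, max_days):
    """(certkey, days) pairs whose logged days-to-expire is at or below max_days."""
    imminent, _ = parse_cert_expiry_events(log_text)
    return sorted((name, days) for name, (_, days) in imminent.items() if days <= max_days)
```

Feeding a real ns.log export to unsent_expiry_traps() is a quick check that the alarm and trap logging configured above are actually producing traps, not just syslog entries.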