Dennis Mink
Advisor

Certificate expiration warnings

Does anyone have any bright ideas on how to get proactive alerts prior to certificates expiring, on things like CUCM, CUPS, Conductor, VCS etc.?

 

So what I am after is, for instance, an email alert, alerting the sys admins, say, 1 month in advance that a security certificate is about to expire, so a new one can be uploaded in a controlled manner, rather than the cert expiring and breaking TLS on trunks, for instance.

 

Please note that these are for certs that are internally signed, so I can't do, for instance, rapidSSL cert tracking.

 

Guaranteed rating on anyone with a meaningful answer.

Please remember to rate useful posts, by clicking on the stars below.

Jaime Valencia
Hall of Fame Cisco Employee

CUCM and other products that share the same blueprint already do that.

 

Certificates should be regenerated before they expire. When the certificates are about to expire you will receive warnings in RTMT (Syslog Viewer) and an email with notification will be sent if configured.

https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/200199-CUCM-Certificate-Regeneration-Renewal-Pr.html

HTH

java

If this helps, please rate.

You can also set up CertMon. I can't remember the exact name right now, but you view it from the same place where you do other cert steps.

 

If I remember right, this allows you to set up a point at which you get an "early warning" on an upcoming expiry date.

 

Just looked it up...it is called Certificate Monitor and here is how you set it up. 

 

Monitor Certificate Expiration

Use this procedure to configure your system to automatically send you an email message when a certificate is close to its expiration date.

Procedure


Step 1  From Cisco Unified OS Administration, choose Security > Certificate Monitor.
Step 2  In the Notification Start Time, enter a numeric value. This value is the number of days before you receive a notification through email.
Step 3  In the Notification Frequency, enter a numeric value and choose Days or Hours.
Step 4  (Optional) Check Enable E-mail notification, and then enter email addresses in the E-mail IDs field.
Step 5  Click Save.

OP, this is what you want to do. Caveat being, you also need to configure SMTP in UCM for this to work, but it is the best built-in way to alert on expiring certs.
Philip D'Ath
Advisor

We use PRTG for monitoring, and it includes an SSL sensor that monitors certificate age.

https://www.paessler.com/prtg

If you're still watching this thread... can you please tell me what IP/URL you point PRTG to so you can monitor certs?

 

The certificates presented for the web administration consoles are not the same certificates used for Jabber for example, and I haven't been able to find what IP/port to point a PRTG SSL sensor to so I can monitor the tomcat cert.

wilson,

 

Did you figure it out?  I need a way to list all CUCM cert expiration dates.  I have AXL working, but I don't find a 'get cert list' or anything similar.  I was hoping there was a way with CLI or even SQL.  Too many to do via GUI. 

 

thanks

Roger Kallberg
VIP Mentor

For CVOS systems you can set up notification in the OS admin web UI for certificate expiration.


I really need a way to put all the certs from my 50 nodes into one big spreadsheet so I can sort by the upcoming expiration dates.  So I was looking for AXL or CLI or even SQL, as I can script that.  I start it, go do something else for 20 minutes, come back and import the list. 

 

I found a way to do it in CLI but it's messy and needs a bunch of tweaking.  If SQL can list them out with exp dates that would be a nice improvement.  Or if AXL could pull a list with dates that would be the easiest.  Hey, can AXL run SQL queries?  I think I heard that it can....

 

Any ideas for how to capture this list?

There are two variants of AXL, thick and thin. Doing SQL queries would be thin.
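For the multi-node inventory asked about in this thread, one network-side approach (the same idea as an external SSL sensor) is sketched below as an added example; it is not code from any poster or from Cisco. It assumes you supply your internal CA bundle as a PEM file and a list of `host:port` TLS listeners, and it uses only the Python standard library.

```python
import csv
import socket
import ssl
import sys
from datetime import datetime, timezone

WARN_DAYS = 30  # the "1 month in advance" window from the original question

def days_remaining(not_after, now):
    """Whole days from `now` until a notAfter string as returned by getpeercert()."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days

def fetch_not_after(host, port, ca_file, timeout=5.0):
    """Return notAfter of the leaf certificate that host:port presents."""
    ctx = ssl.create_default_context(cafile=ca_file)  # trust only the internal CA
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def build_report(results, now, warn_days=WARN_DAYS):
    """results: (endpoint, notAfter or None, error or None); soonest expiry first."""
    rows = []
    for endpoint, not_after, error in results:
        if error:
            rows.append((endpoint, "", "", "ERROR: " + error))
            continue
        left = days_remaining(not_after, now)
        rows.append((endpoint, not_after, left, "WARN" if left <= warn_days else "OK"))
    # Failed handshakes (already expired, untrusted issuer, unreachable) sort to the top.
    return sorted(rows, key=lambda r: (r[2] != "", r[2] if r[2] != "" else 0))

def main(argv):
    """argv: internal CA bundle (PEM), then host:port endpoints; both supplied by you."""
    ca_file, endpoints = argv[1], argv[2:]
    results = []
    for ep in endpoints:
        host, _, port = ep.rpartition(":")
        try:
            results.append((ep, fetch_not_after(host, int(port), ca_file), None))
        except (OSError, ValueError) as exc:  # ssl.SSLError is a subclass of OSError
            results.append((ep, None, str(exc)))
    rows = build_report(results, datetime.now(timezone.utc))
    out = csv.writer(sys.stdout)
    out.writerow(["endpoint", "not_after", "days_left", "status"])
    out.writerows(rows)
    return 0 if all(r[3] == "OK" for r in rows) else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

As noted earlier in the thread, the certificate on the web administration console is not necessarily the one other services present, so each TLS listener you care about needs its own `host:port` entry. The non-zero exit status lets a scheduler or monitoring job turn any WARN or ERROR row into an alert.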