09-20-2017 03:13 PM - edited 03-17-2019 11:12 AM
Does anyone have any bright ideas on how to get proactive alerts prior to certificates expiring on things like CUCM, CUPS, Conductor, VCS, etc.?
So what I am after is, for instance, an email alert, alerting the sys admins, say, 1 month in advance that a security certificate is about to expire, so a new one can be uploaded in a controlled manner, rather than the cert expiring and breaking TLS on trunks, for instance.
Please note that these are for certs that are internally signed, so I can't do, for instance, RapidSSL cert tracking.
Guaranteed rating on anyone with a meaningful answer
09-20-2017 03:57 PM
CUCM and other products that share the same blueprint already do that.
Certificates should be regenerated before they expire. When the certificates are about to expire you will receive warnings in RTMT (Syslog Viewer) and an email with notification will be sent if configured.
09-20-2017 06:01 PM - edited 09-20-2017 06:03 PM
You can also set up CertMon. I can't remember the exact name right now, but you view it from the same place where you do other cert steps.
If I remember right, this allows you to set up a point at which you get an "early warning" on an upcoming expiration date.
Just looked it up...it is called Certificate Monitor and here is how you set it up.
Use this procedure to configure your system to automatically send you an email message when a certificate is close to its expiration date.
Procedure
Step 1: From Cisco Unified OS Administration, choose Security > Certificate Monitor.
Step 2: In the Notification Start Time, enter a numeric value. This value is the number of days before you receive a notification through email.
Step 3: In the Notification Frequency, enter a numeric value and choose Days or Hours.
Step 4: (Optional) Check Enable E-mail notification, and then enter email addresses in the E-mail IDs field.
Step 5: Click Save.
09-20-2017 07:33 PM
09-20-2017 06:23 PM
We use PRTG for monitoring, and it includes an SSL sensor that monitors certificate age.
02-04-2020 02:59 PM
If you're still watching this thread... can you please tell me what IP/URL you point PRTG to so you can monitor certs?
The certificates presented for the web administration consoles are not the same certificates used for Jabber for example, and I haven't been able to find what IP/port to point a PRTG SSL sensor to so I can monitor the tomcat cert.
05-15-2020 08:32 AM
wilson,
Did you figure it out? I need a way to list all CUCM cert expiration dates. I have AXL working, but I don't find a 'get cert list' or anything similar. I was hoping there was a way with CLI or even SQL. Too many to do via GUI.
thanks
05-15-2020 10:18 AM
For CVOS systems you can set up notification in the OS admin web UI for certificate expiration.
05-15-2020 11:27 AM
I really need a way to put all the certs from my 50 nodes into one big spreadsheet so I can sort by the upcoming expiration dates. So I was looking for AXL or CLI or even SQL, as I can script that. I start it, go do something else for 20 minutes, come back and import the list.
I found a way to do it in CLI but it's messy and needs a bunch of tweaking. If SQL can list them out with exp dates that would be a nice improvement. Or if AXL could pull a list with dates that would be the easiest. Hey can AXL run SQL queries? I think I heard that it can....
Any ideas for how to capture this list?
05-15-2020 11:52 AM
There are two variants of AXL, thick and thin. Doing SQL queries would be thin.
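Added example, not part of the original thread and not a Cisco tool: one way to build the sortable expiry list asked for above by reading the certificate each TLS endpoint presents and flagging anything inside the 1-month window from the first post. The hostnames, ports and the internal CA bundle path are assumptions; which port presents which certificate on a given node has to be confirmed locally.

```python
import csv, io, socket, ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # the "1 month in advance" window asked for in the thread

def observe(host, port, cafile, timeout=5):
    """Return (endpoint, notAfter or None, error) for one TLS listener.
    cafile is the internal CA bundle (PEM). Validation stays on, so an
    expired or untrusted certificate is reported as an error string."""
    endpoint = f"{host}:{port}"
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return (endpoint, tls.getpeercert()["notAfter"], "")
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return (endpoint, None, str(exc))

def classify(not_after, now):
    """Return (days_left, status) for an OpenSSL-style notAfter string."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    days_left = (expires - now).days
    if days_left < 0:
        return days_left, "EXPIRED"
    return days_left, "RENEW" if days_left <= WARN_DAYS else "OK"

def build_report(observations, now):
    """Rows sorted soonest-expiry first; endpoints that failed come first."""
    rows = []
    for endpoint, not_after, error in observations:
        if not_after is None:
            rows.append((endpoint, "", "", "CHECK: " + error))
        else:
            rows.append((endpoint, not_after) + classify(not_after, now))
    return sorted(rows, key=lambda r: (r[2] != "", r[2] if r[2] != "" else 0))

def to_csv(rows):
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["endpoint", "not_after", "days_left", "status"])
    writer.writerows(rows)
    return buf.getvalue()

# Constructed sample observations (hypothetical node names, not real hosts).
SAMPLE_NOW = datetime(2020, 5, 15, tzinfo=timezone.utc)
SAMPLE = [
    ("cucm-pub.example.internal:8443", "Jun  1 12:00:00 2020 GMT", ""),
    ("cucm-sub1.example.internal:8443", "Mar  3 00:00:00 2022 GMT", ""),
    ("vcs-c.example.internal:443", None, "certificate has expired"),
]
if __name__ == "__main__":
    print(to_csv(build_report(SAMPLE, SAMPLE_NOW)))
```

For a live run, replace `SAMPLE` with `[observe(host, port, cafile) for host, port in nodes]` and pass `datetime.now(timezone.utc)` as `now`.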