Objective
This article describes how to handle certificate expiry on Citrix ADC.
Instructions
An “Expiry Monitor” configured on the ADC appliance creates entries in the appliance's syslog and nsaudit logs at midnight when a certificate configured on the appliance is due to expire. The expiry event is logged only once.
There are two ways to monitor certificate expiry.
1. Using the “Notify When Expires” option in ADC
Step 1: Traffic Management -> SSL -> Certificates -> select the certificate and click Update
Step 2: Select Notify When Expires, specify a notification period (number of days) and click OK.
Selecting the “Notify When Expires” option enables the “Expiry Monitor”, which is associated with the SSL certificate expiry SNMP trap (sslCertificateExpiry). Enabling this option on the NetScaler appliance creates entries in the appliance's syslog and nsaudit logs when a certificate configured on the appliance is due to expire. By default, these logs are written to /var/log/ns.log.
Example:
root@ns# grep sslCertificateExpiry /var/log/ns.log
Jan 17 00:00:41 <local0.info> 192.168.180.139 01/16/2018:16:00:41 GMT ns 0-PPE-0 : default SNMP TRAP_SENT 259058 0 : sslCertificateExpiry (sslCertKeyName.kgs = "kgs", sslDaysToExpire.kgs = 100, nsPartitionName = default)
To enable an expiry monitor for a certificate by using the command line interface, at the command prompt type:
- set ssl certKey <certkeyName> [-expiryMonitor ENABLED] [-notificationPeriod <positive_integer>]
- sh ssl certKey
Tip: if you just want to test the sslCertificateExpiry function by changing the appliance date, remember to reboot the device with "> reboot -warm" afterwards; then do not reboot again and wait for the SNMP trap, which is sent at 00:00 on the next expiry day.
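As an added example that is not part of this article or of Citrix's own tooling, the following Python parses sslCertificateExpiry trap lines in the ns.log format shown above (the sample lines are constructed: the first is the article's example, the second certificate key "web" and the unrelated trap are assumed). Because the trap is logged only once, it recomputes each certificate's expiry date from the trap timestamp so that a check run on a later day still reports the correct number of days left.

```python
import re
from datetime import datetime, timedelta

# Matches the sslCertificateExpiry trap line that the ADC writes to /var/log/ns.log.
TRAP_RE = re.compile(
    r'(?P<ts>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}) GMT .*?'
    r'sslCertificateExpiry \(sslCertKeyName\.\S+ = "(?P<name>[^"]+)", '
    r'sslDaysToExpire\.\S+ = (?P<days>\d+), nsPartitionName = (?P<part>[^)]+)\)'
)

# Constructed sample: line 1 is the article's own example; lines 2 and 3 are made up
# (a second cert key "web", and an unrelated trap that must be ignored).
SAMPLE_LINES = [
    'Jan 17 00:00:41 <local0.info> 192.168.180.139 01/16/2018:16:00:41 GMT ns 0-PPE-0 : '
    'default SNMP TRAP_SENT 259058 0 : sslCertificateExpiry (sslCertKeyName.kgs = "kgs", '
    'sslDaysToExpire.kgs = 100, nsPartitionName = default)',
    'Jan 17 00:00:41 <local0.info> 192.168.180.139 01/16/2018:16:00:41 GMT ns 0-PPE-0 : '
    'default SNMP TRAP_SENT 259059 0 : sslCertificateExpiry (sslCertKeyName.web = "web-prod", '
    'sslDaysToExpire.web = 20, nsPartitionName = default)',
    'Jan 17 00:00:42 <local0.info> 192.168.180.139 01/16/2018:16:00:42 GMT ns 0-PPE-0 : '
    'default SNMP TRAP_SENT 259060 0 : coldStart',
]


def parse_expiry_trap(line):
    """Return the trap's fields, or None if the line is not an expiry trap."""
    m = TRAP_RE.search(line)
    if not m:
        return None
    sent = datetime.strptime(m.group("ts"), "%m/%d/%Y:%H:%M:%S")
    days = int(m.group("days"))  # days-to-expire as of the moment the trap fired
    return {
        "cert": m.group("name"),
        "partition": m.group("part").strip(),
        "days_to_expire": days,
        "expires_on": (sent + timedelta(days=days)).date(),
    }


def certs_expiring_within(lines, max_days, today):
    """(cert, days_left) for certs expiring within max_days of `today`, soonest first.
    Negative days_left means already expired. The trap is logged only once, so the
    expiry date is recomputed from the trap timestamp rather than read off the line."""
    out = []
    for line in lines:
        t = parse_expiry_trap(line)
        if t is not None and (t["expires_on"] - today).days <= max_days:
            out.append((t["cert"], (t["expires_on"] - today).days))
    return sorted(out, key=lambda item: item[1])
```

Feed it the output of `grep sslCertificateExpiry /var/log/ns.log` and today's date to get a list of certificates that need attention, including ones whose trap fired weeks ago.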
2. Using “Notification Settings” option on ADM
For setting up notifications using ADM, follow the steps mentioned here.
Additional Resources
Create Certificate Signing Request: CTX211887
For instructions on how to update an existing SSL certificate, click here.
Background
An SSL certificate is valid for a specific period of time. A typical deployment includes multiple virtual servers that process SSL transactions, and the certificates bound to them can expire at different times. SSL certificates are important for a server to maintain the confidentiality of data, and a company’s reputation and credibility can be damaged when users encounter a website with an expired SSL certificate. It is therefore critical to monitor certificate expiry and keep certificates up to date.