How to determine an SIC Certificate's expiration date
SIC certificates can be viewed in the Internal CA Management Tool on the Security Management Server / Domain Management Server:
Follow the steps in sk30501 - Setting up the ICA Management Tool and in sk39915 - Invoking the ICA Management Tool.
SIC certificates can be viewed on the Command Line by running the following command on the Security Management Server / Domain Management Server:
[Expert@HostName_MGMT:0]# cpca_client [-d] lscert -kind SIC [-stat Pending|Valid|Revoked|Expired|Renewed] [-dn <SubString>] [-ser <Serial_Number>] [-dp <DP_Number>]
Note: On Provider-1 / Multi-Domain Security Management Server, this command should be run in the context of the relevant Domain Management Server.
Argument              Description
-d                    Run under debug. Output is printed to the current terminal. The entire output can be redirected to a file.
-kind <Cert_KIND>     Filters results for the specified kind: SIC, IKE, User, or LDAP.
-stat <Status>        Filters results for the specified status: Pending, Valid, Revoked, Expired, or Renewed.
-dn <SubString>       Filters results to those whose DN contains the given SubString.
-ser <Serial_Number>  Filters results for the given serial number.
-dp <DP_Number>       Filters results from the given CDP.
Notes:
- The cpca_client lscert command works only on R65 HFA_50 and above.
- To check only the SIC certificate of the Security Management Server / Domain Management Server itself:
  [Expert@HostName_MGMT:0]# cpca_client lscert -kind SIC | grep -A 2 "CN=cp_mgmt,"
- A SIC Certificate is valid for 5 years from its creation. Once 75% of that lifetime has elapsed, it is renewed automatically.
- Currently, there is no SNMP OID that can be queried to check the SIC Certificate expiration date (as a result, there is also no such SNMP Trap). The administrator can extend SNMP with a shell script that executes the above command. Refer to sk90860 - How to configure SNMP on Gaia OS - section "(IV-6) Advanced SNMP configuration - Extend SNMP with shell script".
- The command "fwm printcert -ca internal_ca" can be used to display the CA signing certificate details.
Example outputs:
- To check only the SIC certificate of the Security Management Server / Domain Management Server itself:
  [Expert@HostName_MGMT:0]# cpca_client lscert -kind SIC | grep -A 2 "CN=cp_mgmt,"
  Subject = CN=cp_mgmt,O=MGMT..yosa26
  Status = Valid Kind = SIC Serial = 39561 DP = 0
  Not_Before: Tue Oct 13 10:33:09 2015 Not_After: Mon Oct 12 10:33:09 2020
  [Expert@mgmt:0]#
- To check all the SIC certificates on the Security Management Server / Domain Management Server:
  [Expert@HostName_MGMT:0]# cpca_client lscert -kind SIC
  Operation succeeded. rc=0.
  4 certs found.
  Subject = CN=mgmt,O=mgmt..bbqdkc
  Status = Valid Kind = SIC Serial = 37748 DP = 0
  Not_Before: Sun Apr 3 09:50:11 2011 Not_After: Sat Apr 2 09:50:11 2016
  Subject = CN=cp_mgmt,O=mgmt..bbqdkc
  Status = Valid Kind = SIC Serial = 42070 DP = 0
  Not_Before: Sun Apr 3 09:50:06 2011 Not_After: Sat Apr 2 09:50:06 2016
  Subject = CN=gw,O=mgmt..bbqdkc
  Status = Valid Kind = SIC Serial = 10659 DP = 0
  Not_Before: Wed Apr 20 23:42:35 2011 Not_After: Tue Apr 19 23:42:35 2016
  Subject = CN=gw,O=mgmt..bbqdkc
  Status = Revoked Kind = SIC Serial = 8013 DP = 0
  Not_Before: Sun Apr 3 10:28:55 2011 Not_After: Sat Apr 2 10:28:55 2016
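Since there is no SNMP OID for the SIC certificate expiration date, the practical monitoring path is a shell script that runs cpca_client lscert and turns each Not_After timestamp into "days left", which an SNMP extend entry (see sk90860) or a cron job can then report. The script below is an added example written for this article, not Check Point code: the function names, the reference-date arguments and the sample lscert text (copied in format from the output shown above) are constructed for the example. It computes days with integer arithmetic only, so it does not depend on GNU "date -d", and it reads the lscert output from stdin so it can be fed either the real command or the sample.

```shell
#!/bin/bash
# Added example (not from the Check Point article): helper functions for an SNMP
# extend script that converts "cpca_client lscert -kind SIC" output into the
# number of days until each certificate's Not_After date.

# Constructed sample input; format matches the lscert output shown in the article.
SAMPLE_LSCERT_OUTPUT='Operation succeeded. rc=0.
4 certs found.
Subject = CN=mgmt,O=mgmt..bbqdkc
Status = Valid Kind = SIC Serial = 37748 DP = 0
Not_Before: Sun Apr 3 09:50:11 2011 Not_After: Sat Apr 2 09:50:11 2016
Subject = CN=cp_mgmt,O=mgmt..bbqdkc
Status = Valid Kind = SIC Serial = 42070 DP = 0
Not_Before: Sun Apr 3 09:50:06 2011 Not_After: Sat Apr 2 09:50:06 2016
Subject = CN=gw,O=mgmt..bbqdkc
Status = Valid Kind = SIC Serial = 10659 DP = 0
Not_Before: Wed Apr 20 23:42:35 2011 Not_After: Tue Apr 19 23:42:35 2016
Subject = CN=gw,O=mgmt..bbqdkc
Status = Revoked Kind = SIC Serial = 8013 DP = 0
Not_Before: Sun Apr 3 10:28:55 2011 Not_After: Sat Apr 2 10:28:55 2016'

# Month abbreviation as printed by cpca_client -> month number (1..12).
month_number() {
  case "$1" in
    Jan) echo 1;;  Feb) echo 2;;  Mar) echo 3;;  Apr) echo 4;;
    May) echo 5;;  Jun) echo 6;;  Jul) echo 7;;  Aug) echo 8;;
    Sep) echo 9;;  Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
    *) return 1;;
  esac
}

# Days since 1970-01-01 for a Gregorian date (year month day), integer math only
# (Hinnant's days_from_civil). Leading zeros are stripped so "date +%m" output works.
days_from_civil() {
  y=$1; m=${2#0}; d=${3#0}
  [ "$m" -le 2 ] && y=$((y - 1))
  era=$((y / 400))
  yoe=$((y - era * 400))
  mp=$(((m + 9) % 12))
  doy=$(((153 * mp + 2) / 5 + d - 1))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  echo $((era * 146097 + doe - 719468))
}

# Days from a reference date (year month day) until a cpca_client timestamp such as
# "Mon Oct 12 10:33:09 2020". A negative result means the certificate has expired.
days_until_expiry() {
  stamp=$1; ref_y=$2; ref_m=$3; ref_d=$4
  set -- $stamp                      # $1=weekday $2=month $3=day $4=time $5=year
  m=$(month_number "$2") || return 1
  echo $(( $(days_from_civil "$5" "$m" "$3") - $(days_from_civil "$ref_y" "$ref_m" "$ref_d") ))
}

# Reads lscert output on stdin; prints "<days_left> <status> <serial> <subject>" per cert.
sic_expiry_report() {
  ref_y=$1; ref_m=$2; ref_d=$3
  subject=""; status=""; serial=""
  while IFS= read -r line; do
    case "$line" in
      "Subject = "*) subject=${line#Subject = } ;;
      "Status = "*)
        status=${line#Status = }; status=${status%% *}
        serial=${line##*Serial = }; serial=${serial%% *} ;;
      *"Not_After: "*)
        stamp=${line##*Not_After: }
        days=$(days_until_expiry "$stamp" "$ref_y" "$ref_m" "$ref_d")
        printf '%s %s %s %s\n' "$days" "$status" "$serial" "$subject" ;;
    esac
  done
}

# Smallest days-left among Valid certificates only (Revoked ones are ignored):
# a single integer, which is the shape an SNMP extend script should return.
# Prints -1 when no Valid certificate was found.
sic_min_days_left() {
  sic_expiry_report "$1" "$2" "$3" |
    awk '$2 == "Valid" { d = $1 + 0; if (!found || d < min) { min = d; found = 1 } }
         END { print (found ? min : -1) }'
}

# Demo on the constructed sample, as of 2016-01-01.
# On a Management Server you would run instead:
#   cpca_client lscert -kind SIC | sic_min_days_left $(date +'%Y %m %d')
printf '%s\n' "$SAMPLE_LSCERT_OUTPUT" | sic_expiry_report 2016 1 1
```

The per-certificate report is what an administrator reads; the single integer from sic_min_days_left is what an SNMP poller or alerting threshold consumes. Filtering on Status = Valid matters: a revoked certificate that is replaced keeps its old Not_After, and without the filter it would mask the dates of the certificates actually in use.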