Support Center > Search Results > SecureKnowledge Details
How to determine an SIC Certificate's expiration date
Solution

SIC certificates can be viewed in the Internal CA Management Tool on the Security Management Server / Domain Management Server:

Follow the steps in sk30501 - Setting up the ICA Management Tool and in sk39915 - Invoking the ICA Management Tool.

 

SIC certificates can be viewed on the Command Line by running the following command on the Security Management Server / Domain Management Server:

[Expert@HostName_MGMT:0]# cpca_client [-d] lscert -kind SIC [-stat Pending|Valid|Revoked|Expired|Renewed] [-dn <SubString>] [-ser <Serial_Number>] [-dp <DP_Number>]

Note: On Provider-1 / Multi-Domain Security Management Server, this command should be run in the context of the relevant Domain Management Server.

Argument Description
-d Run under debug. Output is printed to the current terminal. The entire output can be redirected to a file.
-kind <Cert_KIND> Filters results for specified kind: SIC, IKE, User, or LDAP.
-stat <Status> Filters results for specified status: Pending, Valid, Revoked, Expired, or Renewed.
-dn <SubString> Filters results to those with a DN that matches the given SubString.
-ser <Serial_Number> Filters results for the given serial number.
-dp <DP_Number> Filters results from the given CDP.

 

Notes:

  • The cpca_client lscert command works only on R65 HFA_50 and above.

  • To check only the SIC certificate of the Security Management Server / Domain Management Server itself:

    [Expert@HostName_MGMT:0]# cpca_client lscert -kind SIC | grep -A 2 "CN=cp_mgmt,"

  • A SIC Certificate is valid for 5 years from its creation. At the 75% threshold, it will be renewed automatically.

  • Currently, there is no SNMP OID that can be queried to check the SIC Certificate expiration date (as a result, there is also no such SNMP Trap).
    The administrator can extend the SNMP by using the relevant shell script to execute the above command.
    Refer to sk90860 - How to configure SNMP on Gaia OS - section "(IV-6) Advanced SNMP configuration - Extend SNMP with shell script"

  • The command "fwm printcert -ca internal_ca" can be used for displaying the CA signing certificate details.

 

Example outputs:

  • To check only the SIC certificate of the Security Management Server / Domain Management Server itself:

    [Expert@HostName_MGMT:0]# cpca_client lscert -kind SIC | grep -A 2 "CN=cp_mgmt,"
Subject = CN=cp_mgmt,O=MGMT..yosa26
Status = Valid   Kind = SIC   Serial = 39561   DP = 0
Not_Before: Tue Oct 13 10:33:09 2015   Not_After: Mon Oct 12 10:33:09 2020
[Expert@mgmt:0]#

  • To check all the SIC certificates on the Security Management Server / Domain Management Server

    [Expert@HostName_MGMT:0]# cpca_client lscert -kind SIC
Operation succeeded. rc=0.
4 certs found.

Subject = CN=mgmt,O=mgmt..bbqdkc
Status = Valid   Kind = SIC   Serial = 37748   DP = 0
Not_Before: Sun Apr  3 09:50:11 2011   Not_After: Sat Apr  2 09:50:11 2016

Subject = CN=cp_mgmt,O=mgmt..bbqdkc
Status = Valid   Kind = SIC   Serial = 42070   DP = 0
Not_Before: Sun Apr  3 09:50:06 2011   Not_After: Sat Apr  2 09:50:06 2016

Subject = CN=gw,O=mgmt..bbqdkc
Status = Valid   Kind = SIC   Serial = 10659   DP = 0
Not_Before: Wed Apr  20 23:42:35 2011   Not_After: Tue Apr  19 23:42:35 2016

Subject = CN=gw,O=mgmt..bbqdkc
Status = Revoked   Kind = SIC   Serial = 8013   DP = 0
Not_Before: Sun Apr  3 10:28:55 2011   Not_After: Sat Apr  2 10:28:55 2016

 

Related documentation:

 

Related solutions:

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment