This document collects information and pointers on monitoring certificates and CRLs (Certificate Revocation Lists) for expiration. Depending on the specific setup, the following typically need to be monitored for expiration:
The openssl command-line utility can display the end date of a given certificate or check whether it expires within a given window.
The following command will show the expiration date of a given certificate.
The following command exits with status 1 if the certificate will expire within a given number of seconds, and with status 0 otherwise.
The following command will show the nextUpdate value of a CRL:
The following Perl script can be run from a cron job to monitor certificates and CRLs for expiration. Modify the values of the variables at the top for your specific setup.
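As an added illustration (not the page's own Perl script), the same cron-style check written in POSIX shell around the openssl x509 -checkend and openssl crl -nextupdate options described above. It assumes openssl is on PATH and that GNU date is available for converting the CRL nextUpdate value.

```shell
# Added example, not the page's own script: cron-style expiry check for PEM
# certificates and CRLs built on the openssl x509/crl options described above.
# Assumes openssl is on PATH and GNU date (-d) is available for CRL dates.

WARN_SECONDS=$((14 * 24 * 3600))   # warn when under 14 days of validity remain

# cert_status FILE SECONDS: 0 if the certificate stays valid for at least
# SECONDS more, 1 if it expires within that window, 2 if it cannot be parsed.
cert_status() {
    openssl x509 -noout -in "$1" >/dev/null 2>&1 || return 2
    # -checkend exits 0 (still valid) or 1 (will expire), exactly what we need
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}

# cert_enddate FILE: print the notAfter value, e.g. "Jan  1 00:00:00 2030 GMT".
cert_enddate() {
    openssl x509 -noout -enddate -in "$1" 2>/dev/null | sed 's/^notAfter=//'
}

# crl_nextupdate FILE: print the nextUpdate value of a CRL.
crl_nextupdate() {
    openssl crl -noout -nextupdate -in "$1" 2>/dev/null | sed 's/^nextUpdate=//'
}

# crl_status FILE SECONDS: same exit codes as cert_status, for a CRL.
# openssl crl has no -checkend, so nextUpdate is converted with GNU date.
crl_status() {
    nu=$(crl_nextupdate "$1")
    [ -n "$nu" ] || return 2
    nu_epoch=$(date -u -d "$nu" +%s 2>/dev/null) || return 2
    [ $((nu_epoch - $(date -u +%s))) -gt "$2" ]
}

# report KIND FILE SECONDS: one line per file; cron mails anything printed.
report() {
    case "$1" in
        cert) cert_status "$2" "$3" ;;
        crl)  crl_status  "$2" "$3" ;;
        *)    false ;;
    esac
    case $? in
        0) echo "OK       $1 $2" ;;
        1) echo "EXPIRING $1 $2 (within $(($3 / 86400)) days)" ;;
        *) echo "ERROR    $1 $2 (unreadable or unknown kind)" ;;
    esac
}
if [ $# -gt 0 ]; then   # usage: expiry_check.sh cert|crl FILE...
    kind=$1; shift
    for f in "$@"; do report "$kind" "$f" "$WARN_SECONDS"; done
fi
```

Run it from cron as `expiry_check.sh cert /path/to/*.pem` and again with `crl` for the CRL files; with WARN_SECONDS set to the desired lead time, cron's mail carries the EXPIRING and ERROR lines.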
Globus Toolkit provides a
This utility is available on some systems. Apache uses it in conjunction with a cron job to monitor SSL certificates and to generate an email if they are found to have expired. From certwatch(1):
The program has two modes of operation: normal mode and quiet mode. In normal mode, the certificate given by the filename argument is examined, and a warning email is issued to standard output if the certificate is outside its validity period, or approaching expiry. If the certificate cannot be found, or any errors occur whilst parsing the certificate, the certificate is ignored and no output is produced. In quiet mode, no output is given, but the exit status can still be used.
This is another utility that is available here. Please refer to that page for information on how to use it.
As part of a comprehensive set of checks to detect "Grid infrastructure problems by executing periodic, automated, user-level testing of Grid software and services", Inca also provides "reporters" that monitor certificates. Two reporters of interest are:
For more information see http://inca.sdsc.edu/.
OSG uses the following checks:
MyProxy also provides support for automated renewal of certificates.
Some ideas on minimizing the maintenance requirements of PKI for low level of assurance scenarios: