Certificate Expiration
Introduction
This document provides information and pointers on monitoring certificates and CRLs (Certificate Revocation Lists) for expiration. Depending on the specific setup, the following typically need to be monitored for expiration:
- Proxy certificate (example: /tmp/x509up_u41590)
- hostcert.pem (example: /etc/grid-security/hostcert.pem)
- containercert.pem (GT4 only)
- CAs (example: /etc/grid-security/certificates/*.[0-9])
- CRLs (example: /etc/grid-security/certificates/*.r[0-9])
Standard Method
OpenSSL provides a utility to retrieve the end date or check for the expiration of a given certificate.
The following command will show the expiration date of a given certificate.
$ openssl x509 -in /tmp/x509up_u41590 -enddate -noout
notAfter=Jan 20 03:18:53 2011 GMT
$
The following command exits with a code of 1 if the certificate will expire within the given number of seconds, and with a code of 0 otherwise.
$ openssl x509 -in /tmp/x509up_u41590 -checkend 8000
Certificate will not expire
$ echo $?
0
$ openssl x509 -in /tmp/x509up_u41590 -checkend 80000000
Certificate will expire
$ echo $?
1
$ date
Wed Jan 19 09:24:49 CST 2011
$
The following command will show the nextUpdate value of a CRL, i.e. the time by which a fresh CRL must have been fetched:
$ openssl crl -noout -in /etc/grid-security/certificates/95009ddc.r0 -nextupdate
nextUpdate=Jan 19 23:00:03 2011 GMT
$
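The three commands above, wrapped into functions a cron job can call, as an added example that is not part of the original page. It assumes GNU date (for -d) and openssl in PATH; the certificate it generates is a constructed fixture, not one of the page's example files.

```shell
#!/bin/sh
# Added example, not from the original page: the openssl commands above
# wrapped as functions a cron job can call. Assumes GNU date (-d) and
# openssl in PATH; the paths are arguments, not the page's example files.

# Seconds until an OpenSSL-style timestamp such as "Jan 20 03:18:53 2011 GMT";
# negative once it has passed. Returns 2 if the date cannot be parsed.
seconds_until() {
    end=$(date -u -d "$1" +%s 2>/dev/null) || return 2
    echo $(( end - $(date -u +%s) ))
}

# Print the whole days left on a certificate and return 0 only if it is
# still valid for at least $2 days (same test as "openssl x509 -checkend").
cert_days_left() {
    file=$1; min_days=${2:-0}
    enddate=$(openssl x509 -in "$file" -enddate -noout) || return 2
    secs=$(seconds_until "${enddate#notAfter=}") || return 2
    echo $(( secs / 86400 ))
    openssl x509 -in "$file" -noout -checkend $(( min_days * 86400 )) >/dev/null
}

# Same for a CRL's nextUpdate. "openssl crl" has no -checkend, so the
# comparison is done on the parsed timestamp instead.
crl_days_left() {
    file=$1; min_days=${2:-0}
    nextupdate=$(openssl crl -in "$file" -nextupdate -noout) || return 2
    secs=$(seconds_until "${nextupdate#nextUpdate=}") || return 2
    echo $(( secs / 86400 ))
    [ "$secs" -ge $(( min_days * 86400 )) ]
}

# Constructed fixture: a throwaway self-signed certificate valid for 30 days.
make_test_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -out "$dir/cert.pem" -days 30 -subj "/CN=constructed.example" \
        >/dev/null 2>&1 || return 2
    echo "$dir/cert.pem"
}

# Usage from cron: the exit status says whether to alert, e.g.
# cert_days_left /etc/grid-security/hostcert.pem 100 || echo "renew hostcert"
```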
The following Perl script can be run from a cron job to monitor the certificates and CRLs listed at the top for expiration. Modify the values of the variables at the top for your specific setup. The script requires the Date::Parse module (from the TimeDate distribution).
#!/usr/bin/env perl
use strict;
use warnings;
use Date::Parse;
# MODIFY THE BELOW FOR YOUR SITE.
#*****************************************
# Certificates to be checked (space-separated paths; shell globs allowed)
my @certs = glob("/tmp/x509up_u502 /etc/grid-security/hostcert.pem /etc/grid-security/certificates/*.[0-9]");
# Use an empty list instead if no certificates are to be checked:
#my @certs = ();
# CRLs to be checked
my @crls = glob("/etc/grid-security/certificates/*.r[0-9]");
# Use an empty list instead if NO CRLs are to be checked:
#my @crls = ();
# Where should warning emails go?
my $adminEmail = "root\@localhost";
# Minimum validity period to check for (in days)
my $minCertdays = 100;
my $minCrldays = 5;
#*****************************************
# Run "openssl <cmd> <opt> -in <file> -noout" without going through a shell
# and return its output with the "name=" prefix stripped
# (e.g. "notAfter=Jan 20 03:18:53 2011 GMT" -> "Jan 20 03:18:53 2011 GMT").
sub openssl_field {
    my ($cmd, $file, $opt) = @_;
    open(my $fh, '-|', 'openssl', $cmd, $opt, '-in', $file, '-noout')
        or die "cannot run openssl: $!";
    my $out = <$fh>;
    close($fh);
    return '' unless defined $out;
    chomp($out);
    $out =~ s/^[^=]*=\s*//;
    return $out;
}
# Mail $msg to $adminEmail. The body is written to mail(1) over a pipe
# instead of being interpolated into a shell command line, so issuer names
# taken from the certificate or CRL are never interpreted by the shell.
sub send_warning {
    my ($subject, $msg) = @_;
    open(my $mail, '|-', 'mail', '-s', $subject, $adminEmail)
        or die "cannot run mail: $!";
    print $mail $msg;
    close($mail);
}
# Certificates
foreach my $file (@certs) {
    print "PROCESSING CERTIFICATE FILE: $file\n";
    my $enddate = openssl_field('x509', $file, '-enddate');
    my $end = str2time($enddate);
    unless (defined $end) { warn "Cannot read end date of $file\n"; next; }
    my $daysleft = ($end - time()) / 86400;
    my $issuer = openssl_field('x509', $file, '-issuer');
    if ($daysleft < $minCertdays) {
        my $msg = "$file expires/expired in " . int($daysleft) . " days\n" .
            "on $enddate\n" .
            "Please contact the CA $issuer for renewing the certificate.\n" .
            "\n" .
            "NOTE: You can check the contents of this certificate by running\n" .
            "'openssl x509 -text -noout -in $file'\n\n" .
            "If applicable, MyProxy renewal may be used. Please refer to\n" .
            "http://grid.ncsa.illinois.edu/myproxy/renew.html\n" .
            "for more information.\n";
        send_warning("Certificate Expiration Warning", $msg);
    }
}
# CRLs
foreach my $file (@crls) {
    print "PROCESSING CRL FILE: $file\n";
    my $enddate = openssl_field('crl', $file, '-nextupdate');
    my $issuer  = openssl_field('crl', $file, '-issuer');
    my $end = str2time($enddate);
    unless (defined $end) { warn "Cannot read nextUpdate of $file\n"; next; }
    my $daysleft = ($end - time()) / 86400;
    if ($daysleft < $minCrldays) {
        my $msg = "$file expires/expired in " . int($daysleft) . " days\n" .
            "on $enddate\n" .
            "Please refresh the CRL issued by $issuer.\n" .
            "\n" .
            "NOTE: You can check the contents of this CRL by running\n" .
            "'openssl crl -text -noout -in $file'\n\n" .
            "For periodic updates of CRLs, fetch-crl may be used.\n" .
            "For more information, please refer to\n" .
            "http://vdt.cs.wisc.edu/components/fetch-crl.html\n";
        send_warning("CRL Expiration Warning", $msg);
    }
}
Other Utilities
Globus Toolkit
Globus Toolkit provides a grid-cert-diagnostics utility that prints diagnostic information about Globus Toolkit-related certificates and keys on a system with Globus Toolkit installed. It also provides a grid-proxy-info utility that can check whether the default proxy certificate remains valid for a given period of time. Please see the man pages for grid-cert-diagnostics and grid-proxy-info for details.
certwatch
This utility is available on some systems. Apache uses it, in conjunction with a cron job, to monitor SSL certificates and to generate an email if they are found to have expired. From certwatch(1):
The program has two modes of operation: normal mode and quiet mode. In
normal mode, the certificate given by the filename argument is
examined, and a warning email is issued to standard output if the
certificate is outside its validity period, or approaching expiry. If
the certificate cannot be found, or any errors occur whilst parsing the
certificate, the certificate is ignored and no output is produced. In
quiet mode, no output is given, but the exit status can still be used.
ssl-cert-check
This is another utility that's available here. Please refer to that page for information on how to use it.
Inca
As part of a comprehensive set of checks to detect "Grid infrastructure problems by executing periodic, automated, user-level testing of Grid software and services", Inca also provides "reporters" that monitor certificates. Two reporters of interest are:
http://inca.sdsc.edu/repository/latest/cgi-bin/reporters.cgi?action=help&reporter=security.ca.unit
For more information see http://inca.sdsc.edu/.
TeraGrid uses Inca, and this page shows the results of Inca tests for TeraGrid.
Miscellaneous
Other checks of interest
- hostcert.pem and hostkey.pem match
- hostkey.pem permissions are correct
- hostcert.pem subject matches hostname
- CRLs up-to-date
- grid-mapfile (or VOMS/GUMS) up-to-date
- CAs installed for all grid-mapfile (or VOMS/GUMS) entries
- NTP is running and the system clock is accurate
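The first three checks in the list above (certificate and key match, key permissions, subject CN versus hostname), implemented as one function, as an added example that is not part of the original page. It assumes openssl in PATH and an ls(1) that prints the usual ten-character mode column; the host certificate it generates is a constructed fixture.

```shell
#!/bin/sh
# Added example, not from the original page: the first three "other checks"
# (cert/key pair match, key permissions, subject CN vs. hostname) as one
# function. Assumes openssl in PATH; paths and hostname are arguments.

# Returns 0 when all three checks pass; otherwise prints each failure
# and returns 1.
hostcert_checks() {
    cert=$1; key=$2; host=$3; rc=0
    # 1. The certificate's public key must equal the private key's public part.
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null)
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $cert and $key do not match"; rc=1
    fi
    # 2. hostkey.pem must not be accessible by group or others (0400/0600).
    mode=$(ls -ld "$key" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "FAIL: $key is group/world accessible (ls shows '$mode')"; rc=1
    fi
    # 3. Subject CN (with any leading "host/" stripped) must equal the hostname.
    cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$cert" \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p' | sed 's#^host/##')
    if [ "$cn" != "$host" ]; then
        echo "FAIL: subject CN '$cn' does not match hostname '$host'"; rc=1
    fi
    return $rc
}

# Constructed fixture: a self-signed host certificate and key for hostname $1
# in a fresh temp dir, key mode 0600. Prints the directory.
make_test_hostcert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/hostkey.pem" \
        -out "$dir/hostcert.pem" -days 30 -subj "/CN=$1" >/dev/null 2>&1 \
        || return 2
    chmod 600 "$dir/hostkey.pem"
    echo "$dir"
}
```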
OSG uses the following checks:
https://twiki.grid.iu.edu/bin/view/Security/RSVSecurityProbesPhase3V2
Credential renewal with MyProxy
When your certificate nears expiration, you will typically need to renew it by contacting the Certification Authority (CA) that issued it and following the CA's procedure. MyProxy also provides support for automated renewal of certificates.
Simplifying your PKI
Some ideas for minimizing the maintenance requirements of a PKI in low-level-of-assurance scenarios:
- long-lived certificates
- no CRLs
- certificates and keys automatically generated at install time
- avoid adding/removing CAs (i.e., pre-installed long-lived CA certificates, etc.)
- avoid access control list changes (for example, to the Globus grid-mapfile), i.e., use a small number of pre-defined trusted client subjects