Certificate Expiration

Introduction

This document provides information/pointers regarding monitoring certificates and CRLs (Certificate Revocation Lists) for expiration. Depending on the specific setup, typically the following need to be monitored for expiration:

• Proxy certificate (example: /tmp/x509up_u41590)
• hostcert.pem (example: /etc/grid-security/hostcert.pem)
• containercert.pem (GT4 only)
• CAs (example: /etc/grid-security/certificates/*.[0-9])
• CRLs (example: /etc/grid-security/certificates/*.r[0-9])

Standard Method

OpenSSL provides a utility to retrieve the end date or check for the expiration of a given certificate.

The following command will show the expiration date of a given certificate.

$ openssl x509 -in /tmp/x509up_u41590 -enddate -noout

notAfter=Jan 20 03:18:53 2011 GMT

$

The following command will exit with a code of 1 if a certificate will expire in a given number of seconds. It will exit with a return code of 0 otherwise.

$ openssl x509 -in /tmp/x509up_u41590 -checkend 8000

Certificate will not expire

$ echo $?

0

$ openssl x509 -in /tmp/x509up_u41590 -checkend 80000000

Certificate will expire

$ echo $?

1

$ date

Wed Jan 19 09:24:49 CST 2011

$

The following command will show the nextupdate date value of a CRL:

$ openssl crl -noout -in /etc/grid-security/certificates/95009ddc.r0 -nextupdate

nextUpdate=Jan 19 23:00:03 2011 GMT

$

The following perl script can be run from within a cron job to monitor the certificates and CRLs for expiration. Please modify the values for the variables at the top for your specific setup.

#!/usr/bin/env perl

use strict;

use warnings;

use Date::Parse;

# MODIFY THE BELOW FOR YOUR SITE.

#*****************************************

# Certificates to be checked

my @certs = < /tmp/x509up_u502 /etc/grid-security/hostcert.pem /etc/grid-security/certificates/*.[0-9] >;

# Uncomment below statement if no certificates are to be checked

#my @certs;

# CRLs to be checked

my @crls = < /etc/grid-security/certificates/*.r[0-9] >;

# Uncomment below statement if NO CRLs are to be checked

#my @crls;

# Where should warning emails go?

my $adminEmail = "root\@localhost";

# Minimum validity period to check for

my $minCertdays = 100;

my $minCrldays = 5;

#*****************************************

# Certificates

foreach my $file (@certs) {

   print "PROCESSING CERTIFICATE FILE: $file\n";

   my $enddate = `openssl x509 -enddate -in $file -noout`;$enddate =~ s/notAfter=//g;

   my $end = str2time($enddate);

   my $daysleft = ($end - time())/86400;

   my $issuer = `openssl x509 -issuer -in $file -noout`;$issuer =~ s/issuer=//g;

   if($daysleft < $minCertdays) {

     my $msg = "$file expires/expired in ".int($daysleft)." days\n" .

               "on $enddate\n" .

               "Please contact the CA $issuer for renewing the certificate.\n" .

               "\n" .

               "NOTE: You can check the contents of this certificate by running\n" .

               "'openssl x509 -text -noout -in $file'\n\n" .

               "If applicable, MyProxy renewal may be used. Please refer to\n" .

               "http://grid.ncsa.illinois.edu/myproxy/renew.html\n" .

               "for more information.\n";

     system("echo \"$msg\" | mail -s \"Certificate Expiration Warning\" $adminEmail");

   }

}

# CRLs

foreach my $file (@crls) {

   print "PROCESSING CRL FILE: $file\n";

   my $enddate = `openssl crl -nextupdate -in $file -noout`;$enddate =~ s/nextUpdate=//g;

   my $issuer = `openssl crl -issuer -in $file -noout`;$enddate =~ s/issuer=//g;

   my $end = str2time($enddate);

   my $daysleft = ($end - time())/86400;

   if($daysleft < $minCrldays) {

     my $msg = "$file expires/expired in ".int($daysleft)." days\n" .

               "on $enddate\n" .

               "Please refresh the CRL issued by $issuer.\n" .

               "\n" .

               "NOTE: You can check the contents of this crl by running\n" .

               "'openssl crl -text -noout -in $file'\n\n" .

               "For periodic updates of CRLs, fetch-crl may be used.\n" .

               "For more information, please refer to\n" .

               "http://vdt.cs.wisc.edu/components/fetch-crl.html\n";

     system("echo \"$msg\" | mail -s \"CRL Expiration Warning\" $adminEmail");

   }

}

Other Utilities

Globus Toolkit

Globus Toolkit provides a grid-cert-diagnostics utility that will print diagnostic information about Globus Toolkit-related certificates and keys on a system installed with Globus Toolkit. It also provides a grid-proxy-info utility that can be used to check for the validity of the default proxy certificate for a given period of time. Please see the man page for grid-cert-diagnostics and grid-proxy-info for details.

certwatch

This utility is available on some systems. Apache uses it in conjunction with a cron job to monitor SSL-certificates and to generate an email if they are found to have expired. From certwatch(1):

The program has two modes of operation: normal mode and quiet mode. In

normal mode, the certificate given by the filename argument is

examined, and a warning email is issued to standard output if the

certificate is outside its validity period, or approaching expiry. If

the certificate cannot be found, or any errors occur whilst parsing the

certificate, the certificate is ignored and no output is produced. In

quiet mode, no output is given, but the exit status can still be used.

ssl-cert-check

This is another utility that's available here. Please refer to that page for information of how to use it.

Inca

As part of a comprehensive set of checks to detect "Grid infrastructure problems by executing periodic, automated, user-level testing of Grid software and services", Inca also provides "reporters" that monitor certificates. Two reporters of interest are:

http://inca.sdsc.edu/repository/latest/cgi-bin/reporters.cgi?action=help&reporter=security.hostcert.unit

http://inca.sdsc.edu/repository/latest/cgi-bin/reporters.cgi?action=help&reporter=security.ca.unit

For more information see http://inca.sdsc.edu/.

TeraGrid uses Inca and this page shows results of Inca tests for Teragrid.

Miscellaneous

Other checks of interest

• hostcert.pem and hostkey.pem match
• hostkey.pem permissions are correct
• hostcert.pem subject matches hostname
• CRLs up-to-date
• grid-mapfile (or VOMS/GUMS) up-to-date
• CAs installed for all grid-mapfile (or VOMS/GUMS) entries
• NTP is running and the system clock is accurate

OSG uses the following checks:

https://twiki.grid.iu.edu/bin/view/Security/RSVSecurityProbesPhase3V2

Credential renewal with MyProxy

When your certificate nears expiration, you will typically need to renew it by contacting the Certification Authority (CA) that issued it and following the CA's procedure. MyProxy also provides support for automated renewal of certificates.

Simplifying your PKI

Some ideas on minimizing the maintenance requirements of PKI for low level of assurance scenarios:

• long-lived certificates
• no CRLs
• certificates and keys automatically generated at install time
• avoid adding/removing CAs (i.e., pre-installed long-lived CA certificates, etc.)
• avoid access control list (for example, Globus grid-mapfile) changes (i.e., small number of pre-defined trusted client subjects)