The SSL certificates used on the Steelhead appliances, for the GUI, for SSL pre-optimization and for SSL Secure Peering, carry an expiry date. Once an SSL certificate has expired it can no longer be used.

The expiry of the SSL certificates is only reflected in the health status of the device when SSL optimization is enabled. The list of expiring and expired SSL certificates can be obtained with the command "show protocol ssl expiring-certs".
Figure 5.217. SSL certificates have expired

    SH # show protocol ssl
    Enabled: yes
    Protocol Versions: SSLv3_or_TLSv1
    SFE Mode: Advanced_Only
    Mid Session SSL: no
    No server certificates.
    [...]
    SH # show alarms triggered
    Alarm ID: certs_expiring
    Alarm Description: SSL Certificates Expiring
    Status: error
    -------------------------------------
    Alarm ID: health
    Alarm Description: Appliance Health
    Status: error
    -------------------------------------
    Alarm ID: ssl
    Alarm Description: SSL
    Status: error
    -------------------------------------
    SH # show protocol ssl expiring-certs
    Peering certificate is OK.
    All server certificates are OK.
    All server chain certificates are OK.
    Expiring/Expired CA certificate(s):
    Akamai_Subordinate_3 (on May 11 23:59:00 2013 GMT)
    Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068 (on Oct 24 22:00:00 2013 GMT)
    Digisign_Server_ID_Enrich (on Jul 17 15:16:55 2012 GMT)
    GlobalSign_Organization (on Jan 27 11:00:00 2014 GMT)
    Google_Internet (on Jun 7 19:43:27 2013 GMT)
    Microsoft_Code_Signing_PCA (on Aug 25 07:00:00 2012 GMT)
    All peering CA certificates are OK.
    All peering white list certificates are OK.
    All mobile trusts certificates are OK.
In the log files this is shown as:

Figure 5.218. SSL alarm is being raised

    SH alarmd[5547]: [alarmd.NOTICE]: Alarm 'certs_expiring' triggering
    SH alarmd[5547]: [alarmd.INFO]: Propagating changes for 1 alarms
    SH alarmd[5547]: [alarmd.NOTICE]: Alarm 'ssl' triggering
    SH alarmd[5547]: [alarmd.NOTICE]: Alarm 'health' triggering
    SH mgmtd[3544]: [mgmtd.INFO]: EVENT: /alarm/event/alarm/certs_expiring/triggered
    SH mgmtd[3544]: [mgmtd.INFO]: Expiring/Expired SSL certificate(s) detected.
    SH mgmtd[3544]: [mgmtd.INFO]: Expiring/Expired SSL certificate(s) have been detected. For more information, please check these pages: http://SH/mgmt/gui?p=setupServiceProtocolsSSLMain http://SH/mgmt/gui?p=setupServiceProtocolsSSLPeering http://SH/mgmt/gui?p=setupServiceProtocolsSSLCAs or use the CLI command "show protocol ssl expiring-certs"
The expired SSL certificates can be removed via the GUI or the CLI, depending on their role:

Peering certificates: Under Configure -> Optimization -> Secure Peering (SSL) you can regenerate the certificate. From the CLI:

    secure-peering generate-cert rsa

Server certificates: Under Configure -> Optimization -> SSL Main Settings you can update or remove the certificate. From the CLI:

    no protocol ssl server-cert name <name>

Server chain certificates: From the CLI:

    no protocol ssl server-cert name <name> chain-cert <name>

CA certificates: Under Configure -> Optimization -> Certificate Authorities you can remove the certificate. This list can be large; sorting it on Expiration Date will help. From the CLI:

    no protocol ssl ca <name>

Peering CA certificates: Under Configure -> Optimization -> Secure Peering (SSL), under Peering Trust, you can remove the certificate. From the CLI:

    no secure-peering trust ca <name>

Peering white list certificates: Under Configure -> Optimization -> Secure Peering (SSL), under Self-Signed Peer White List, you can remove the certificate. From the CLI:

    no secure-peering white-lst-peer <name>

Mobile trust certificates: Under Configure -> Optimization -> Secure Peering (SSL), under Mobile Trust, you can remove the certificate. From the CLI:

    no secure-peering trust mobile <name>
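As an added example, not code from the book or from Riverbed, the following Python script ties Figure 5.217 to the removal commands above: it parses the output of "show protocol ssl expiring-certs", separates certificates that have already expired on a given reference date from those that are merely approaching expiry, and maps each expired certificate to the CLI command listed for its role. The sample output and the reference date are constructed from the figure. The wording of the "Expiring/Expired <role> certificate(s):" heading for roles other than CA, and the indentation of the entries under it, are assumptions derived from the "All ... are OK." lines; server chain certificates (two names) and the peering certificate (regenerated rather than removed) are deliberately left for manual handling.

```python
"""Added example: parse 'show protocol ssl expiring-certs' output from a Riverbed
Steelhead, split expired from still-valid certificates, and emit the chapter's
CLI command that removes each expired one."""
import re
from datetime import datetime, timezone

# Role, as printed in the 'Expiring/Expired <role> certificate(s):' heading,
# -> removal command listed in this chapter. The CA, peering CA, peering white
# list and mobile trusts wording follows the 'All ... are OK.' lines of the
# figure; the 'server' wording is an assumption. Server chain certificates need
# two names and the peering certificate is regenerated, so neither is mapped.
ROLE_COMMANDS = {
    "CA": "no protocol ssl ca {name}",
    "peering CA": "no secure-peering trust ca {name}",
    "peering white list": "no secure-peering white-lst-peer {name}",
    "mobile trusts": "no secure-peering trust mobile {name}",
    "server": "no protocol ssl server-cert name {name}",  # heading wording assumed
}

HEADING = re.compile(r"^Expiring/Expired (?P<role>.+?) certificate\(s\):$")
OK_LINE = re.compile(r"^(All .+ certificates are|Peering certificate is) OK\.$")
ENTRY = re.compile(
    r"^\s*(?P<name>\S+) \(on (?P<date>[A-Za-z]{3} \d{1,2} \d\d:\d\d:\d\d \d{4}) GMT\)$"
)
DATE_FMT = "%b %d %H:%M:%S %Y"  # e.g. 'Jun 7 19:43:27 2013'; %d accepts one digit

# Constructed sample, copied from Figure 5.217 (entry indentation assumed).
SAMPLE_OUTPUT = """\
Peering certificate is OK.
All server certificates are OK.
All server chain certificates are OK.
Expiring/Expired CA certificate(s):
  Akamai_Subordinate_3 (on May 11 23:59:00 2013 GMT)
  Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068 (on Oct 24 22:00:00 2013 GMT)
  Digisign_Server_ID_Enrich (on Jul 17 15:16:55 2012 GMT)
  GlobalSign_Organization (on Jan 27 11:00:00 2014 GMT)
  Google_Internet (on Jun 7 19:43:27 2013 GMT)
  Microsoft_Code_Signing_PCA (on Aug 25 07:00:00 2012 GMT)
All peering CA certificates are OK.
All peering white list certificates are OK.
All mobile trusts certificates are OK.
"""

# Constructed reference date ("now") for the worked example.
REFERENCE_DATE = datetime(2013, 6, 1, tzinfo=timezone.utc)


def parse_expiring_certs(output):
    """Return [(role, name, not_after)] for every listed certificate (not_after is UTC-aware)."""
    certs, role = [], None
    for line in output.splitlines():
        line = line.rstrip()
        if OK_LINE.match(line):
            role = None  # a section with nothing to report
            continue
        m = HEADING.match(line)
        if m:
            role = m.group("role")
            continue
        m = ENTRY.match(line)
        if m and role is not None:
            not_after = datetime.strptime(m.group("date"), DATE_FMT).replace(tzinfo=timezone.utc)
            certs.append((role, m.group("name"), not_after))
    return certs


def classify(certs, now):
    """Split into (expired, still_valid); each entry also carries the day delta from 'now'."""
    expired, still_valid = [], []
    for role, name, not_after in certs:
        entry = (role, name, not_after, (not_after - now).days)
        (expired if not_after <= now else still_valid).append(entry)
    return expired, still_valid


def removal_commands(expired):
    """Map each expired certificate to the chapter's CLI command for its role."""
    cmds = []
    for role, name, _not_after, _days in expired:
        template = ROLE_COMMANDS.get(role)
        if template is None:
            cmds.append(f"! manual action needed for {role} certificate {name}")
        else:
            cmds.append(template.format(name=name))
    return cmds


if __name__ == "__main__":
    expired, still_valid = classify(parse_expiring_certs(SAMPLE_OUTPUT), REFERENCE_DATE)
    for role, name, not_after, days in still_valid:
        print(f"expires in {days:4d} days: {role} {name} ({not_after:%Y-%m-%d})")
    print("\n".join(removal_commands(expired)))
```

Run against the sample with the 1 June 2013 reference date, the script reports three CA certificates as already expired and prints one "no protocol ssl ca" line for each, while the other three are listed with their remaining days so they can be renewed before the alarm becomes an error. Only certificates that are actually past their expiry date are turned into removal commands; the appliance's own "expiring" notice is otherwise left as a warning.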