5.31. Expiring SSL certificates

The SSL certificates used on the Steelhead appliances, for the GUI, for SSL pre-optimization and for SSL Secure Peering, all have an expiry date. Once an SSL certificate has expired, it can no longer be used.

The expiry of SSL certificates is reflected in the health status of the device only when SSL Optimization is enabled. The list of expiring SSL certificates can be displayed with the command show protocol ssl expiring-certs.

Figure 5.217. SSL certificates have expired

SH # show protocol ssl
Enabled: yes
Protocol Versions: SSLv3_or_TLSv1
SFE Mode: Advanced_Only
Mid Session SSL: no
No server certificates.
[...]

SH # show alarms triggered 
Alarm ID:          certs_expiring
Alarm Description: SSL Certificates Expiring
Status:            error
-------------------------------------
Alarm ID:          health
Alarm Description: Appliance Health
Status:            error
-------------------------------------
Alarm ID:          ssl
Alarm Description: SSL
Status:            error
-------------------------------------

SH # show protocol ssl expiring-certs
Peering certificate is OK.

All server certificates are OK.

All server chain certificates are OK.

Expiring/Expired CA certificate(s):
  Akamai_Subordinate_3 (on May 11 23:59:00 2013 GMT)
  Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068 (on Oct 24 22:00:00 2013 GMT)
  Digisign_Server_ID_Enrich (on Jul 17 15:16:55 2012 GMT)
  GlobalSign_Organization (on Jan 27 11:00:00 2014 GMT)
  Google_Internet (on Jun  7 19:43:27 2013 GMT)
  Microsoft_Code_Signing_PCA (on Aug 25 07:00:00 2012 GMT)

All peering CA certificates are OK.

All peering white list certificates are OK.

All mobile trusts certificates are OK.
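
To track this listing from a monitoring script instead of reading it by eye, the output can be parsed and each entry compared against the current time. The Python below is an added example, not part of the original guide or of the appliance software; the sample text is constructed from the output above, and the code assumes that every certificate category reports problems under the same "Expiring/Expired ... certificate(s):" header form shown for the CA list.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on "show protocol ssl expiring-certs" output,
# including one entry whose date was wrapped onto a second line.
SAMPLE = """\
Peering certificate is OK.

Expiring/Expired CA certificate(s):
  Digisign_Server_ID_Enrich (on Jul 17 15:16:55 2012 GMT)
  Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068 (on Oct 24 22:00:00
2013 GMT)
  Google_Internet (on Jun  7 19:43:27 2013 GMT)

All peering CA certificates are OK.
"""

# Assumption: every category reports problems under this header form.
HEADER = re.compile(r"^Expiring/Expired (.+?) certificate\(s\):\s*$")
ENTRY = re.compile(r"^(\S+) \(on (.+?) GMT\)$")

def parse_expiring(text, now):
    """Return (category, name, not_after, status) for each listed certificate."""
    results, category, pending = [], None, ""
    for line in text.splitlines():
        header = HEADER.match(line.strip())
        if header:
            category, pending = header.group(1), ""
        elif not line.strip():
            category, pending = None, ""      # a blank line closes the section
        elif category is not None:
            # Accumulate so an entry split across two lines is rejoined.
            pending = (pending + " " + line.strip()).strip()
            entry = ENTRY.match(pending)
            if entry:
                stamp = " ".join(entry.group(2).split())   # "Jun  7" -> "Jun 7"
                not_after = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
                not_after = not_after.replace(tzinfo=timezone.utc)
                status = "expired" if not_after <= now else "expiring"
                results.append((category, entry.group(1), not_after, status))
                pending = ""
    return results

if __name__ == "__main__":
    for cat, name, when, status in parse_expiring(SAMPLE, datetime.now(timezone.utc)):
        print(f"{status.upper():8} {cat:4} {name} (notAfter {when:%Y-%m-%d})")
```

Separating entries that are already expired from those that are only approaching expiry shows which certificates can no longer be used and which still leave time to plan a replacement.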

In the log files this will be shown as:

Figure 5.218. SSL alarm is being raised

SH alarmd[5547]: [alarmd.NOTICE]: Alarm 'certs_expiring' triggering 
SH alarmd[5547]: [alarmd.INFO]: Propagating changes for 1 alarms 
SH alarmd[5547]: [alarmd.NOTICE]: Alarm 'ssl' triggering 
SH alarmd[5547]: [alarmd.NOTICE]: Alarm 'health' triggering 
SH mgmtd[3544]: [mgmtd.INFO]: EVENT:  /alarm/event/alarm/certs_expiring/triggered 
SH mgmtd[3544]: [mgmtd.INFO]: Expiring/Expired SSL certificate(s) detected. 
SH mgmtd[3544]: [mgmtd.INFO]: Expiring/Expired SSL certificate(s) have been detected.  For \
     more information, please check these pages:  http://SH/mgmt/gui?p=setupServiceProtoco \
    lsSSLMain  http://SH/mgmt/gui?p=setupServiceProtocolsSSLPeering  http://SH/mgmt/gui?p= \
    setupServiceProtocolsSSLCAs or use the CLI command "show protocol ssl expiring-certs" 

The expired SSL certificates can be removed via the GUI or CLI, depending on their roles: