The Cisco IOS Certificate Authority (CA) server allows autoenrollment of certificates before a certificate expires to ensure the availability of certificates for applications during authentication. However, network outages, clock update problems, and overloaded CAs can impede certificate renewal, thereby resulting in subsystems going offline because no valid certificates can be used for authentication. The PKI Credentials Expiry Alerts feature provides a mechanism by which a CA client sends a notification to a syslog server when certificates are on the verge of expiry.

The notifications are sent at the following intervals:

- First notification: this is sent 60 days before the expiry of the certificate.
- Repeated notifications: after the first notification, subsequent notifications are sent every week until a week before the expiry of the certificate. In the last week, notifications are sent every day until the certificate expiry date.
The notifications are in a warning mode when the certificate is valid for more than a week. The notifications are in an alert mode when a certificate's validity is less than a week. The notifications include the following information:

- Trustpoint the certificate is associated with
- Certificate type
- Serial number of the certificate
- Certificate issuer name
- Number of days remaining for the certificate to expire
- Whether the certificate is enabled with autoenrollment
- Whether a shadow certificate is available for the corresponding certificate
                           
                              |  Note
 | 
 Alert
                                       		  notifications are sent either via the syslog server or Simple Network
                                       		  Management Protocol (SNMP) traps. Notifications stop when a trustpoint is
                                       		  configured with autoenrollment and the corresponding shadow or rollover
                                       		  certificate is present, and the shadow or rollover certificate’s start time is
                                       		  either the same or earlier than the certificate’s end time.
                                       		
                                     
 | 
                        
This feature cannot be disabled and requires no additional configuration tasks. The show crypto pki timers command is enhanced to display the timer expiry information. The following is a sample output from the show crypto pki timers detail command that displays the timer when a certificate is about to expire. When this timer expires, a notification is sent to the syslog server.
Device# show crypto pki timers detail
PKI Timers
|       14:36.150  (2019-10-30T11:33:30Z) 
  |       14:36.150  (2019-10-30T11:33:30Z) SESSION CLEANUP 
  |2569d23:56:19.461  (2026-11-12T11:15:13Z) SHADOW test
Expiry Alert Timers
|659d 5:56:19.599  (2021-08-19T17:15:13Z) 
  |659d 5:56:19.599  (2021-08-19T17:15:13Z) ID(test)
  |2875d 4:45:18.562  (2027-09-13T16:04:12Z) CA(test)
Trustpool Timers
|3464d 9:06:48.463  (2029-04-24T20:25:42Z) 
  |3464d 9:06:48.463  (2029-04-24T20:25:42Z) TRUSTPOOL
The following is a syslog message that is displayed on the device:
Device#
Dec 16 10:24:13.533: %PKI-4-CERT_EXPIRY_WARNING: ID Certificate belonging to trustpoint tp will expire in 60 Days 0 hours 0 mins 0 secs.
Issuer-name cn=CA
Subject-name hostname=Router
Serial-number 02
Auto-Renewal: Not Enabled
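As an added example (not part of the Cisco documentation), the following parser turns a %PKI-4-CERT_EXPIRY_WARNING message and its trailing detail lines into a structured record, classifies it as warning or alert mode by the remaining-validity rule given above, and flags certificates that will not renew on their own. The sample text is constructed after the message shown in this document; the field names, the assumption that a renewable certificate reports something other than "Not Enabled", and the helper names are mine.

```python
import re
from datetime import timedelta

# Constructed sample, modelled on the syslog message shown in this document.
SAMPLE = """Dec 16 10:24:13.533: %PKI-4-CERT_EXPIRY_WARNING: ID Certificate belonging to trustpoint tp will expire in 60 Days 0 hours 0 mins 0 secs.
Issuer-name cn=CA
Subject-name hostname=Router
Serial-number 02
Auto-Renewal: Not Enabled"""

# First line: severity, mnemonic, certificate type, trustpoint and remaining lifetime.
HEADER = re.compile(
    r"%PKI-(?P<sev>\d)-(?P<mnemonic>CERT_EXPIRY_\w+): "
    r"(?P<cert_type>\w+) Certificate belonging to trustpoint (?P<trustpoint>\S+) "
    r"will expire in (?P<d>\d+) Days (?P<h>\d+) hours (?P<m>\d+) mins (?P<s>\d+) secs"
)
# Detail lines that follow the header (key, optional colon, value).
FIELD = re.compile(r"^(Issuer-name|Subject-name|Serial-number|Auto-Renewal):?\s+(.*)$")

def parse_expiry_notification(text):
    """Return a dict describing one PKI expiry notification, or None if it is not one."""
    lines = text.strip().splitlines()
    m = HEADER.search(lines[0])
    if not m:
        return None
    remaining = timedelta(days=int(m["d"]), hours=int(m["h"]),
                          minutes=int(m["m"]), seconds=int(m["s"]))
    rec = {
        "severity": int(m["sev"]),
        "mnemonic": m["mnemonic"],
        "cert_type": m["cert_type"],
        "trustpoint": m["trustpoint"],
        "remaining": remaining,
        # Warning mode while more than a week of validity is left, alert mode below that.
        "mode": "warning" if remaining > timedelta(days=7) else "alert",
    }
    for line in lines[1:]:
        f = FIELD.match(line.strip())
        if f:
            rec[f.group(1).lower().replace("-", "_")] = f.group(2).strip()
    # Assumption: any value other than "Not Enabled" means autoenrollment will renew the cert.
    rec["autoenroll"] = not rec.get("auto_renewal", "Not Enabled").lower().startswith("not")
    return rec

def needs_manual_renewal(rec):
    """True when the certificate is expiring and nothing will renew it automatically."""
    return rec is not None and not rec["autoenroll"]
```

Feed each multi-line notification to parse_expiry_notification as it is collected from the syslog server; records in alert mode, or for which needs_manual_renewal is true, are the ones to ticket before the certificate lapses.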