The Cisco IOS Certificate Authority (CA) server allows autoenrollment of certificates before
a certificate expires to ensure the availability of certificates for
applications during authentication. However, network outages, clock update
problems, and overloaded CAs can impede certificate renewal, thereby resulting
in subsystems going offline because no valid certificates can be used for
authentication. The PKI Credentials Expiry Alerts feature provides a mechanism
by which a CA client sends a notification to a syslog server when certificates
are on the verge of expiry.
The notifications are sent at the following intervals:
- First notification—This is sent 60 days before the expiry of the certificate.
- Subsequent notifications—After the first notification, notifications are sent every week until a week before the expiry of the certificate. In the last week, notifications are sent every day until the certificate expiry date.
The notifications are in a warning mode when the certificate is valid for more than a week. The notifications are in an alert mode when a certificate’s validity is less than a week. The notifications include the following information:
- Trustpoint the certificate is associated with
- Serial number of the certificate
- Number of days remaining for the certificate to expire
- Whether the certificate is enabled with autoenrollment
- Whether a shadow certificate is available for the corresponding certificate
The notifications are sent either via the syslog server or Simple Network Management Protocol (SNMP) traps. Notifications stop when a trustpoint is configured with autoenrollment and the corresponding shadow or rollover certificate is present, and the shadow or rollover certificate’s start time is either the same as or earlier than the certificate’s end time.
This feature cannot be disabled and requires no additional configuration tasks. The show crypto pki timers command is enhanced to display the timer expiry information. The following is a sample output from the show crypto pki timers detail command that displays the timer when a certificate is about to expire. When this timer expires, a notification is sent to the syslog server.
Device# show crypto pki timers detail
 |         14:36.150  (2019-10-30T11:33:30Z)
 |         14:36.150  (2019-10-30T11:33:30Z) SESSION CLEANUP
 |2569d23:56:19.461  (2026-11-12T11:15:13Z) SHADOW test

 Expiry Alert Timers
 | 659d 5:56:19.599  (2021-08-19T17:15:13Z)
 | 659d 5:56:19.599  (2021-08-19T17:15:13Z) ID(test)
 |2875d 4:45:18.562  (2027-09-13T16:04:12Z) CA(test)
 |3464d 9:06:48.463  (2029-04-24T20:25:42Z)
 |3464d 9:06:48.463  (2029-04-24T20:25:42Z) TRUSTPOOL
The timer is recalculated at NTP sync. The show crypto pki timers command displays absolute time in ISO 8601 format.
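The "Expiry Alert Timers" section above pairs a relative countdown with an absolute ISO 8601 fire time, and because the timer is recomputed at NTP sync the two must describe the same instant. The following is an added example (not Cisco code or output from the page beyond the sample lines it embeds) that parses that section, orders the expiry-alert timers by fire time, and recovers the capture time by subtracting each countdown from its ISO 8601 time, treating any disagreement between the entries as a sign the countdowns were not computed against the same clock. The sample text is constructed from the page's output; the 1-second tolerance is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample: the "Expiry Alert Timers" section of the
# "show crypto pki timers detail" output as printed on the page, preceded by
# one ordinary PKI timer line to show that lines outside the section are ignored.
SAMPLE_OUTPUT = """\
 |2569d23:56:19.461  (2026-11-12T11:15:13Z) SHADOW test
 Expiry Alert Timers
 | 659d 5:56:19.599  (2021-08-19T17:15:13Z)
 | 659d 5:56:19.599  (2021-08-19T17:15:13Z) ID(test)
 |2875d 4:45:18.562  (2027-09-13T16:04:12Z) CA(test)
 |3464d 9:06:48.463  (2029-04-24T20:25:42Z)
 |3464d 9:06:48.463  (2029-04-24T20:25:42Z) TRUSTPOOL
"""

# A timer line: "|", optional "<days>d", a countdown clock (H:MM:SS.mmm or
# MM:SS.mmm), the absolute fire time in ISO 8601 (UTC), and an optional label.
# The unlabelled line that precedes each labelled one is a slot header.
TIMER_RE = re.compile(
    r"^\s*\|\s*(?:(?P<days>\d+)d)?\s*(?P<clock>\d+(?::\d+){1,2}\.\d+)\s+"
    r"\((?P<iso>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\)\s*(?P<label>\S.*)?$"
)


def parse_countdown(days: Optional[str], clock: str) -> timedelta:
    """Convert "<days>d H:MM:SS.mmm" (or MM:SS.mmm) into a timedelta."""
    parts = clock.split(":")
    seconds = float(parts[-1])
    minutes = int(parts[-2])
    hours = int(parts[-3]) if len(parts) == 3 else 0
    return timedelta(days=int(days or 0), hours=hours, minutes=minutes, seconds=seconds)


def parse_expiry_timers(text: str) -> list:
    """Return the labelled timers under "Expiry Alert Timers", soonest first."""
    timers = []
    in_section = False
    for line in text.splitlines():
        if line.strip() == "Expiry Alert Timers":
            in_section = True
            continue
        if not in_section:
            continue
        m = TIMER_RE.match(line)
        if not m or not m.group("label"):
            continue  # not a timer line, or the unlabelled slot header
        fires_at = datetime.strptime(m.group("iso"), "%Y-%m-%dT%H:%M:%SZ")
        timers.append({
            "label": m.group("label").strip(),
            "countdown": parse_countdown(m.group("days"), m.group("clock")),
            "fires_at": fires_at.replace(tzinfo=timezone.utc),
        })
    return sorted(timers, key=lambda t: t["fires_at"])


def estimated_capture_time(timers: list, tolerance: timedelta = timedelta(seconds=1)) -> datetime:
    """Recover when the output was captured (fire time minus countdown) and check
    that every timer agrees within `tolerance`. Disagreement means the countdowns
    and the ISO 8601 times were not computed against the same clock, which is
    worth noticing on a device whose timers are rebuilt at NTP sync."""
    estimates = [t["fires_at"] - t["countdown"] for t in timers]
    if max(estimates) - min(estimates) > tolerance:
        raise ValueError("countdown and absolute fire times disagree: %s" % estimates)
    return min(estimates)


def next_expiry_alert(timers: list) -> tuple:
    """Label and fire time of the expiry-alert timer that fires first."""
    first = timers[0]
    return first["label"], first["fires_at"]


if __name__ == "__main__":
    parsed = parse_expiry_timers(SAMPLE_OUTPUT)
    print("captured at:", estimated_capture_time(parsed).isoformat())
    for t in parsed:
        print("%-10s fires %s (in %s)" % (t["label"], t["fires_at"].isoformat(), t["countdown"]))
```

Run against the page's sample the three entries agree on a capture time of 2019-10-30T11:18:53Z to within a fraction of a second, and the ID(test) timer is the first to fire; the same parser can be pointed at a periodic capture of the command output to track how far each certificate is from its first 60-day notice.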
The following is a syslog message that is displayed on the device:
 Dec 16 10:24:13.533: %PKI-4-CERT_EXPIRY_WARNING: ID Certificate belonging to trustpoint tp will expire in 60 Days 0 hours 0 mins 0 secs.
 Auto-Renewal: Not Enabled
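The notification schedule (first notice at 60 days, weekly until the last week, then daily) and the warning/alert split at one week of remaining validity are what a syslog consumer needs in order to act on the %PKI-4-CERT_EXPIRY_WARNING message. The following is an added example (not Cisco code, and not from the page) that parses the message together with its Auto-Renewal line, classifies each event as warning or alert mode, builds the expected notification schedule, and flags a device that has gone silent past the point where its next notification was due. The log lines are constructed from the page's sample; the second event, the trustpoint name "tp2", the assumption that the last-week message uses the same wording, and the exact day boundaries of the schedule are assumptions.

```python
import re
from datetime import timedelta
from typing import Optional

# Constructed sample log modelled on the %PKI-4-CERT_EXPIRY_WARNING message on
# the page. The second event (4 days left) is an assumption: the page shows only
# the 60-day message, so the last-week message is assumed to use the same
# wording. "tp2" is a placeholder trustpoint name.
SAMPLE_SYSLOG = """\
Dec 16 10:24:13.533: %PKI-4-CERT_EXPIRY_WARNING: ID Certificate belonging to trustpoint tp will expire in 60 Days 0 hours 0 mins 0 secs.
Auto-Renewal: Not Enabled
Feb 10 09:00:01.107: %PKI-4-CERT_EXPIRY_WARNING: CA Certificate belonging to trustpoint tp2 will expire in 4 Days 3 hours 0 mins 0 secs.
Auto-Renewal: Enabled
"""

FIRST_NOTICE_DAYS = 60   # first notification is sent 60 days before expiry
WEEK = 7

MSG_RE = re.compile(
    r"%PKI-4-CERT_EXPIRY_WARNING: (?P<cert_type>\w+) Certificate belonging to "
    r"trustpoint (?P<trustpoint>\S+) will expire in (?P<d>\d+) Days "
    r"(?P<h>\d+) hours (?P<m>\d+) mins (?P<s>\d+) secs\."
)
RENEWAL_RE = re.compile(r"^Auto-Renewal:\s*(?P<state>Enabled|Not Enabled)\s*$")


def alert_mode(remaining: timedelta) -> str:
    """Warning mode while more than a week of validity remains, alert mode inside
    the last week (the page does not say what happens at exactly seven days;
    this treats that boundary as alert)."""
    return "warning" if remaining > timedelta(days=WEEK) else "alert"


def parse_expiry_events(text: str) -> list:
    """Pair each CERT_EXPIRY_WARNING line with the Auto-Renewal line that follows it."""
    events = []
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if m:
            remaining = timedelta(days=int(m["d"]), hours=int(m["h"]),
                                  minutes=int(m["m"]), seconds=int(m["s"]))
            events.append({
                "timestamp": line.split(": %PKI", 1)[0],
                "cert_type": m["cert_type"],
                "trustpoint": m["trustpoint"],
                "remaining": remaining,
                "mode": alert_mode(remaining),
                "auto_renewal": None,   # filled from the following line, if present
            })
            continue
        r = RENEWAL_RE.match(line.strip())
        if r and events and events[-1]["auto_renewal"] is None:
            events[-1]["auto_renewal"] = (r["state"] == "Enabled")
    return events


def notification_schedule(first: int = FIRST_NOTICE_DAYS) -> list:
    """Days-before-expiry at which a notification is expected: weekly from the
    first notice while more than a week remains, then daily through the last
    week (a reading of the page's description; the day boundaries are assumed)."""
    weekly = list(range(first, WEEK, -WEEK))   # 60, 53, ..., 11
    daily = list(range(WEEK, 0, -1))           # 7, 6, ..., 1
    return weekly + daily


def next_expected_days(days_remaining: int) -> Optional[int]:
    """Days-before-expiry of the notification after one sent at `days_remaining`,
    or None when no further notification is expected."""
    later = [d for d in notification_schedule() if d < days_remaining]
    return later[0] if later else None


def overdue(days_since_last: int, days_remaining_at_last: int) -> bool:
    """True when the next notification should already have arrived. A device that
    falls silent inside its own warning window may have lost its syslog path or
    gone down, which is exactly when an unnoticed expiry turns into an outage."""
    nxt = next_expected_days(days_remaining_at_last)
    return nxt is not None and days_since_last > days_remaining_at_last - nxt


if __name__ == "__main__":
    for ev in parse_expiry_events(SAMPLE_SYSLOG):
        print(ev["timestamp"], ev["trustpoint"], ev["cert_type"], ev["mode"],
              "auto-renewal=%s" % ev["auto_renewal"], "next notice at day",
              next_expected_days(ev["remaining"].days))
```

An event in alert mode with Auto-Renewal "Not Enabled" is the case the feature exists for: nobody is going to renew that certificate automatically, so the consumer should page rather than file a ticket. The overdue check is the complementary signal: the schedule is deterministic, so a missing weekly or daily notice is itself worth alerting on.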