The certExpiryCheck feature checks for expired certificates, verifies trust anchor validity, and, if OCSP is enabled, checks whether certificates have been revoked. The following Certificate Expiry Check parameters are configurable:

  • The re-check rate parameter, certReCheckRate, is configurable from every 8 hours up to every 30 days in increments of 1 hour. The default value is once per 24-hour period.

  • The expiration periodic warning parameter, expirationPeriodicWarning, is configurable from 3 to 14 days and represents the frequency for sending periodic warning reminders once the expiryWarningThreshold has been met. The default value is 7 days. Select 'disable' to turn off this feature.

  • The expiry warning threshold parameter, expiryWarningThreshold, is configurable from 30 to 90 days and represents the number of days prior to a certificate expiration date on which to generate an expiry warning message. The default value is 60 days. Select 'disable' to turn off this feature.

Upon failure of any one of the checks, the SBC terminates the TLS session and logs a MAJOR level event (sonusSbxFailedCertificateReCheck - MAJOR) to alert the user. There is one exception: if OCSP is enabled but the SBC does not receive a revocation status of successful.good or successful.revoked, the corresponding TLS session continues for SIP/TLS.

Command Syntax

% set system security certExpiryCheck 
    certReCheckRate <8-720 hours>
    expirationPeriodicWarning <3-14 days>
    expiryWarningThreshold <30-90 days>
 
% show system security certExpiryCheck

Command Parameters

| Parameter | Length/Range | Description |
|---|---|---|
| certReCheckRate | disable, or 8-720 hours (in increments of 1 hour) | The interval, in hours, for SBC to re-check certificates. Select 'disable' to turn off this feature. (default = 24) |
| expirationPeriodicWarning | disable, or 3-14 days (in increments of 1 day) | The frequency, in days, for sending periodic warning reminders once the expiryWarningThreshold has been met. Select 'disable' to turn off this feature. (default = 7) |
| expiryWarningThreshold | disable, or 30-90 days (in increments of 1 day) | The number of days before a certificate expiration date on which to generate an expiry warning message. Select 'disable' to turn off this feature. (default = 60) |
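
The following sketch previews the warning timeline these parameters describe for a given certificate expiry date. It is an added example, not SBC or vendor code. It assumes the first warning is generated expiryWarningThreshold days before expiry and reminders repeat every expirationPeriodicWarning days until expiry; `validate`, `warning_schedule` and `status` are hypothetical helper names.

```python
from datetime import datetime, timedelta, timezone

# Ranges and defaults as listed in the parameter table; None models 'disable'.
RANGES = {"certReCheckRate": (8, 720),          # hours
          "expirationPeriodicWarning": (3, 14),  # days
          "expiryWarningThreshold": (30, 90)}    # days
DEFAULTS = {"certReCheckRate": 24, "expirationPeriodicWarning": 7,
            "expiryWarningThreshold": 60}

def validate(cfg):
    """Overlay cfg on the defaults; reject unknown names and out-of-range values."""
    unknown = set(cfg) - set(RANGES)
    if unknown:
        raise ValueError(f"unknown parameter(s): {sorted(unknown)}")
    merged = {**DEFAULTS, **cfg}
    for name, value in merged.items():
        lo, hi = RANGES[name]
        if value is not None and (type(value) is not int or not lo <= value <= hi):
            raise ValueError(f"{name}={value!r} is outside {lo}-{hi}")
    return merged

def warning_schedule(not_after, cfg=None):
    """Expected warning times for a certificate that expires at not_after."""
    # Assumed model: first warning at the threshold, then periodic reminders.
    c = validate(cfg or {})
    threshold, period = c["expiryWarningThreshold"], c["expirationPeriodicWarning"]
    if threshold is None:
        return []                      # warnings disabled entirely
    first = not_after - timedelta(days=threshold)
    if period is None:
        return [first]                 # reminders disabled: single warning
    steps = range(0, threshold, period)   # day offsets strictly before expiry
    return [first + timedelta(days=d) for d in steps]

def status(not_after, now, cfg=None):
    """Classify a certificate as 'expired', 'warning' or 'ok' at time now."""
    threshold = validate(cfg or {})["expiryWarningThreshold"]
    if now >= not_after:
        return "expired"
    if threshold is not None and not_after - now <= timedelta(days=threshold):
        return "warning"
    return "ok"

if __name__ == "__main__":
    expiry = datetime(2025, 12, 31, tzinfo=timezone.utc)  # constructed sample date
    for when in warning_schedule(expiry, {"expiryWarningThreshold": 30}):
        print(when.date())
```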