The certExpiryCheck feature checks for expired certificates, verifies trust anchor validity, and, if OCSP is enabled, checks whether certificates have been revoked. The following Certificate Expiry Check parameters are configurable:
- The re-check rate parameter, certReCheckRate, is configurable from every 8 hours up to every 30 days in increments of 1 hour. The default value is once per 24 hour period.
- The expiration periodic warning parameter, expirationPeriodicWarning, is configurable between 3 and 14 days, and represents the frequency for sending periodic warning reminders once the expiryWarningThreshold has been met. The default value is 7 days. Select 'disable' to turn off this feature.
- The expiry warning threshold parameter, expiryWarningThreshold, is configurable between 30 and 90 days, and represents the number of days prior to a certificate expiration date on which to generate an expiry warning message. The default value is 60 days. Select 'disable' to turn off this feature.
Upon failure of any one of the checks, the SBC terminates the TLS session and logs a MAJOR level event (sonusSbxFailedCertificateReCheck - MAJOR) to alert the user. There is one exception: if OCSP is enabled but the SBC does not receive a revocation status of successful.good or successful.revoked, the corresponding TLS session continues for SIP/TLS.
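The timing these three parameters imply, worked through as an added example (this is not SBC or vendor code): it validates values against the documented ranges, lists the dates on which expiry warnings fall due, and gives the longest time a failed certificate can go unnoticed between re-checks. The function names, the sample expiry date, and the schedule model (first warning at the threshold, then one reminder per period until expiry, checks running only at the configured interval) are assumptions; the 'disable' setting is not modelled.

```python
from datetime import datetime, timedelta, timezone

# Ranges as documented above: (min, max, default).
RANGES = {
    "certReCheckRate": (8, 720, 24),            # hours
    "expirationPeriodicWarning": (3, 14, 7),    # days
    "expiryWarningThreshold": (30, 90, 60),     # days
}

def validate(name, value):
    """Return value if it is an integer inside the documented range, else raise."""
    lo, hi, _default = RANGES[name]
    if isinstance(value, bool) or not isinstance(value, int) or not lo <= value <= hi:
        raise ValueError(f"{name}={value!r} is outside {lo}-{hi}")
    return value

def warning_dates(not_after, threshold_days=60, periodic_days=7):
    """Dates on which an expiry warning is due for one certificate.

    Assumed model: first warning threshold_days before not_after, then a
    reminder every periodic_days until the certificate expires.
    """
    validate("expiryWarningThreshold", threshold_days)
    validate("expirationPeriodicWarning", periodic_days)
    due = not_after - timedelta(days=threshold_days)
    dates = []
    while due < not_after:
        dates.append(due)
        due += timedelta(days=periodic_days)
    return dates

def max_detection_delay(recheck_hours=24):
    """Worst-case delay before a periodic re-check notices a certificate
    that expired or was revoked just after the previous check (assumption:
    checks run only at the configured interval)."""
    return timedelta(hours=validate("certReCheckRate", recheck_hours))

if __name__ == "__main__":
    # Constructed sample expiry date, not taken from a real certificate.
    expiry = datetime(2030, 6, 30, tzinfo=timezone.utc)
    for d in warning_dates(expiry):
        print("warn on", d.date())
    print("worst-case detection delay:", max_detection_delay(720))
```

Under these assumptions, the maximum certReCheckRate of 720 hours leaves up to 30 days between a certificate failing a check and the session being terminated, which is worth weighing against the cost of more frequent re-checks.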
Command Syntax
% set system security certExpiryCheck certReCheckRate <8-720 hours> expirationPeriodicWarning <3-14 days> expiryWarningThreshold <30-90 days>
% show system security certExpiryCheck
Command Parameters