Certificate expiration trigger
The local certificate expiry trigger (local-certificate-near-expiry) can be used in an automation stitch if a user-supplied local certificate used for SSL VPN, deep inspection, or another purpose is about to expire. This trigger relies on the VPN certificate setting in the CLI that sets the certificate log expiring warning threshold:

    config vpn certificate setting
        set cert-expire-warning <integer>
    end

cert-expire-warning <integer>    Set the certificate log expiring warning threshold, in days (0 - 100, default = 14).
Example
In this example, the local certificate expiry trigger is used with an email notification action to remind an administrator to re-sign or load a new local certificate to avoid any service interruptions. The local certificate, fw-cert-30-days, will expire in 30 days. The certificate log expiring warning threshold is set to 31 days.
To configure the certificate log expiring warning threshold:
    config vpn certificate setting
        set cert-expire-warning 31
    end
To configure an automation stitch with the local certificate expiry trigger in the GUI:
- Configure the trigger:
    - Go to Security Fabric > Automation, select the Trigger tab, and click Create New.
    - In the System section, click Local Certificate Expiry, and enter the following:
        Name: Local Cert Expired Notification
        Description: Default automation trigger configuration for when a local certificate is near expiration.
    - Click OK.
- Configure the action:
    - Go to Security Fabric > Automation, select the Action tab, and click Create New.
    - In the Notifications section, click Email, and enter the following:
        Name: email_no_rep_message
        To: Enter an email address.
        Subject: CSF stitch alert
    - Click OK.
- Configure the stitch:
    - Go to Security Fabric > Automation, select the Stitch tab, and click Create New.
    - Enter the name, cert-expiry.
    - Click Add Trigger. Select Local Cert Expired Notification and click Apply.
    - Click Add Action. Select email_no_rep_message and click Apply.
    - Click OK.
To configure an automation stitch with the local certificate expiry trigger in the CLI:
- Configure the trigger:
    config system automation-trigger
        edit "Local Cert Expired Notification"
            set description "Default automation trigger configuration for when a local certificate is near expiration."
            set event-type local-cert-near-expiry
        next
    end
- Configure the action:
    config system automation-action
        edit "email_no_rep_message"
            set action-type email
            set email-to "*******@fortinet.com"
            set email-subject "CSF stitch alert"
        next
    end
- Configure the stitch:
    config system automation-stitch
        edit "cert-expiry"
            set trigger "Local Cert Expired Notification"
            config actions
                edit 1
                    set action "email_no_rep_message"
                    set required enable
                next
            end
        next
    end
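As an added example (not from the FortiOS documentation or product), the following Python check applies the same cert-expire-warning threshold to a list of certificate notAfter dates, so an administrator can confirm ahead of time which local certificates would raise the near-expiry log and on which day the stitch should first fire. The certificate names, dates and the "now" timestamp are constructed sample input; the rule that the event fires once the days remaining are at or below the threshold is an assumption consistent with the page's 30-day certificate and 31-day threshold.

```python
import datetime as dt
import ssl

# Accepted range for cert-expire-warning, from the CLI help on this page: 0 - 100 days, default 14.
WARN_MIN, WARN_MAX, WARN_DEFAULT = 0, 100, 14

# Constructed sample input: names and notAfter dates in 'openssl x509 -noout -enddate' format.
# The "now" value reuses the trigger timestamp shown in the page's diagnose output.
SAMPLE_NOW = dt.datetime(2022, 6, 23, 9, 32, 21, tzinfo=dt.timezone.utc)
SAMPLE_CERTS = {
    "fw-cert-30-days": "Jul 23 09:32:21 2022 GMT",   # expires in exactly 30 days
    "fw-cert-long":    "Dec 31 23:59:59 2023 GMT",   # well outside any valid threshold
    "fw-cert-expired": "Jun  1 00:00:00 2022 GMT",   # already expired (openssl pads the day)
}

def validate_threshold(days):
    """Reject values outside the range the CLI accepts for cert-expire-warning."""
    if not isinstance(days, int) or not WARN_MIN <= days <= WARN_MAX:
        raise ValueError(f"cert-expire-warning must be {WARN_MIN}-{WARN_MAX} days, got {days!r}")
    return days

def parse_not_after(not_after):
    """Parse a notAfter string such as 'Jun 23 09:32:21 2022 GMT' into an aware UTC datetime."""
    return dt.datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=dt.timezone.utc)

def days_until_expiry(not_after, now):
    """Whole days from `now` (aware UTC) until expiry; negative once the certificate has expired."""
    return (parse_not_after(not_after) - now).days

def near_expiry_report(certs, threshold=WARN_DEFAULT, now=None):
    """Return {name: (days_left, first_warning_date)} for every certificate that would
    raise the near-expiry log at the given threshold.
    Assumption: the event fires once days remaining <= threshold; the page only shows
    30 days remaining against a 31-day threshold, so the exact boundary is not documented."""
    threshold = validate_threshold(threshold)
    now = now or dt.datetime.now(dt.timezone.utc)
    hits = {}
    for name, not_after in certs.items():
        expiry = parse_not_after(not_after)
        left = (expiry - now).days
        if left <= threshold:
            # Day on which the FortiGate would first start logging for this certificate.
            hits[name] = (left, (expiry - dt.timedelta(days=threshold)).date())
    return hits

if __name__ == "__main__":
    # With the page's threshold of 31 days fw-cert-30-days is reported; at the default 14 it is not.
    for thr in (31, WARN_DEFAULT):
        print(f"cert-expire-warning {thr}: {near_expiry_report(SAMPLE_CERTS, thr, SAMPLE_NOW)}")
```

Feed it the notAfter values of your own local certificates (for example from openssl x509 -noout -enddate) to see which ones the stitch would already be alerting on at the configured threshold.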
Verification
Once the event log is generated for the local certificate expiry, the automation stitch is triggered and the email notification is sent.
To confirm that the stitch was triggered in the GUI:
- Go to Security Fabric > Automation and select the Stitch tab.
- Verify the Last Triggered column.
To confirm that the stitch was triggered in the CLI:
    # diagnose test application autod 3
    alert mail log count: 0
    stitch: cert-expiry
        local hit: 1 relayed to: 0 relayed from: 0
        last trigger:Thu Jun 23 09:32:21 2022
        last relay:
        actions:
            email_no_rep_message:
                done: 1 relayed to: 0 relayed from: 0
                last trigger:Thu Jun 23 09:32:21 2022
                last relay:

    logid to stitch mapping:
    id:22207 local hit: 1 relayed hits: 0 cert-expiry