IMAG CERT Command to get the certificate expiration for the components

Document ID : KB000072222
Last Modified Date : 27/02/2018
Issue:
Need the commands to check the certificate expiration dates for the components listed below:

Provisioning Server
Provisioning Manager
Connector server
Connector Express
Provisioning Directory
CA Directory
Jboss
Resolution:
Provisioning Server 
================= 
On each Provisioning Server, run the command below from the "tls" data folder. It prints the certificate's expiration date (in this example, Oct 6 2017). 

C:\Program Files (x86)\CA\Identity Manager\Provisioning Server\data\tls>..\..\bin\openssl x509 -enddate -noout -in et2_cacert.pem 

WARNING: can't open config file: /usr/local/ssl/openssl.cnf 

(The warning only means the bundled openssl has no config file; it does not affect the result and can be ignored.) 

notAfter=Oct 6 08:25:50 2017 GMT -> in this example, the certificate expired on Oct 6 2017. Compare the date against the current date; a notAfter in the past means the certificate has expired.


Provisioning Manager 
=================== 
Same command as above, but run from the Provisioning Manager's "tls" folder: 

C:\Program Files (x86)\CA\Identity Manager\Provisioning Manager\data\tls>..\..\bin\openssl x509 -enddate -noout -in et2_cacert.pem 

Connector server and Connector Express 
==================================== 
Run the following two commands, one for the client certificate and one for the server certificate: 

keytool -list -v -alias eta2_client -keystore "<path to \CA\Identity Manager\Connector Server\jcs\conf>\ssl.keystore" 

Enter the JCS connector password when prompted for the keystore password. 

and 

keytool -list -v -alias eta2_server -keystore "<path to \CA\Identity Manager\Connector Server\jcs\conf>\ssl.keystore" 

Enter the JCS connector password when prompted for the keystore password. 

In the output of each command, look for the line below; the "until" date is the expiration date: 

Valid from: xxxxxxxxxx until: xxxxxx 

Provisioning Directory and CA Directory 
==================================== 
On the machines where the Provisioning Directory is installed, open a command prompt and run the command: 

dxcertgen report 


This command lists all certificates with their validity dates. Expired certificates are marked INVALID. Here is an example: 


- <hostname>-impd-notify.pem - 
certificate : 1 
version : 3 
serialNum : 311 
issuer : /C=US/ST=NY/L=Islandia/O=Identity Management/OU=Provisioning Services 
notBefore : Nov 28 18:26:00 2007 GMT 
notAfter : Nov 25 18:26:00 2017 GMT 
subject : /C=US/ST=NY/O=Identity Management/OU=Provisioning Services/CN=eta_server 
status : *** INVALID *** 

- <hostname>-imps-router.pem - 
certificate : 1 
version : 3 
serialNum : 311 
issuer : /C=US/ST=NY/L=Islandia/O=Identity Management/OU=Provisioning Services 
notBefore : Nov 28 18:26:00 2007 GMT 
notAfter : Nov 25 18:26:00 2017 GMT 
subject : /C=US/ST=NY/O=Identity Management/OU=Provisioning Services/CN=eta_server 
status : *** INVALID *** 


If the certificates have not expired, note the notAfter date of each one so the renewal can be scheduled before it is reached. 

Jboss 
======= 
This depends on two things: 
a) Whether the connection between Identity Manager and the Provisioning Server uses SSL. If it does not, there is no certificate to check. 
b) If it uses SSL, how the customer has set up the JBoss keystore: either a dedicated keystore (whose location CA Support cannot know) or the JDK default keystore. 

By default, the JBoss keystore is the "cacerts" file of the JDK that JBoss is configured to use, for example: 

keytool -list -v -alias <name of the provisioning root cert> -keystore "C:\Program Files\Java\jdk1.7.0_79\jre\lib\security\cacerts" 

The default password for cacerts is "changeit" unless the customer has changed it. 

In the output, check the "until" date in the line: Valid from: xxxxxxxxxx until: xxxxxx 

For a custom keystore, the customer can use the same command as above, replacing the -keystore value with the path and name of that keystore. 
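The three tools above (openssl, keytool, dxcertgen) each print the expiry in a different format, and the article leaves the comparison against the current date to the reader. The script below is an added example, not part of this article or of CA Identity Manager: it parses the three output formats and reports each certificate as OK, EXPIRING (within 30 days) or EXPIRED. The sample outputs, the hostname "host1", the alias lines in the keytool sample and the reference date are all constructed for the example; the keytool date layout assumed here is Java's default Date.toString() layout with a UTC timezone (a system with another locale or timezone prints it differently).

```python
import re
from datetime import datetime, timezone

# Constructed sample outputs (not captured from a real system), one per tool.
OPENSSL_OUTPUT = "notAfter=Oct  6 08:25:50 2017 GMT\n"

KEYTOOL_OUTPUT = """Alias name: eta2_client
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=eta2_client, OU=Provisioning Services, O=Identity Management
Valid from: Thu Oct 06 08:25:50 UTC 2016 until: Sat Oct 06 08:25:50 UTC 2018
"""

DXCERTGEN_OUTPUT = """ - host1-impd-notify.pem -
certificate : 1
version : 3
notBefore : Nov 28 18:26:00 2007 GMT
notAfter : Nov 25 18:26:00 2017 GMT
status : *** INVALID ***

 - host1-imps-router.pem -
certificate : 1
version : 3
notBefore : Nov 28 18:26:00 2017 GMT
notAfter : Nov 25 18:26:00 2027 GMT
"""

# Constructed "current date" so the example gives a fixed answer offline.
REFERENCE_NOW = datetime(2017, 11, 1, tzinfo=timezone.utc)


def _parse_gmt(text):
    """Parse 'Mon D HH:MM:SS YYYY GMT' as printed by openssl and dxcertgen.
    openssl pads single-digit days with two spaces, so collapse whitespace."""
    text = " ".join(text.split())
    return datetime.strptime(text, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def parse_openssl_enddate(text):
    """Return the notAfter value from 'openssl x509 -enddate -noout' output."""
    match = re.search(r"notAfter=(.+)", text)
    return _parse_gmt(match.group(1))


def parse_keytool_validity(text):
    """Return (not_before, not_after) from the 'Valid from: ... until: ...' line."""
    match = re.search(r"Valid from: (.+?) until: (.+)", text)
    fmt = "%a %b %d %H:%M:%S %Z %Y"  # assumed Java Date.toString() layout, UTC
    return tuple(datetime.strptime(part.strip(), fmt).replace(tzinfo=timezone.utc)
                 for part in match.groups())


def parse_dxcertgen_report(text):
    """Map each '- <file>.pem -' block of 'dxcertgen report' to its notAfter."""
    results, current = {}, None
    for line in text.splitlines():
        header = re.match(r"\s*-\s+(\S+)\s+-\s*$", line)
        if header:
            current = header.group(1)
            continue
        not_after = re.match(r"\s*notAfter\s*:\s*(.+)", line)
        if not_after and current:
            results[current] = _parse_gmt(not_after.group(1))
    return results


def days_remaining(not_after, now):
    return (not_after - now).days


def classify(not_after, now, warn_days=30):
    days = days_remaining(not_after, now)
    if days < 0:
        return "EXPIRED"
    return "EXPIRING" if days <= warn_days else "OK"


def check_all(now):
    """Run every parser over the sample outputs; returns (name, expiry, status)."""
    findings = [("Provisioning Server et2_cacert.pem", parse_openssl_enddate(OPENSSL_OUTPUT))]
    _not_before, until = parse_keytool_validity(KEYTOOL_OUTPUT)
    findings.append(("Connector Server eta2_client", until))
    for name, not_after in parse_dxcertgen_report(DXCERTGEN_OUTPUT).items():
        findings.append(("Provisioning Directory " + name, not_after))
    return [(name, na.date().isoformat(), classify(na, now)) for name, na in findings]


if __name__ == "__main__":
    for name, expiry, status in check_all(REFERENCE_NOW):
        print(f"{status:8} {expiry}  {name}")
```

In practice, replace the constructed sample strings with the captured output of each command (for example via subprocess) and pass datetime.now(timezone.utc) as "now"; the 30-day warning threshold is a choice for the example and should match the site's renewal lead time.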

=========================