KB Article #176700

Obtaining the Expiration Dates of Secure Transport Certificates

Problem

Secure Transport stores a number of public and private certificates and keys. They are used for various purposes: authentication, encryption, decryption, certificate validation, etc. Maintaining these certificates, which requires knowing which certificate expires when, can become a challenging task over time.
The existing 'ckcerts' utility in the $FILEDRIVEHOME/bin folder provides information limited to the local server certificates and the internal CA.

Resolution


The main task when maintaining the Secure Transport server and account certificates is to identify the expiration time of each certificate. Starting with Secure Transport 5.2.x, this information can be obtained through the Administrator's RESTful API.

The following 'curl' commands show how the RESTful API services can be used for this purpose.


To display the available information for all certificates:

curl -k -X GET -H "Content-Type: application/xml" -H "Accept: application/xml" https://<ADMIN>:<PASSWORD>@<SERVER>:<PORT>/api/v1.1/certificates


To display the available information for the local server certificates:

curl -k -X GET -H "Content-Type: application/xml" -H "Accept: application/xml" https://<ADMIN>:<PASSWORD>@<SERVER>:<PORT>/api/v1.1/certificates?usage=local


To display the available information for trusted CAs:

curl -k -X GET -H "Content-Type: application/xml" -H "Accept: application/xml" https://<ADMIN>:<PASSWORD>@<SERVER>:<PORT>/api/v1.1/certificates?usage=trusted


To display the available information for accounts' login certificates:

curl -k -X GET -H "Content-Type: application/xml" -H "Accept: application/xml" https://<ADMIN>:<PASSWORD>@<SERVER>:<PORT>/api/v1.1/certificates?usage=login

To display the available information for accounts' partner certificates:

curl -k -X GET -H "Content-Type: application/xml" -H "Accept: application/xml" https://<ADMIN>:<PASSWORD>@<SERVER>:<PORT>/api/v1.1/certificates?usage=partner


To display the available information for accounts' private certificates:

curl -k -X GET -H "Content-Type: application/xml" -H "Accept: application/xml" https://<ADMIN>:<PASSWORD>@<SERVER>:<PORT>/api/v1.1/certificates?usage=private


The output is raw XML. A single certificate entry looks like this (the expirationTime value is in milliseconds since the Unix epoch):

<certificate>
        <id>8a688b484a3555eb014a4e1c1cee0050</id>
        <name>Account1_Private_x509cert1</name>
        <subject>CN=Account1_Private_x509cert1,OU=GSS,O=Axway,L=Sofia,ST=Bulgaria,C=Bulgaria</subject>
        <type>x509</type>
        <usage>private</usage>
        <expirationTime>1734009672000</expirationTime>
        <fingerprint>0x11A93B065090995F15D362F7D51C474E</fingerprint>
        <account>user</account>
        <metadata>
            <links>
                <account>https://localhost:444/api/v1.1/accounts/user</account>
                <self>https://localhost:444/api/v1.1/certificates/8a688b484a3555eb014a4e1c1cee0050</self>
            </links>
        </metadata>
</certificate>

To extract the useful information from the raw data, it has to be processed and formatted in a way that serves the need at hand (for example, converting the epoch-millisecond expiration time to a readable date and ordering the certificates by it). The attached 'check_cert_info.sh' bash script demonstrates one possible implementation.

Note that it works on Linux and requires the following packages to be installed: bash-4.1.2-15, perl-XML-Twig-3.34-1, coreutils-8.4-31.0.1, curl-7.19.7-37.

This script is not part of the Secure Transport product. It is not QA tested, is provided as is, and therefore should be considered a proof of concept only, with no warranties or guarantees implied to Axway in regard to its use whatsoever.

The output it provides looks like this:

<<<<< SERVER CERTIFICATE INFORMATION ORDERED BY EXPIRATION DATE >>>>>
Certificate Aliase: ca-old-0xDDA0739B7B38E6306E5301369C34AD1D
Usage:    trusted
Expiration Date: Sun Nov  9 17:13:59 EET 2014
################################################################################
Certificate Aliase: admind
Usage:    local
Expiration Date: Sat Mar 18 02:56:01 EET 2045
################################################################################

<<<<< ACCOUNT CERTIFICATE INFORMATION ORDERED BY EXPIRATION DATE >>>>>
Account:  user1
Usage:    partner
Certificate Aliase: user1_partner_X509cert
Expiration Date: Thu Jan  8 22:22:36 EET 2015
################################################################################
Account:  user
Usage:    login
Certificate Aliase: CN=Account1_Login_cert,OU=GSS,O=Axway,L=Sofia,ST=Bulgaria,C=Bulgaria
Expiration Date: Thu Dec 12 15:17:25 EET 2024
################################################################################
Account:  user
Usage:    private
Certificate Aliase: Account1_Private_x509cert1
Expiration Date: Thu Dec 12 15:21:12 EET 2024
################################################################################
Account:  user
Usage:    private
Certificate Aliase: Account1_Private_PGPcert1
Expiration Date: Thu Dec 12 15:21:56 EET 2024
################################################################################
Account:  user
Usage:    partner
Certificate Aliase: PGP_never_expire
Expiration Date: NEVER EXPIRE
################################################################################
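The following Python script is an added example of the processing step described above; it is not the attached check_cert_info.sh and not part of the Secure Transport product. It parses the XML returned by the /api/v1.1/certificates service, converts the epoch-millisecond expirationTime to a date, orders the certificates by expiration, prints a report in the layout shown above, and additionally flags certificates that are already expired or expire within a chosen number of days. The embedded SAMPLE_XML is constructed from the entry shown earlier; the root element name, the absence of an <account> element on server (local/trusted) certificates, the representation of a never-expiring key as a missing or zero expirationTime, and the fixed UTC+2 "EET" display offset are assumptions made for this example, not taken from the product documentation.

```python
#!/usr/bin/env python3
"""Report Secure Transport certificate expirations from the Administrator REST API XML.

Added example; not the attached check_cert_info.sh and not part of the product.
Usage:  curl -sk -u ADMIN "https://SERVER:PORT/api/v1.1/certificates" | python3 cert_expiry.py
"""
import sys
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Fixed UTC+2 offset so dates print like the EET sample output; no DST handling (assumption).
REPORT_TZ = timezone(timedelta(hours=2), "EET")
SEPARATOR = "#" * 80

# Constructed sample shaped like the <certificate> entries the API returns.
# Assumptions: root element name, no <account> on server certificates, and a
# never-expiring key carrying no <expirationTime> at all.
SAMPLE_XML = """<certificates>
<certificate><name>admind</name><usage>local</usage><expirationTime>2373411361000</expirationTime></certificate>
<certificate><name>ca-old-0xDDA0739B7B38E6306E5301369C34AD1D</name><usage>trusted</usage><expirationTime>1415546039000</expirationTime></certificate>
<certificate><name>Account1_Private_x509cert1</name><usage>private</usage><expirationTime>1734009672000</expirationTime><account>user</account></certificate>
<certificate><name>user1_partner_X509cert</name><usage>partner</usage><expirationTime>1420748556000</expirationTime><account>user1</account></certificate>
<certificate><name>PGP_never_expire</name><usage>partner</usage><account>user</account></certificate>
</certificates>"""


def parse_certificates(xml_text):
    """Return dicts with name, usage, account (None for server certs) and expires (aware datetime or None)."""
    certs = []
    for el in ET.fromstring(xml_text).iter("certificate"):
        raw = (el.findtext("expirationTime") or "").strip()
        # expirationTime is milliseconds since the Unix epoch: 1734009672000 -> 2024-12-12 13:21:12 UTC.
        expires = None
        if raw.isdigit() and int(raw) > 0:
            expires = datetime.fromtimestamp(int(raw) / 1000, tz=timezone.utc)
        certs.append({
            "name": el.findtext("name", "").strip(),
            "usage": el.findtext("usage", "").strip(),
            "account": el.findtext("account"),
            "expires": expires,
        })
    return certs


def sort_by_expiration(certs):
    """Soonest expiry first; certificates that never expire go last."""
    return sorted(certs, key=lambda c: c["expires"].timestamp() if c["expires"] else float("inf"))


def triage(certs, now, days=30):
    """Return (already expired, expiring within `days`) as name lists; `now` is passed in for determinism."""
    expired = [c["name"] for c in certs if c["expires"] and c["expires"] <= now]
    soon = [c["name"] for c in certs
            if c["expires"] and now < c["expires"] <= now + timedelta(days=days)]
    return expired, soon


def format_date(dt):
    """Render like the sample output, e.g. 'Sun Nov  9 17:13:59 EET 2014' (day is space-padded)."""
    if dt is None:
        return "NEVER EXPIRE"
    local = dt.astimezone(REPORT_TZ)
    return f"{local:%a %b} {local.day:2d} {local:%H:%M:%S %Z %Y}"


def format_report(certs):
    """Two sections, server then account certificates, each ordered by expiration date."""
    server = sort_by_expiration([c for c in certs if c["account"] is None])
    accounts = sort_by_expiration([c for c in certs if c["account"] is not None])
    lines = ["<<<<< SERVER CERTIFICATE INFORMATION ORDERED BY EXPIRATION DATE >>>>>"]
    for c in server:
        lines += [f"Certificate Alias: {c['name']}", f"Usage:    {c['usage']}",
                  f"Expiration Date: {format_date(c['expires'])}", SEPARATOR]
    lines += ["", "<<<<< ACCOUNT CERTIFICATE INFORMATION ORDERED BY EXPIRATION DATE >>>>>"]
    for c in accounts:
        lines += [f"Account:  {c['account']}", f"Usage:    {c['usage']}",
                  f"Certificate Alias: {c['name']}",
                  f"Expiration Date: {format_date(c['expires'])}", SEPARATOR]
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe the API response in on stdin; with no piped input the constructed sample is used.
    xml_text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_XML
    certs = parse_certificates(xml_text)
    print(format_report(certs))
    expired, soon = triage(certs, datetime.now(timezone.utc))
    if expired or soon:
        print(f"\nEXPIRED: {expired}\nEXPIRING WITHIN 30 DAYS: {soon}", file=sys.stderr)
```

When running it against a live server, pipe the curl output in rather than embedding the password in the URL as the commands above do: `curl -u ADMIN` prompts for the password (or use `--netrc`), which keeps it out of shell history and the process list, and `-k` can be dropped once the client trusts the certificate of the administration interface. The triage lists on stderr are what a monitoring job would act on, while the report on stdout matches the layout of the attached script.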