How to set up TLS/SSL Certificate Expiry alert on Apigee Edge

Hi,

Can someone help me with setting up TLS certificate expiry notification on Apigee Edge? It should trigger emails when the certificates are about to expire. I understand that there is a BETA version to create the Alerts, but do we have any other options to have these expiry alerts?

Thanks and Regards

Shiv


Hi, I never saw this option. What I know is that you check an option when you are creating a new certificate to define "Allow expired certificate".

There is an option in alerts to create an alert for TLS expiry. We can set it. But I am not sure how reliable it is and I couldn't see the option to set it for portal certificates.

jaupadhyay
Participant IV

Hi @Shivakumar Sudi

Another way to check is to make a call to the Management API to inspect the certificate expiry time.

You can make the following call to the Management API to get the necessary information.

https://apidocs.apigee.com/management/apis/get/organizations/%7Borg_name%7D/environments/%7Benv_name...

The above call gives a response which looks like the one below.

{
  "certInfo": [
    {
      "validFrom": 1573656514000,
      "expiryDate": 1889016514000,
	.....	
    }
  ],
  "certName": "Your Cert Name"
}

The above response contains the expiry date in Unix epoch time format.

You can write a little app which makes the above call, inspects the expiry date and triggers an email based on your requirement.

See if above approach works for you based on your requirement and constraint within your org.
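A sketch of the "little app" suggested in the reply above, added here as an example and not code from the thread or from Apigee. It parses a response shaped like the one quoted and assumes `expiryDate` is in epoch milliseconds (the sample values are 13 digits); the Management API call and the email delivery are left out, and the function names and the 30-day threshold are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like the response quoted above (elided fields left out).
SAMPLE_RESPONSE = """
{
  "certInfo": [{"validFrom": 1573656514000, "expiryDate": 1889016514000}],
  "certName": "Your Cert Name"
}
"""


def check_cert_expiry(response_text, now, warn_days=30):
    """Classify every certInfo entry as ok, expiring, expired or unparseable."""
    doc = json.loads(response_text)
    name = doc.get("certName", "<unnamed>")
    entries = doc.get("certInfo") or []
    if not entries:
        # An empty answer is reported, not treated as "nothing to worry about".
        return [{"cert": name, "status": "no_cert_info", "days_left": None}]
    findings = []
    for entry in entries:
        raw = entry.get("expiryDate")
        if isinstance(raw, bool) or not isinstance(raw, (int, float)):
            findings.append({"cert": name, "status": "unparseable", "days_left": None})
            continue
        # Assumption: epoch milliseconds, as the 13-digit sample values suggest.
        expiry = datetime.fromtimestamp(raw / 1000, tz=timezone.utc)
        remaining = expiry - now
        if remaining <= timedelta(0):
            status = "expired"
        elif remaining <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        findings.append({"cert": name, "status": status,
                         "days_left": remaining.days, "expires": expiry.isoformat()})
    return findings


def needs_alert(findings):
    """Everything that is not a clean 'ok' should reach a human."""
    return [f for f in findings if f["status"] != "ok"]


if __name__ == "__main__":
    for finding in needs_alert(check_cert_expiry(SAMPLE_RESPONSE, datetime.now(timezone.utc))):
        print(finding)
```

Reporting `unparseable` and `no_cert_info` as alerts keeps a changed or empty API response from silently disabling the check.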

Thanks Jayesh,

Can we use Apigee itself to make these calls? Do you think it's a good approach? Also, would it give the portal certificate details as well? Because, under alerts, I couldn't see a portal option to set the expiry alert. So I am wondering if it will cover that as well.

Regards

Shiv

Hi @Shivakumar Sudi

Yes, you can use Apigee to make this call, using a Service Callout to the Management API to fetch the necessary information. Based on your requirement and what's available to achieve that, I would say this is an acceptable approach. This will only validate certificates available in the Edge environment TLS keystores. If the portal cert is not in your TLS keystore, you can't trigger that automatically. One approach to check the Dev portal certificate can be to store your Dev portal cert as an encrypted KVM. You can fetch that cert and fetch the certificate attributes using a JavaScript or Java callout which will use openssl capabilities to achieve that. See if that's good enough as your solution.

Regards

Jayesh