

Certificate health check

The CertMgr task checks the health of imported keys and certificates at the time of import and every 30 minutes thereafter.

A column in the KeyFiles view of certstore.nsf shows green, yellow, or red icons to indicate the status of each certificate. If yellow or red is shown, open the document and read the Status field to find details about the problem. The reported status is similar to information generated by the kyrtool verify command, for example, a missing key or mismatch between key and certificate.

CertMgr also checks the Certificate Expiration Date and Certificate Renew Date of each certificate. A certificate that exceeds its renew date by at least one day without being renewed is flagged yellow. A certificate that is due to expire in one day or has expired is flagged red.

Use the tell certmgr check command to run the key and certificate health check on demand.

The following CertMgr statistics are available to report certificate health:

Table 1. CertMgr certificate health statistics

Statistic                    Description
CertMgr.CertStatus.Green     Number of certificates that are in a healthy state.
CertMgr.CertStatus.Red       Number of certificates with errors.
CertMgr.CertStatus.Yellow    Number of certificates with warnings.
CertMgr.CertStatus           The overall health of certificates. Shows the most severe certificate state found. For example, if all certificates are healthy, reports "Green." If at least one certificate has an error, reports "Red."

For example:

> show stat certmgr.*
CertMgr.CertStatus.Green = 3
CertMgr.CertStatus.Red = 1
CertMgr.CertStatus.Yellow = 2
CertMgr.CertStatus = Red
4 statistics found

Note: Certificate health status pertains to keys and certificates and not operations. For example, a certificate renew operation can fail despite a valid certificate.
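To make the colour thresholds concrete, the following is an added Python model of the classification rules described above and of how the four statistics are derived; it is not Domino's or CertMgr's own code. The CertRecord fields, the one-day comparisons and the sample dates are assumptions constructed to reproduce the show stat output shown.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

SEVERITY = {"Green": 0, "Yellow": 1, "Red": 2}  # order used for the overall status

@dataclass
class CertRecord:
    """Constructed stand-in for a certstore.nsf KeyFiles document (field names assumed)."""
    name: str
    expiration: date                 # Certificate Expiration Date
    renew: date                      # Certificate Renew Date
    key_error: Optional[str] = None  # e.g. missing key or key/certificate mismatch

def classify(cert: CertRecord, today: date) -> str:
    """Red: key/cert problem, or expires within one day; Yellow: renew date exceeded by 1+ day."""
    if cert.key_error:
        return "Red"
    if cert.expiration - today <= timedelta(days=1):
        return "Red"
    if today - cert.renew >= timedelta(days=1):
        return "Yellow"
    return "Green"

def certmgr_stats(certs: List[CertRecord], today: date) -> Dict[str, object]:
    """Build the four statistics; CertMgr.CertStatus is the most severe state found."""
    counts = {"Green": 0, "Yellow": 0, "Red": 0}
    for cert in certs:
        counts[classify(cert, today)] += 1
    present = [state for state, n in counts.items() if n]
    overall = max(present, key=SEVERITY.__getitem__, default="Green")
    return {
        "CertMgr.CertStatus.Green": counts["Green"],
        "CertMgr.CertStatus.Red": counts["Red"],
        "CertMgr.CertStatus.Yellow": counts["Yellow"],
        "CertMgr.CertStatus": overall,
    }

# Constructed sample: three healthy, two past their renew date, one expiring tomorrow.
TODAY = date(2024, 6, 1)
SAMPLE = [
    CertRecord("mail.example.test", date(2025, 6, 1), date(2025, 4, 1)),
    CertRecord("web.example.test", date(2025, 3, 1), date(2025, 1, 1)),
    CertRecord("ldap.example.test", date(2024, 12, 1), date(2024, 10, 1)),
    CertRecord("smtp.example.test", date(2024, 9, 1), date(2024, 5, 31)),  # renew exceeded by one day
    CertRecord("imap.example.test", date(2024, 7, 1), date(2024, 1, 1)),   # long past renew date
    CertRecord("old.example.test", date(2024, 6, 2), date(2024, 4, 1)),    # expires in one day
]
```

Running certmgr_stats(SAMPLE, TODAY) yields Green = 3, Yellow = 2, Red = 1 and an overall status of Red, the same picture as the console output above.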
