Skip to main content
Skip table of contents

OCSP Responder Signer Expiry Check

This article is new for Nexus OCSP Responder 6.3.0.

This article describes how to configure Nexus OCSP Responder Expiry Check.

Introduction

Expiry Check is a service that sends reminder logs when a responder's signer certificate is about to expire. By default every signer will register to this service with a default configuration.

When a signer’s certificate is about to expire, a log event of type "ExpiryCheck" will be triggered. If a configured warning threshold period is crossed before the expiry of the signer’s certificate happens, there will be a warning level message logged. When a severe warning threshold period is crossed, or if the certificate has expired, there will instead be a severe level message logged.

Expiry Check configuration

Configuration can be done on both a per signer level or on a per responder level. The more specific configuration will always be chosen first. If a configuration is missing, the default will apply.

Expiry check has four configuration parameters:

Parameter

Default value

Description

expiryCheck.disable=true|false

false

Specifies whether or not to disable Expiry Check Service.

expiryCheck.period=<time expr>

P24H

Specifies how frequently the Expiry Check Service will execute. By default, the check will be performed every 24 hours.

expiryCheck.warningBefore=<time expr>

P30D

Specifies the time period before the signer’s expiry date when a warning log should be sent. By default, 30 days before the signer’s expiry date.

expiryCheck.severeBefore=<time expr>

P7D

Specifies the time period before the signer’s expiry date when a severe log should be sent. By default, 7 days before the signer’s expiry date.

<time expr> should follow iso-8601 duration format

Example configuration for a signer:
responder.1.signer.1.expiryCheck.disable=false
responder.1.signer.1.expiryCheck.period=P24H
responder.1.signer.1.expiryCheck.warningBefore=P30D
responder.1.signer.1.expiryCheck.severeBefore=P5D

Example configuration for a responder, (Every signer for this responder will inherit this configuration):
;responder.1.expiryCheck.disable=false
;responder.1.expiryCheck.period=P24H
;responder.1.expiryCheck.warningBefore=P30D
;responder.1.expiryCheck.severeBefore=P5D

Logging configuration example

It it possible to filter ExpiryCheck messages by simply specifying “type=ExpiryCheck” in the logger filter configuration.

Example: Omit Expiry Check messages

agent.log.1.type = file
agent.log.1.prefix = log/ocsp
agent.log.5.filter = !type=ExpiryCheck

Example: Write ExpiryCheck messages only
agent.log.4.type = file
agent.log.4.prefix = log/ocsp-expiry-check
agent.log.4.filter = type=ExpiryCheck

Example: Write severe ExpiryCheck messages to syslog
agent.log.5.type = syslog
agent.log.5.port = 10514
agent.log.5.host = localhost
agent.log.5.facility = user
agent.log.5.filter = type=ExpiryCheck & severity=severe

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.