06/17/2024
Hello
I have two questions about CertificateExpirationAlarmType.
CertificateExpirationAlarmType has Certificate, CertificateType, ExpirationDate, ExpirationLimit fields.
1. In CertificateExpirationAlarm, does the Server put the client's certificate in the inputNode and update the Certificate field after the client has connected to the Server?
2. If a client connects to the Server and the client's certificate is going to expire in less than 2 weeks, the Server should emit CertificateExpirationAlarm, but how does the client handle CertificateExpirationAlarm? Does the client need to close the connection, then get a new certificate, then connect to the Server?
Testing this Alarm with CTT: for test cases 2, 3 and 4, CTT will require the Server to use a different Certificate for each test: the first one is going to expire, the second one is already within expired, and the last one is already expired.
Thanks
07/05/2017
The purpose of this alarm is to indicate that the Server's own certificate is about to expire or has already expired. It is not about a client that is connecting to the Server. A Server might have more than one Certificate; it might have an Application Instance certificate or a User Certificate, both of which have expiration dates. This alarm is raised when the certificate is nearing this date. The ExpirationLimit indicates how near to the ExpirationDate; if ExpirationLimit is not provided, then a default of 2 weeks is used.
For example, if the Server's Application Instance certificate will expire January 28, 2025 and the ExpirationLimit was set to 2 weeks, then on January 14, 2025, the server will raise the Alarm. It will stay active until the Server Application Instance certificate is updated. This Alarm is used to remind the end User that his server will need a new Application Instance certificate soon. If the Application Instance certificate is not updated before the expiration time, clients might no longer be able to connect to the Server (the Server has an expired certificate).
The testing for this alarm on the Server can be accomplished by loading a certificate that will expire onto the server; it can also be tested by manipulating the time on the system. Typically this would be tested overnight: the certificate loaded is not within the expiration window, but will be the next morning; in the morning the alarm should be active. Time can also be manipulated to push the server into the future where the certificate would be near expiring.
Paul
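The window arithmetic from the answer above, as an added example that is not part of the original posts and not code from any OPC UA SDK: it computes when the alarm becomes active for each of the Server's own certificates and which clock settings put a loaded certificate in each test state. `CertRecord`, `classify`, `active_alarms` and `clock_plan` are hypothetical names, and the second certificate's values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

DEFAULT_LIMIT = timedelta(weeks=2)  # used when ExpirationLimit is not provided


@dataclass
class CertRecord:  # hypothetical record, not an OPC UA SDK type
    name: str
    expiration_date: datetime                     # ExpirationDate (certificate notAfter)
    expiration_limit: Optional[timedelta] = None  # ExpirationLimit


def alarm_start(cert: CertRecord) -> datetime:
    """First instant at which the alarm should be active."""
    limit = DEFAULT_LIMIT if cert.expiration_limit is None else cert.expiration_limit
    return cert.expiration_date - limit


def classify(cert: CertRecord, now: datetime) -> str:
    """'ok' (alarm inactive), 'expiring' or 'expired' (alarm active in both)."""
    if now > cert.expiration_date:
        return "expired"
    return "expiring" if now >= alarm_start(cert) else "ok"


def active_alarms(certs, now):
    """Names of the server's own certificates whose alarm should be active."""
    return [c.name for c in certs if classify(c, now) != "ok"]


def clock_plan(cert: CertRecord, margin: timedelta = timedelta(hours=1)) -> dict:
    """System-clock settings that put one loaded certificate in each state."""
    return {
        "ok": alarm_start(cert) - margin,
        "expiring": alarm_start(cert) + margin,
        "expired": cert.expiration_date + margin,
    }


UTC = timezone.utc
# Application Instance certificate from the answer's example (default 2-week limit).
APP_CERT = CertRecord("ApplicationInstance", datetime(2025, 1, 28, tzinfo=UTC))
# Constructed second certificate with an explicit 30-day ExpirationLimit.
USER_CERT = CertRecord("User", datetime(2025, 3, 1, tzinfo=UTC), timedelta(days=30))

if __name__ == "__main__":
    for state, when in clock_plan(APP_CERT).items():
        print(state, when.isoformat(), active_alarms([APP_CERT, USER_CERT], when))
```

The alarm clears only when the certificate is replaced: passing a record with a later `expiration_date` under the same clock returns an empty list.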