forked from joemoore/docs-addon-ipsec
check-dates.html.md.erb
---
title: Checking Certificate Dates
owner: Security Engineering
---
<strong><%= modified_date %></strong>
This topic describes how to check the expiration dates of IPsec certificates.
The following procedure describes how to download the runtime configuration file,
extract the two IPsec certificates into temporary files, and pass those files to the OpenSSL tool,
which decodes the certificates and displays their expiration dates.
## <a id="check-dates"></a> Check Certificate Dates
Follow the steps below to determine the expiration dates of your IPsec certificates.
1. Log in to BOSH Director.
2. Run one of the following commands to download your runtime configuration YAML file:
    * **For Ops Manager v1.10 or earlier:**
      `bosh runtime-config > PATH-TO-SAVE-THE-RUNTIME-CONFIG`
    * **For Ops Manager v1.11 or later:**
      `bosh2 -e BOSH-ENVIRONMENT runtime-config > PATH-TO-SAVE-THE-RUNTIME-CONFIG`

    For example,
    <pre class='terminal'>bosh2 runtime-config > /tmp/my-runtime-config.yml</pre>
3. Display the runtime configuration YAML file so that you can copy from it.
    For example,
    <pre class='terminal'>$ cat /tmp/my-runtime-config.yml</pre>
4. Identify the section of the file that contains IPsec properties, and locate the certificates:
    ```
    addons:
    - include:
        stemcell:
        - os: ubuntu-trusty
      jobs:
      - name: ipsec
        release: ipsec
      name: ipsec
      properties:
        ipsec:
          ca_certificates:
          - |
            -----BEGIN CERTIFICATE-----
            MIIE/TCCAuWgAwIBAgIBATANBgkqhkiG9w0BAQsFADAOMQwwCgYDVQQDEwNjYTEw
            HhcNMTYwNTI2MjI1MDMzWhcNMjYwNTI2MjI1MDQyWjAOMQwwCgYDVQQDEwNjYTEw
            ...
            Axu2pbEoT1PrMd3HlAZ3AH8ZrMR3ScJKCW3wQFRX/Plj
            -----END CERTIFICATE-----
          instance_certificate: |
            -----BEGIN CERTIFICATE-----
            MIIEGTCCAgGgAwIBAgIQDlqK1V54BEknnblVPXu5lzANBgkqhkiG9w0BAQsFADAO
            MQwwCgYDVQQDEwNjYTEwHhcNMTYwNTI2MjI1MTAzWhcNMTgwNTI2MjI1MTAzWjAQ
            MQ4wDAYDVQQDEwVjZXJ0MTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
            ...
            4Q6P/cDn9QvW2QbbWkApP2uuMk04jWJV7p79CfX4pipPqiSofjFyFqsjjvir
            -----END CERTIFICATE-----
    ```
5. Copy the certificate listed under `ca_certificates` into a text file.
    Retain the header and footer,
    but delete the leading white space before the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines
    and before every line of the Base64 body.
    For example,
    <pre class='terminal'>
    -----BEGIN CERTIFICATE-----
    MIIE/TCCAuWgAwIBAgIBATANBgkqhkiG9w0BAQsFADAOMQwwCgYDVQQDEwNjYTEw
    HhcNMTYwNTI2MjI1MDMzWhcNMjYwNTI2MjI1MDQyWjAOMQwwCgYDVQQDEwNjYTEw
    ...
    Axu2pbEoT1PrMd3HlAZ3AH8ZrMR3ScJKCW3wQFRX/Plj
    -----END CERTIFICATE-----
    </pre>
6. Save the file with the `.pem` extension, for example, `my-ipsec-ca-cert.pem`.
7. Run the following command:
    <code>openssl x509 -text -inform pem -in /PATH/FILENAME.pem | grep "Not After"</code>
    Where `/PATH/FILENAME.pem` is the path to and filename of the file you saved in the step above.
    For example,
    <pre class='terminal'>
    $ openssl x509 -text -inform pem -in /tmp/my-ipsec-ca-cert.pem | grep "Not After"
    Not After : May 26 22:50:42 2026 GMT
    </pre>
    If the PEM file is correctly formatted,
    the output shows a line with the `Not After` date.
    If the PEM file is not correctly formatted,
    the output shows `unable to load certificate`.
8. Repeat steps 5–7 for the `instance_certificate`.
9. Review the `Not After` date and plan to replace the certificates accordingly.
    Keep in mind the lead time to obtain new certificates and the time to perform a deployment to apply them.
    For information, see [Rotating Active IPsec Certificates](credentials.html).
10. For security hygiene, delete the three temporary files that you created:
    the downloaded copy of the `runtime-config.yml`, which contains the private key,
    and the two PEM files that contain the certificates.
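The manual copy-and-strip in steps 4 through 7 is easy to get wrong (one stray space of indentation produces `unable to load certificate`), so the following script automates it. It is an added example and is not part of the IPsec add-on docs or the release itself: it pulls every `BEGIN CERTIFICATE` ... `END CERTIFICATE` block out of a downloaded runtime-config YAML, strips the indentation, and hands each file to `openssl x509 -enddate` (the machine-readable equivalent of `-text | grep "Not After"`) plus `openssl x509 -checkend`, which exits non-zero when a certificate will have expired within a given number of seconds. The runtime-config embedded below is constructed for the demonstration and its certificate bodies are placeholders, so on that input openssl takes the "not loadable" branch; run `extract_certs` and `report_dates` against your real `/tmp/my-runtime-config.yml` to see actual dates. The temporary directory is removed at the end, matching step 10.

```shell
#!/bin/sh
# Added example, not part of the original IPsec docs: pull every PEM
# certificate out of a downloaded BOSH runtime-config YAML, strip the YAML
# indentation (the manual copy step above), and let openssl report each
# certificate's Not After date. The runtime-config below is constructed for
# the demonstration; its certificate bodies are placeholders, so openssl
# rejects them exactly as it would a mis-copied PEM file.
set -eu

# Write each BEGIN/END CERTIFICATE block in YAML file $1 to $2/cert-N.pem,
# removing leading whitespace from every line. Prints the number of blocks.
extract_certs() {
    yaml="$1"; outdir="$2"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inblock = 1 }
        inblock { line = $0; sub(/^[ \t]*/, "", line); print line > out }
        /-----END CERTIFICATE-----/ { inblock = 0; close(out) }
        END { print n + 0 }
    ' "$yaml"
}

# For each extracted PEM in $1: print subject and Not After, and warn when
# the certificate expires within $2 days. "openssl x509 -checkend SECONDS"
# exits non-zero if the certificate will have expired SECONDS from now.
report_dates() {
    dir="$1"; days="$2"
    secs=$((days * 86400))
    for pem in "$dir"/cert-*.pem; do
        if openssl x509 -noout -subject -enddate -in "$pem" 2>/dev/null; then
            if ! openssl x509 -noout -checkend "$secs" -in "$pem" >/dev/null 2>&1; then
                echo "WARNING: $pem expires within $days days; plan a certificate rotation"
            fi
        else
            echo "ERROR: $pem is not a loadable certificate (check header, footer and indentation)"
        fi
    done
}

# Demo on a constructed runtime-config with placeholder certificate bodies.
work=$(mktemp -d)
cat > "$work/runtime-config.yml" <<'EOF'
addons:
- name: ipsec
  properties:
    ipsec:
      ca_certificates:
      - |
        -----BEGIN CERTIFICATE-----
        PLACEHOLDER-CA-CERT-BODY
        -----END CERTIFICATE-----
      instance_certificate: |
        -----BEGIN CERTIFICATE-----
        PLACEHOLDER-INSTANCE-CERT-BODY
        -----END CERTIFICATE-----
EOF

count=$(extract_certs "$work/runtime-config.yml" "$work")
echo "extracted $count certificate(s) into $work"
if command -v openssl >/dev/null 2>&1; then
    report_dates "$work" 30
fi

# Security hygiene (step 10): the runtime config holds the private key, so
# remove it and the extracted PEM files once the dates have been read.
rm -rf "$work"
```

`extract_certs` writes the files without any leading whitespace, which is the property the manual procedure depends on; `report_dates` then gives a single pass over both certificates with a warning window you choose, which is a convenient way to apply the lead-time consideration in step 9.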