Certificate monitor
You can configure a certificate monitor on the appliance.
You can use the certificate monitor to regularly check your certificates and output log messages that warn you if any have expired or are about to expire.
- Certificates in queue manager key repositories
- Web UI certificates
- REST API certificates
- Certificates used by role-based management for communicating with LDAP servers
- How often the certificates are checked
- How many days in advance of expiration that warnings are issued
- What log level is assigned to expiration warnings
- Whether expired certificates should be disabled (not applicable to queue manager certificates)
cert-monitor category. Two types of log event
are generated, one for certificates that are about to expire and one for certificates that have
already expired, for example:- [0x806000e1] Certificate ‘mycert’ in domain ‘default’ expired at ‘2020-03-31T15:40:08Z’
- [0x806000e2] Certificate ‘mycert’ in domain ‘default’ is about to expire at ‘2020-03-31T15:40:08Z’
The certificate name is the name of the certificate object.
Log events for queue manager certificates have a slightly different format:
- [0x8060034b] Certificate ‘mycert’ for queue manager ‘QM1’ expired at ‘2020-03-31T15:40:08Z’
- [0x8060034c] Certificate ‘mycert’ for queue manager ‘QM1’ is about to expire at ‘2020-03-31T15:40:08Z’
The certificate name in these two log messages is the certificate label in the queue manager key repository (as reported by the listcert command - see listcert (list certificate)).
The certificate monitor does not scan certificates for HA secondary or DR secondary queue managers. Certificates for these queue managers are scanned by the certificate monitor on the appliance where they have the primary role.