FortiADC
FortiADC enhances the scalability, performance, and security of your applications whether they are hosted on premises or in the cloud.
shafiq23
Staff
Article Id 311814
Description This article describes how to use system-generated certificate expiry events to send alerts using Automation Stitch.
Scope FortiADC, FortiADC-VM
Solution

When a local certificate is about to expire, the FortiADC system generates certificate expiry events.

Security Fabric's Automation stitch can use these events to send alerts to external services such as a syslog server, email services, SNMP trap, and Webhook, provided that the following requirements are met:

  1. The local log is enabled with the system event category.

  2. Automation action:
  • An Email type action requires a working SMTP service under System -> Settings -> Services.

Refer to the FortiADC Handbook for more information regarding Automation Actions configuration:
Configuring Automation Actions

  3. FortiADC has reachability to the external service.

Automation stitch configuration:

  1. Create a new Automation stitch.

  2. Define Automation stitch settings:
    a. Name.
    b. Trigger – select System Events.
    c. Event – select Certificate Expire.
    d. Action – select SNMP Trap (in this demonstration).
    e. SNMP Trap name.
    f. Select SNMP Action (pre-created SNMP Trap action).
    g. Delay.

  3. Select Save once complete.

Steps to Verify:

Once certificate expiry events are generated, the Automation stitch is triggered and executes the configured action.

Verify the last trigger time column in the Automation page.

Note:

The event log generates the expiry event 1 week before the local certificate's expiration date. Events for expired local certificates are generated daily.
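
To know in advance which certificates should trigger the stitch, the one-week window from this note can be checked independently against exported copies of the certificates. This is an added example, not Fortinet code: it assumes the openssl CLI on an admin workstation, and the function names and the directory path are hypothetical.

```shell
#!/bin/sh
# Added example: classify exported local certificates against the one-week
# window described in the note. Runs on an admin workstation, not on the
# FortiADC itself. Requires the openssl CLI.

WINDOW_SECONDS=604800   # 7 days, per the note in this article

# cert_state FILE [WINDOW_SECONDS]
# Prints one of: ok | expiring | expired | unreadable
cert_state() {
    file=$1
    window=${2:-$WINDOW_SECONDS}
    # Reject anything that is not a parseable PEM certificate first, because
    # -checkend also exits non-zero when the file cannot be loaded.
    if ! openssl x509 -noout -in "$file" >/dev/null 2>&1; then
        echo unreadable
        return 0
    fi
    # -checkend N exits non-zero when notAfter falls within the next N seconds.
    if ! openssl x509 -noout -checkend 0 -in "$file" >/dev/null 2>&1; then
        echo expired        # daily events are expected for this certificate
    elif ! openssl x509 -noout -checkend "$window" -in "$file" >/dev/null 2>&1; then
        echo expiring       # inside the one-week window: expiry event expected
    else
        echo ok
    fi
}

# report DIR: one line per *.pem file: state, notAfter date, path
report() {
    for f in "$1"/*.pem; do
        [ -e "$f" ] || continue
        end=$(openssl x509 -noout -enddate -in "$f" 2>/dev/null | cut -d= -f2)
        printf '%-10s %-26s %s\n' "$(cert_state "$f")" "${end:-n/a}" "$f"
    done
}

# Usage (placeholder path): report ./exported-certs
```

A certificate reported as expiring or expired with no matching last trigger time on the Automation page points to one of the requirements above not being met.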

 

Related documents:
Creating Automation Stitches 
Download SNMP MIBs 
Configuring an SMTP mail server 
