certexpire Plugin

Purpose

The certexpire plugin collects expiration dates of all certificates and their trustchain used for authentication. It currently can export these dates to Comma Separated Value (CSV) files, either periodically or directly after authentication.

The plugin is disabled by default and can be enabled by adding

   --enable-certexpire

to the ./configure options.

Configuration

The plugin is configured using the following strongswan.conf options:

Key                                          Default    Description
charon.plugins.certexpire.csv.cron           NULL       Cron style string specifying CSV export times
charon.plugins.certexpire.csv.local          NULL       strftime() format string for the CSV file to export local certificates to
charon.plugins.certexpire.csv.remote         NULL       strftime() format string for the CSV file to export remote certificates to
charon.plugins.certexpire.csv.separator      ,          CSV field separator
charon.plugins.certexpire.csv.format         %d:%m:%Y   strftime() format string to export expiration dates as
charon.plugins.certexpire.csv.fixed_fields   yes        Use a fixed intermediate CA field count
charon.plugins.certexpire.csv.empty_string   (empty)    String to use in empty intermediate CA fields
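As an added illustration (not taken from the strongSwan documentation or source), the following strongswan.conf fragment enables a nightly export at 03:00 into one file per day for local and one for remote trustchains. The output paths, the placeholder string for unused intermediate CA fields and the schedule are assumptions chosen for the example; the option names are the ones listed in the table above.

```conf
charon {
  plugins {
    certexpire {
      csv {
        # export once a day at 03:00, eliminating duplicate trustchains
        cron = 0 3 * * *
        # strftime() specifiers in the filename give one file per day (example paths)
        local = /var/log/certexpire/local-%Y-%m-%d.csv
        remote = /var/log/certexpire/remote-%Y-%m-%d.csv
        # defaults shown explicitly: comma separated, day:month:year dates,
        # five fixed intermediate CA slots, "-" marking an unused slot
        separator = ,
        format = %d:%m:%Y
        fixed_fields = yes
        empty_string = -
      }
    }
  }
}
```

A fixed field count with a visible placeholder such as "-" keeps every line the same width, which makes the file easy to consume with tools that expect a rectangular CSV.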

Cron scheduling

If no cron string is specified, expiration dates are exported for each trustchain used. This also means that if a trustchain is used twice, it gets exported twice. If cron style scheduling is used, each run exports all trustchains seen since the last export, and duplicates get eliminated.

The cron string takes numeric arguments only, but supports ranges (1-5) and selections (1,3,5), or a combination of both. The five fields are space separated:

minute hour day month weekday
   minute, 0-59
   hour, 0-23
   day, 1-31
   month, 1-12
   weekday, 0-7 (0 == 7 == Sunday)

See crontab(5) for details.
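To make the five-field format concrete, here is an added Python matcher (example code, not the plugin's own scheduler) that expands each field's ranges and selections into a set of allowed values and tests whether a given time falls on the schedule. It treats 0 and 7 in the weekday field as the same day, as described above. Whether the plugin accepts "*" for "every value" is not stated on this page; the example accepts it as crontab(5) does, and that is an assumption.

```python
"""Matcher for a five-field numeric cron string of the form
'minute hour day month weekday' with ranges (1-5) and selections (1,3,5).
Added example; not strongSwan's certexpire implementation."""
from datetime import datetime


def parse_field(spec: str, low: int, high: int) -> set:
    """Expand one field ('*', '5', '1-5', '1,3,5', '1-3,7') into a set of ints.

    Values outside [low, high] or reversed ranges raise ValueError.
    """
    values = set()
    for part in spec.split(","):
        if part == "*":  # assumption: wildcard means every value in range
            values.update(range(low, high + 1))
            continue
        if "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = end = int(part)
        if start > end or start < low or end > high:
            raise ValueError(f"cron field value out of range: {part!r}")
        values.update(range(start, end + 1))
    return values


def parse_cron(cron: str) -> dict:
    """Parse the full cron string into per-field sets of allowed values."""
    fields = cron.split()
    if len(fields) != 5:
        raise ValueError("cron string needs exactly five space separated fields")
    minute, hour, day, month, weekday = fields
    wdays = parse_field(weekday, 0, 7)
    # 0 and 7 both mean Sunday; normalise to 7 so matching can use isoweekday()
    if 0 in wdays:
        wdays.discard(0)
        wdays.add(7)
    return {
        "minute": parse_field(minute, 0, 59),
        "hour": parse_field(hour, 0, 23),
        "day": parse_field(day, 1, 31),
        "month": parse_field(month, 1, 12),
        "weekday": wdays,
    }


def matches(cron: str, when: datetime) -> bool:
    """True if `when` is a minute at which this schedule would fire."""
    sched = parse_cron(cron)
    return (
        when.minute in sched["minute"]
        and when.hour in sched["hour"]
        and when.day in sched["day"]
        and when.month in sched["month"]
        and when.isoweekday() in sched["weekday"]  # Monday = 1 .. Sunday = 7
    )


if __name__ == "__main__":
    # 2024-01-14 is a Sunday, 2024-01-15 a Monday (constructed sample times)
    print(matches("0 3 * * *", datetime(2024, 1, 15, 3, 0)))       # True
    print(matches("30 1-5 * * 0", datetime(2024, 1, 14, 2, 30)))   # True
    print(matches("30 1-5 * * 1,3,5", datetime(2024, 1, 14, 2, 30)))  # False
```

Rejecting out-of-range values up front matters operationally: a schedule that silently never matches means expiration data is never exported, which is exactly the failure a certificate-expiry monitor must not have.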

Export files

The local and remote options specify the CSV files to which trustchain expiration dates are exported. The local file receives the expiration dates of the certificates we use to authenticate against the remote peer; the remote file contains the same information for the certificates the remote peer uses to authenticate against us. If an option is not specified, no file of this kind gets generated.

Arbitrary strftime() format specifiers can be used to include the date of generation in the filename. Files get created if they do not exist; if the same filename is used for multiple exports, additional entries get appended to the file.

CSV format

The separator option specifies the CSV field separator. The format option defines the date format used for expiration dates, using strftime() specifiers.

Each CSV line contains information about the used trustchain, in the form:

subject,subjectExpiration,ImCa1Expiration,ImCa2Expiration,RootCaExpiration

subject identifies the end entity certificate owner, extracted from the certificate. Currently a FQDN subjectAltName is preferred. If none is found, the CN field of the subject DN is used.

Then the expiration dates of the trustchain follow, starting at the subject's certificate and going up to the root CA.

If fixed_fields is set to yes (default), a fixed field count for intermediate CAs is used (currently 5):

subject,subjectExpiration,ImCa1Expiration,ImCa2Expiration,,,,RootCaExpiration
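What a consumer of these files typically wants is the soonest expiring certificate in each chain, because the chain stops validating on that date regardless of how long the end entity certificate itself is valid. The following added Python example (not part of strongSwan) parses lines in the format just described, honouring the separator, format and empty_string options, skips unused intermediate CA fields produced by fixed_fields = yes, and lists subjects whose chain expires within a given number of days. The sample CSV lines, subjects and dates are constructed for the example.

```python
"""Parse certexpire CSV export lines and report the earliest expiration
in each trustchain. Added example; not strongSwan code."""
from datetime import date, datetime, timedelta

# Constructed sample in the fixed_fields = yes layout: subject, subject expiry,
# five intermediate CA slots (empty when unused), root CA expiry.
# Dates use the default csv.format of %d:%m:%Y.
SAMPLE_CSV = """\
vpn.example.com,01:03:2025,15:06:2026,,,,,31:12:2030
moon.strongswan.org,20:01:2025,,,,,,01:01:2040
"""


def parse_line(line, separator=",", date_format="%d:%m:%Y", empty_string=""):
    """Return (subject, [expiry dates from the end entity up to the root CA])."""
    fields = line.rstrip("\n").split(separator)
    if len(fields) < 2:
        raise ValueError(f"malformed certexpire line: {line!r}")
    subject, raw_dates = fields[0], fields[1:]
    chain = []
    for raw in raw_dates:
        if raw == empty_string:
            continue  # unused intermediate CA slot (fixed_fields = yes)
        chain.append(datetime.strptime(raw, date_format).date())
    return subject, chain


def soonest_expiry(csv_text, **options):
    """Map each subject to the earliest expiry anywhere in its trustchain."""
    result = {}
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        subject, chain = parse_line(line, **options)
        # the chain is only valid until its soonest-expiring certificate
        result[subject] = min(chain)
    return result


def expiring_within(csv_text, days, today, **options):
    """Subjects whose chain expires on or before today + days, soonest first."""
    deadline = today + timedelta(days=days)
    hits = [(s, d) for s, d in soonest_expiry(csv_text, **options).items()
            if d <= deadline]
    return sorted(hits, key=lambda item: item[1])


if __name__ == "__main__":
    for subject, when in expiring_within(SAMPLE_CSV, 90, date(2025, 1, 1)):
        print(f"{subject}: chain expires {when.isoformat()}")
```

Because the subject field is taken from the certificate, a separator character inside a subjectAltName or CN would shift the columns; if that is a concern in your environment, choose a separator that cannot occur in your subject names.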