Certificate Health Checks
FMOS has several health checks that will show the status of all certificates used by the various Security Manager components. To see their status, run the following command:
fmos health -d
If any certificates are within the 30-day renewal window, a warning message will be displayed for each one.
To see certificate expiration dates using a diagnostic package, you will need to fetch or extract the following files:
From the primary database machine:
- /etc/pki/tls/certs/fqdn.cer
- /etc/pki/tls/certs/fmos-admin.cer
- /var/lib/pgsql/server.crt
From any standby database machines:
- /etc/pki/tls/certs/fqdn.cer
- /etc/pki/tls/certs/fmos-admin.cer
- /var/lib/pgsql/.postgresql/postgresql.crt
From any application server machines:
- /etc/pki/tls/certs/fqdn.cer
- /etc/pki/tls/certs/fmos-admin.cer
- /etc/pki/tls/certs/localhost.crt
You can use the OpenSSL command-line tool to inspect these certificates and view their validity period:
openssl x509 -noout -text -certopt no_sigdump,no_pubkey -in FILENAME
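To check all of the files listed above at once against the 30-day renewal window, the following script is an added example (not part of FMOS or its documentation). It assumes the certificates were extracted under one directory with their original paths preserved and are in a format `openssl x509 -in` reads directly; the function names `cert_status` and `report_dir` are hypothetical.

```shell
#!/bin/sh
# Added example, not FMOS code: classify extracted certificates against
# the 30-day renewal window described on this page.

WINDOW_DAYS=30   # renewal window stated on this page

# cert_status FILE [DAYS] -> prints ok | warning | expired | missing | unreadable
cert_status() {
    file=$1
    days=${2:-$WINDOW_DAYS}
    [ -f "$file" ] || { echo missing; return 0; }
    # A file that does not parse as an X.509 certificate is reported, not skipped.
    openssl x509 -noout -in "$file" >/dev/null 2>&1 || { echo unreadable; return 0; }
    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    if ! openssl x509 -noout -checkend 0 -in "$file" >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -noout -checkend $((days * 86400)) -in "$file" >/dev/null 2>&1; then
        echo warning
    else
        echo ok
    fi
}

# report_dir ROOT: check every certificate path listed on this page under ROOT
# (assumption: the diagnostic package was extracted with paths preserved).
report_dir() {
    root=$1
    for rel in \
        etc/pki/tls/certs/fqdn.cer \
        etc/pki/tls/certs/fmos-admin.cer \
        var/lib/pgsql/server.crt \
        var/lib/pgsql/.postgresql/postgresql.crt \
        etc/pki/tls/certs/localhost.crt
    do
        path="$root/$rel"
        status=$(cert_status "$path")
        # Not every machine role carries every file, so absent ones are skipped.
        [ "$status" = missing ] && continue
        end=$(openssl x509 -noout -enddate -in "$path" 2>/dev/null)
        printf '%-10s %s %s\n' "$status" "$path" "${end#notAfter=}"
    done
}

# Usage: sh certcheck.sh /path/to/extracted/package
if [ $# -gt 0 ]; then report_dir "$1"; fi
```

Run it once per extracted machine directory; any line starting with `warning`, `expired` or `unreadable` needs attention before the next health check.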