Certificate Health Checks

FMOS has several health checks that will show the status of all certificates used by the various Security Manager components. To see their status, run the following command:

fmos health -d

If any certificates are within the 30-day renewal window, a warning message will be displayed for each one.

To see certificate expiration dates using a diagnostic package, you will need to fetch or extract the following files:

From the primary database machine:

  • /etc/pki/tls/certs/fqdn.cer

  • /etc/pki/tls/certs/fmos-admin.cer

  • /var/lib/pgsql/server.crt

From any standby database machines:

  • /etc/pki/tls/certs/fqdn.cer

  • /etc/pki/tls/certs/fmos-admin.cer

  • /var/lib/pgsql/.postgresql/postgresql.crt

From any application server machines:

  • /etc/pki/tls/certs/fqdn.cer

  • /etc/pki/tls/certs/fmos-admin.cer

  • /etc/pki/tls/certs/localhost.crt

You can use the OpenSSL command-line tool to inspect these certificates and view their validity period:

openssl x509 -noout -text -certopt no_sigdump,no_pubkey -in FILENAME
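
The following is an added example, not part of FMOS or its documentation. It applies the 30-day renewal window to the files listed above using openssl x509 -checkend. It assumes the files were extracted under one directory with their original paths preserved; the function names cert_status and report are hypothetical.

```shell
#!/bin/sh
# Added example: classify certificates from an extracted diagnostic package.
# Assumption: files sit under ROOT with their original paths preserved.

WINDOW_DAYS=30   # renewal window stated on this page

# cert_status FILE [DAYS] -> prints OK, WARN, EXPIRED or UNREADABLE
cert_status() {
    file=$1
    days=${2:-$WINDOW_DAYS}
    # Anything that does not parse as an X.509 certificate is reported, not skipped.
    if ! openssl x509 -noout -in "$file" >/dev/null 2>&1; then
        echo UNREADABLE
    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    elif ! openssl x509 -noout -checkend 0 -in "$file" >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -noout -checkend $((days * 86400)) -in "$file" >/dev/null 2>&1; then
        echo WARN
    else
        echo OK
    fi
}

# report ROOT -> one line per certificate found; returns 1 if any is not OK
report() {
    root=$1
    rc=0
    for rel in etc/pki/tls/certs/fqdn.cer \
               etc/pki/tls/certs/fmos-admin.cer \
               etc/pki/tls/certs/localhost.crt \
               var/lib/pgsql/server.crt \
               var/lib/pgsql/.postgresql/postgresql.crt
    do
        f="$root/$rel"
        [ -f "$f" ] || continue          # not every machine role has every file
        status=$(cert_status "$f")
        end=$(openssl x509 -noout -enddate -in "$f" 2>/dev/null || true)
        printf '%-10s /%s  %s\n' "$status" "$rel" "${end#notAfter=}"
        [ "$status" = OK ] || rc=1
    done
    return $rc
}

# Run against a directory when one is given, e.g.: sh certcheck.sh ./diag-extract
if [ $# -gt 0 ]; then
    report "$1"
fi
```

The non-zero return from report makes it usable in a scheduled job that should alert when any certificate is expired, unreadable or inside the window.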