Certificate Revocation/Expiry Status Verification
This chapter provides a brief overview of how to check the status of the certificates generated for sessions in
Unified Communications Manager Administration. The certificate service periodically checks for long-lived
sessions between Unified Communications Manager and other services. Long-lived sessions have a duration
of six hours or more. The check is performed for the following long-lived sessions:
• CTI Connections with JTAPI/TAPI applications.
• LDAP Connection between Unified Communications Manager and SunOne servers.
• IPSec Connections
It also describes how to configure the enterprise parameter for verifying certificate revocation and expiry.
The enterprise parameter Certificate Revocation and Expiry allows you to control the certificate validation
checks. The revocation and expiry check parameter is enabled on the Enterprise Parameter page of Unified
Communications Manager. When the enterprise parameter value is disabled, the certificate expiry for
long-lived sessions is not verified.
The certificate revocation service is active for LDAP and IPSec connections when Enable Revocation
is selected in the Operating System Administration of Unified Communications Manager and the revocation and
expiry check parameter is set to enabled. The periodicity of the check for IPSec connections is based on the
Check Every value. The revocation check for the certificate is not performed if the Enable Revocation
check box is unchecked.
Note
The GeneralizedTime values for the X.509 Public Key Infrastructure Certificate and Certificate Revocation List
(CRL) profile must be expressed in Greenwich Mean Time (GMT) and must include seconds (that is, times are
YYYYMMDDHHMMSSZ), even when the number of seconds is zero. GeneralizedTime values must not include
fractional seconds. If the peer entity offers a certificate that violates this rule, or such a certificate from the
peer entities is loaded in the trust stores, it could fail the certificate verification process.
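The GeneralizedTime rule in the note above can be checked before a peer certificate or CRL is loaded into a trust store. The following Python code is an added example, not Cisco code: it walks a DER structure and reports every GeneralizedTime value that is not exactly YYYYMMDDHHMMSSZ. It assumes single-byte tags and does not look inside extension values wrapped in an OCTET STRING; the function names and the sample bytes are constructed for illustration.

```python
import re
from datetime import datetime

GENERALIZED_TIME = 0x18  # ASN.1 universal tag number
_PROFILE = re.compile(r"\d{14}Z", re.ASCII)  # YYYYMMDDHHMMSSZ

def check_generalized_time(value):
    """Return None if value follows the rule in the note, else the reason it fails."""
    if "." in value or "," in value:
        return "fractional seconds present"
    if not value.endswith("Z"):
        return "not expressed in GMT (no trailing Z)"
    if not _PROFILE.fullmatch(value):
        return "not exactly YYYYMMDDHHMMSSZ (seconds are mandatory)"
    try:
        datetime(int(value[:4]), *(int(value[i:i + 2]) for i in range(4, 14, 2)))
    except ValueError:
        return "not a valid calendar date and time"
    return None

def walk_der(buf, pos=0, end=None):
    """Yield (tag, content) for each primitive TLV, descending into constructed ones."""
    end = len(buf) if end is None else end
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated DER")
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits count the length octets
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > end:
            raise ValueError("truncated DER")
        if tag & 0x20:  # constructed: SEQUENCE, SET, explicit [n]
            yield from walk_der(buf, pos, pos + length)
        else:
            yield tag, buf[pos:pos + length]
        pos += length

def nonconforming_times(der):
    """List (value, reason) for each GeneralizedTime in der that breaks the rule."""
    times = (c.decode("ascii", "replace") for t, c in walk_der(der) if t == GENERALIZED_TIME)
    return [(v, r) for v in times if (r := check_generalized_time(v))]

# Constructed sample, not a real certificate: SEQUENCE { SEQUENCE { time, time } }
def _tlv(tag, content):
    return bytes([tag, len(content)]) + content  # short-form length only

SAMPLE = _tlv(0x30, _tlv(0x30, _tlv(0x18, b"20500101000000Z")
                               + _tlv(0x18, b"20600101000000.0Z")))
```

Calling `nonconforming_times()` on the DER bytes of a certificate or CRL returns an empty list when every GeneralizedTime field it reaches conforms.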
Certificate Monitoring Task Flow
Complete these tasks to configure the system to monitor certificate status and expiration automatically.
• Email you when certificates are approaching expiration.
• Revoke expired certificates.
Procedure
Step 1
Command or Action: Configure Certificate Monitor Notifications, on page 3
Purpose: Configure automatic certificate monitoring. The system periodically checks certificate statuses
and emails you when a certificate is approaching expiration.