Is there a way to also print in the notice.log the actual date the cert expires?
If you're talking about the notice from the policy/protocols/ssl/expiring-certs.bro then the date should already be in there. For the three notices that script defines, you should get these messages...
- fmt("Certificate %s isn't valid until %T", cert$subject, cert$not_valid_before)
- fmt("Certificate %s expired at %T", cert$subject, cert$not_valid_after),
- fmt("Certificate %s is going to expire at %T", cert$subject, cert$not_valid_after),
.Seth
Does that only apply to the variable number of days before expiry? So for instance if it set to 30 days all of those will fire within the 30 day window. Whereas everything else outside of the window will not fire. So if we want every cert we detect to fire should we set it to 0 or to like to 3650 days? I may have answered my own question but still wanna get your reponse.
Oh, if you’re just looking for when all certificates expire it sounds like you want the “not_valid_before” and “not_valid_after” timestamps in the x509 log. Is that what you wanted?
.Seth