Cisco CSR1000v PKI Certificate Expire Tracker

Security
1

Hi,

I am looking for pointers to get the serial number and expires time of the certificate (certificate used for setting up IPSec (using PKI)) installed on a CSR1000v (@AWS).

  • Task involves getting the information from the CSR1000v as key value pair and pushing it to AWS cloudwatch.

Example:
Serial: 08A8A252944ABC0A2DD498A6CABCDZYX
DaysToExpire: 278 (Difference between current time minus end date for validity)
{08A8A252944ABC0A2DD498A6CABCDZYX:278}

OPTION1:

  1. I can get this information from the PEM/CER file using openssl commands , but I am running into an issue with access to the certificate since they are stored in bootflash folder in cer format, I will have to change cer to pem and than read the contents of the certificate but I am running into permissions issue on bootflash folder. Is there a way to access the cer files and make a copy to tmp folder and run the openssl commands to get the output ?

OPTIONS 2:

  1. Execute “Sh cry pki certificates” and parse the output to get the information. Is there a sample regex that can help me parse the output of the certificate ?

Thanks in advance for all your help.

Any other suggestions are also welcome!
GY

2

Hello Gaurav

This is an issue that requires some testing and vrification, however I can maybe steer you in a direction that might help you out.

Option 2 is not a bad idea, however, it might be a good idea not to use regex. Using regex with regular show commands are great for humans to read, but it would be preferrable to use something that’s easier to parse. Try NETCONF, RESTCONF, or GRPC. More info about these can be found at the following lesson:

The output you get will be in XML which is easy to parse. You could use a python script to connect to the router, get the certificate, and then push the information to AWS.

I know this is high level, but hopefully it gives you some more info to go on.

I hope this has been helpful!

Laz