https://live.paloaltonetworks.com/t5/general-topics/certificate-expiry/m-p/581182#M116340 <P>Any suggestions on this please?</P> Thu, 21 Mar 2024 11:59:56 GMT Sanjay_Ramaiah 2024-03-21T11:59:56Z https://live.paloaltonetworks.com/t5/general-topics/certificate-expiry/m-p/581015#M116325 <P>Hi Team,</P> <P>May i know how to set the certificate expiry alerts to emails or any other option to get alerts on certificate expiry?</P> <P>Forward trust certificate used for SSL Decryption i need to get alerts for, so please suggest.</P> <P>Regards,</P> <P>Sanjay S&nbsp;</P> Wed, 20 Mar 2024 10:07:57 GMT https://live.paloaltonetworks.com/t5/general-topics/certificate-expiry/m-p/581015#M116325 Sanjay_Ramaiah 2024-03-20T10:07:57Z https://live.paloaltonetworks.com/t5/general-topics/certificate-expiry/m-p/581182#M116340 <P>Any suggestions on this please?</P> Thu, 21 Mar 2024 11:59:56 GMT https://live.paloaltonetworks.com/t5/general-topics/certificate-expiry/m-p/581182#M116340 Sanjay_Ramaiah 2024-03-21T11:59:56Z https://live.paloaltonetworks.com/t5/general-topics/certificate-expiry/m-p/581247#M116352 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/249853">@Sanjay_Ramaiah</a>,</P> <P>The firewall itself doesn't have the ability to alert you to certificates that are about to expire. It's a relatively easy thing to script using the API to check all certificates on the firewall and pull the expiry-epoch to get the certificate expiration and trigger alerts for any expiring at a specified interval from the current date.</P> <P>&nbsp;</P> <LI-CODE lang="markup">api/?type=config&amp;action=get&amp;xpath=/config/shared/certificate</LI-CODE> <P>The above is an example of getting the shared certificates present on a firewall. If you create a dictionary of the result you can focus the individual certificates and read the results and analyze them fairly simply. </P> <LI-CODE lang="python">## Collects the shared certificate list from the firewall ## Cert_List = requests.get('https://&lt;firewall&gt;/api/?type=config&amp;action=get&amp;xpath=/config/shared/certificate',headers=headers) ## Make a dictionary from the result ## Certificate_Dict = xmltodict.parse(Cert_List.content) ## Analyze the Certificates ## Certificates = Certificate_Dict['response']['result']['certificate']['entry'] for Certificate in Certificates: Certificate_Name = Certificate['@name'] Certificate_Expiration = Certificate['not-valid-after'] Certificate_ExpiryEpoch = Certificate['expiry-epoch'] Expiration_Date = datetime.datetime.fromtimestamp(int(Certificate_ExpiryEpoch)) Current_Date = datetime.datetime.now() Date_Delta = Expiration_Date - Current_Date Day_Count = Date_Delta.days if Day_Count &lt;=30: Alert_Certificate_Expiration(Certificate_Name=str(Certificate_Name),Certificate_Expiration=str(Certificate_Expiration),Date_Delta=str(Day_Count),NoAlert=NoAlert) else: log_collector.debug(Certificate_Name + " : Certificate is valid until " + str(Certificate_Expiration))</LI-CODE> <P>Obviously this is a snip of a much larger script that contains components that won't allow this to just be copied and pasted and ran successfully, but the base of what you're trying to do is all present. </P> Thu, 21 Mar 2024 19:40:22 GMT https://live.paloaltonetworks.com/t5/general-topics/certificate-expiry/m-p/581247#M116352 BPry 2024-03-21T19:40:22Z