https://live.paloaltonetworks.com/t5/general-topics/can-this-oid-notificate-the-expired-certificates-for-ssl/m-p/1232173#M124616 <P>Hi,</P> <P>&nbsp;</P> <P>I found the below OID in SNMP Trap.<BR />Can this OID notificate the expired certificates for SSL decryption and Global Protect?</P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBfzCAG" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBfzCAG</A></P> <P>====<BR />panCryptoCertExpiryTrap&nbsp; .1.3.6.1.4.1.25461.2.1.3.2.0.100&nbsp; Certificate expired<BR />====</P> <P>&nbsp;</P> <P>Best regards,<BR />MasaW</P> Fri, 20 Jun 2025 04:26:20 GMT MasaW 2025-06-20T04:26:20Z https://live.paloaltonetworks.com/t5/general-topics/can-this-oid-notificate-the-expired-certificates-for-ssl/m-p/1232173#M124616 <P>Hi,</P> <P>&nbsp;</P> <P>I found the below OID in SNMP Trap.<BR />Can this OID notificate the expired certificates for SSL decryption and Global Protect?</P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBfzCAG" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBfzCAG</A></P> <P>====<BR />panCryptoCertExpiryTrap&nbsp; .1.3.6.1.4.1.25461.2.1.3.2.0.100&nbsp; Certificate expired<BR />====</P> <P>&nbsp;</P> <P>Best regards,<BR />MasaW</P> Fri, 20 Jun 2025 04:26:20 GMT https://live.paloaltonetworks.com/t5/general-topics/can-this-oid-notificate-the-expired-certificates-for-ssl/m-p/1232173#M124616 MasaW 2025-06-20T04:26:20Z https://live.paloaltonetworks.com/t5/general-topics/can-this-oid-notificate-the-expired-certificates-for-ssl/m-p/1232223#M124621 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/55776">@MasaW</a>,</P> <P>This will not generate alerts for anything other than the device management certificate. You can automate these checks easily through some API calls and have whatever alert interval you wish, I've found this to work better than anything you can do natively.</P> <P>&nbsp;</P> <P>A brief example of how you would do this, note that I specifically don't give working examples of scripts as someone implementing them needs to be able to maintain them.</P> <LI-CODE lang="python">#Collect the current certificates# Get_Cert_List = requests.get('https://' + str(myFirewallUrl) + '/api/?type=config&amp;action=get&amp;xpath=/config/shared/certificate',headers=headers) #Take the return and parse it# Certificate_Dict = xmltodict.parse(Get_Cert_List.content) Certificates = Certificate_Dict['response']['result']['certificate']['entry'] for Certificate in Certificates: Certificate_Name = Certificate['@name'] Certificate_Expiration = Certificate['not-valid-after'] Certificate_ExpiryEpoch = Certificate['expiry-epoch'] Expiration_Date = datetime.datetime.fromtimestamp(int(Certificate_ExpiryEpoch)) Current_Date = datetime.datetime.now() Date_Delta = Expiration_Date - Current_Date Day_Count = Date_Delta.days if Day_Count &lt;=30: Alert_Certificate_Expiration(Certificate_Name=str(Certificate_Name),Certificate_Expiration=str(Certificate_Expiration),Date_Delta=str(Day_Count),NoAlert=NoAlert)</LI-CODE> <P>This should give you enough of an example if you choose to do this through the API that is more adaptable to what you specifically want.&nbsp;</P> Fri, 20 Jun 2025 14:12:57 GMT https://live.paloaltonetworks.com/t5/general-topics/can-this-oid-notificate-the-expired-certificates-for-ssl/m-p/1232223#M124621 BPry 2025-06-20T14:12:57Z