Enforcing certificate expiration and setting certificate validity

You must enforce certificate expiration and set certificate validity so that the server refuses to communicate with agents that present expired certificates and the agents rotate their certificates automatically at a regular interval.

You must have completed the following tasks:
  • Enabled the automatic rotation of agent certificates. See Automatic rotation of agent certificates.
  • Rotated the server and relay client certificates manually before you enable certificate expiration.

    When you enable enforcement of certificate expiration, it applies to all client certificates, including the server's client certificate and the relays' client certificates. However, the server and relays cannot rotate their own certificates. Therefore, before enabling enforcement, plan to rotate the server and relay client certificates manually at regular intervals, before they expire.

  1. Force the server to reject an expired certificate by adding the following property to the server's installed.properties file:
    agentcomm.clientCertificate.enforceExpiration=true
    The agentcomm.clientCertificate.enforceExpiration property causes the server to enforce the expiration date specified in the agent certificates regardless of their duration. For example, if an agent certificate is valid for 7300 days (20 years), the server accepts it for 7300 days (20 years).
    Notes:
    • If the enforceExpiration property is set to false or is not set, the agent's certificate expiration is ignored.
    • If the verify.client.identity parameter is true in the server's installed.properties file, the TLS rules of your certificate authority (CA) are applied: for example, the certificate must be signed by the CA, its expiration date is enforced, and so on. Java enforces these rules before the enforceExpiration setting gets a chance to run, so the enforceExpiration setting is redundant with the TLS checks. Therefore, set either verify.client.identity=true or agentcomm.clientCertificate.enforceExpiration=true, but not both.
  2. Force the server to limit an acceptable certificate date range for valid certificates by setting the following parameter in the server's installed.properties file:
    agentcomm.clientCertificate.maxAgeDays=730

    The agentcomm.clientCertificate.maxAgeDays property defines the validity of the certificate in days. The minimum allowed value is 90 days.

    Note: Offline agents cannot rotate a certificate. If you have agents that are offline for extended periods of time, do not set agentcomm.keypair.maxAgeDays and agentcomm.clientCertificate.maxAgeDays to a combination that results in expired or invalid certificates. When such agents are started, they cannot rotate to a valid certificate and connect to the server.
    The following scenarios describe the server behavior depending on how you set the agent's and the server's maxAgeDays properties:

    Scenario 1: When you set the agent's maxAgeDays property to 7300 days (20 years) and set the server's maxAgeDays property to 730 days (2 years).

    In this scenario, the agent automatically attempts to rotate its certificate every 20 years. If the agent is offline for 731 days or more, the server rejects the agent's certificate and fails to communicate with the agent. You must start the agent and rotate its certificate manually.

    Scenario 2: When you set the agent's maxAgeDays property to 90 days (3 months) and set the server's maxAgeDays property to 730 days (2 years).

    In this scenario, the agent sets the lower bound. The server accepts the agent's certificate validity of 90 days, and the agent attempts to rotate the certificate every 60 days, that is, 30 days before it expires. If the agent is offline for 91 days, it cannot rotate its certificate even though the server's maxAgeDays property is set to 730 days. You must start the agent and rotate its certificate manually.

    Scenario 3: When you set the agent's maxAgeDays property to 90 days (3 months), have not enabled enforcement, and the agent is offline for 91 days.

    In this scenario, the server can communicate with the agent when the agent is started later. The agent rotates its certificate when it comes back online. No manual intervention is required in this scenario.

  3. Restart the server to apply the changes.
    Expired agent certificates are now rejected, and any existing certificate expires within the period defined. In the example used here, certificates expire after 730 days even if they have not yet expired according to their stated expiration date.
You have enforced certificate expiration and set the validity of the certificate.
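The following script is an added example that models the rules stated above; it is not product code. It parses a constructed installed.properties fragment, flags the setting combinations the notes warn about (expiration ignored, enforceExpiration combined with verify.client.identity, maxAgeDays below the 90-day minimum), and reproduces the three maxAgeDays scenarios for an agent that has been offline for a given number of days. The property names are the ones on this page; the 30-day rotation lead is taken from Scenario 2 and assumed to apply to other values.

```python
"""Model of the certificate-expiration rules on this page (added example, not product code).

The 30-day rotation lead comes from Scenario 2 (a 90-day certificate is rotated after
60 days) and is assumed to hold for other maxAgeDays values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ENFORCE_KEY = "agentcomm.clientCertificate.enforceExpiration"
SERVER_MAX_KEY = "agentcomm.clientCertificate.maxAgeDays"
AGENT_MAX_KEY = "agentcomm.keypair.maxAgeDays"
VERIFY_KEY = "verify.client.identity"
MIN_MAX_AGE_DAYS = 90        # minimum allowed value stated on the page
ROTATION_LEAD_DAYS = 30      # assumed general, derived from Scenario 2

# Constructed sample; not copied from a real server.
SAMPLE_PROPERTIES = """\
# server installed.properties (constructed sample)
agentcomm.clientCertificate.enforceExpiration=true
agentcomm.clientCertificate.maxAgeDays=730
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser: skips blank lines and '#'/'!' comments, trims whitespace."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def is_true(props: Dict[str, str], key: str) -> bool:
    """A property is on only when explicitly 'true'; unset counts as false (first note above)."""
    return props.get(key, "false").strip().lower() == "true"


def check_server_properties(props: Dict[str, str]) -> List[str]:
    """Return the findings a reviewer would raise, one string each; an empty list means clean."""
    findings: List[str] = []
    enforce = is_true(props, ENFORCE_KEY)
    verify = is_true(props, VERIFY_KEY)
    if not enforce and not verify:
        findings.append("agent certificate expiration is ignored: neither "
                        f"{ENFORCE_KEY} nor {VERIFY_KEY} is true")
    if enforce and verify:
        findings.append(f"{ENFORCE_KEY} is redundant with {VERIFY_KEY}=true; set one, not both")
    if SERVER_MAX_KEY in props:
        value = props[SERVER_MAX_KEY]
        if not value.isdigit():
            findings.append(f"{SERVER_MAX_KEY}={value!r} is not a whole number of days")
        elif int(value) < MIN_MAX_AGE_DAYS:
            findings.append(f"{SERVER_MAX_KEY}={value} is below the minimum of {MIN_MAX_AGE_DAYS} days")
    return findings


@dataclass(frozen=True)
class Outcome:
    effective_validity_days: Optional[int]   # None when expiration is not enforced
    rotation_interval_days: int              # how often the agent tries to rotate
    manual_rotation_required: bool           # True when the offline agent cannot recover on its own


def evaluate_offline_agent(agent_max_age_days: int, server_max_age_days: int,
                           enforce: bool, offline_days: int) -> Outcome:
    """Apply the scenario rules to an agent that was offline for offline_days.

    Without enforcement the server ignores expiry and the agent rotates once it is back
    online (Scenario 3). With enforcement the shorter of the two maxAgeDays values wins
    (Scenario 2), and an agent offline longer than that needs a manual rotation
    (Scenarios 1 and 2).
    """
    rotation_interval = max(agent_max_age_days - ROTATION_LEAD_DAYS, 1)
    if not enforce:
        return Outcome(None, rotation_interval, False)
    effective = min(agent_max_age_days, server_max_age_days)
    return Outcome(effective, rotation_interval, offline_days > effective)


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print("findings:", check_server_properties(props) or "none")
    server_max = int(props[SERVER_MAX_KEY])
    enforce = is_true(props, ENFORCE_KEY)
    for label, agent_max, enforced, offline in [
        ("Scenario 1", 7300, enforce, 731),
        ("Scenario 2", 90, enforce, 91),
        ("Scenario 3", 90, False, 91),
    ]:
        print(label, evaluate_offline_agent(agent_max, server_max, enforced, offline))
```

Run it against your own installed.properties by replacing SAMPLE_PROPERTIES with the file contents; the findings list tells you whether the combination matches the notes above, and evaluate_offline_agent lets you check the longest offline period a given agent can survive before a manual rotation becomes necessary.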