Certificate chain events

Certificate chain events are logged to the audit log and all log.

Event fields

Audit logs of Access Gateway certificate events include the following information:

Field - Description

  • TIMESTAMP - Current system date and time
  • HOSTNAME - Hostname of node generating event
  • SUBSYSTEM - The subsystem or host that generated the error, such as:
    • systemd
    • CERT VERIFIER
    • CLIENT_CERT
  • MESSAGE - Free-form associated message.

Certificate chain events

Events are logged when adding, deleting, or assigning certificate chains. This includes events associated with managing the revocation settings of certificate chains.

See Client certificate validation behavior and Certificate chain operations.

Certificate chain added

Description: The specified certificate chain was added.

Messages:

  • Added a client certificate chain.

Examples:

  • 2021-03-04T12:08:10.183-06:00 example.myaccessgateway. OAG ADMIN_CONSOLE SERVICES CLIENT_CERT INFO CLIENT_CERT [USER=“oag-mgmt”] Added a client certificate chain
  • 2021-03-04 12:08:10.170 INFO 1101 --- [61-8666-exec-10] c.okta.oag.certverify.CertificateLoader : Importing 'EMAILADDRESS=xxx, CN=YYYY, OU=Engineering, O=Okta, L=San Francisco, ST=CA, C=US’ as certificate authority.

Structured data:

  • USER - User performing nomination actions, always oag-mgmt

Corrective action:

  • None

Certificate chain deleted

Description: The specified certificate chain was deleted.

Messages:

  • Deleted client certificate chain ID <identifier>.
  • Removed certificate chain ID 'id'

Examples:

  • 2021-03-04T12:06:34.145-06:00 example.myaccessgateway.com OAG ADMIN_CONSOLE SERVICES CLIENT_CERT INFO CLIENT_CERT_API [USER=“oag-mgmt”] Deleted client certificate chain ID <identifier>.
  • 2021-03-04 12:06:34.099 INFO 1101 --- [.61-8666-exec-6] o.o.c.r.CertificateConfigurationResource : Removed certificate chain ID ‘6da2489d593711957db25c2d3ba5cf3cec069c2959a8b61609a6b70639029a92’.

Structured data:

  • USER - User performing nomination actions, always oag-mgmt

Corrective action:

  • None

Certificate revocation list settings updated

Description: Certificate revocation settings updated.

Messages:

  • CRL config updated.
  • settings updated to refresh every xxx minutes and cache for yyy minutes

Examples:

  • 2021-03-04T12:09:00.226-06:00 example.myaccessgateway.com OAG ADMIN_CONSOLE SERVICES CLIENT_CERT INFO CLIENT_CERT_API [USER=“oag-mgmt”] CRL config updated.
  • 2021-03-04T12:09:00.000-06:00 example.myaccessgateway.com CERT VERIFIER CRL settings updated to refresh every 660 minutes and cache for 720 minutes

Structured data:

  • USER - User performing nomination actions, always oag-mgmt

Corrective action:

  • None

System start or stop

Event issued when the client certificate validation service is started or stopped.

Messages:

  • Stopped Certificate Validation Service.
  • Started Certificate Validation Service.
  • Starting (various)

Cause:

  • The instance is starting or stopping.

Examples:

  • 2021-01-20T10:54:58.075-06:00 example.myaccessgateway.com systemd Started Certificate Validation Service.
  • 2021-01-22T13:10:55.000-06:00 oag.okta.com CERT VERIFIER Starting [Starting(Started) application | certificate loader | service | servlet | Tomcat]
  • 2021-01-21T11:54:58.075-06:00 example.myaccessgateway.com systemd Stopped Certificate Validation Service.
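
The following Python is an added example, not part of the Access Gateway documentation or product code. It parses the audit-log line format shown in the examples above, labels each certificate event, and marks the ones that change trust or validation state. The event labels, the `review` flag, and the sample hostname and lines are assumptions constructed for this example.

```python
import re

# Audit-log line: ISO-8601 timestamp, hostname, then subsystem and message.
LINE = re.compile(r'^(?P<ts>\d{4}-\d{2}-\d{2}T\S+)\s+(?P<host>\S+)\s+(?P<rest>.+)$')
# Structured data such as [USER="oag-mgmt"]; the page's samples use curly quotes.
USER = re.compile(r'\[USER=["\u201c\u201d]([^"\u201c\u201d]+)["\u201c\u201d]\]')
CRL = re.compile(r'refresh every (\d+) minutes and cache for (\d+) minutes')

# Message text from the page -> event label (labels are this example's own names).
EVENTS = [
    ("Added a client certificate chain", "chain_added"),
    ("Deleted client certificate chain ID", "chain_deleted"),
    ("CRL config updated", "crl_updated"),
    ("CRL settings updated", "crl_updated"),
    ("Started Certificate Validation Service", "service_started"),
    ("Stopped Certificate Validation Service", "service_stopped"),
]
# Assumption: events that change what is trusted, or stop validation, get reviewed.
REVIEW = {"chain_added", "chain_deleted", "crl_updated", "service_stopped"}

def parse_event(line):
    """Return a dict for a recognised certificate event, or None."""
    m = LINE.match(line.strip())
    if not m:
        return None  # e.g. the application-log format, which has no hostname field
    rest = m.group("rest")
    label = next((lbl for text, lbl in EVENTS if text in rest), None)
    if label is None:
        return None
    event = {"timestamp": m.group("ts"), "hostname": m.group("host"),
             "event": label, "review": label in REVIEW}
    user = USER.search(rest)
    if user:
        event["user"] = user.group(1)
    crl = CRL.search(rest)
    if crl:
        event["refresh_min"], event["cache_min"] = int(crl.group(1)), int(crl.group(2))
    return event

# Sample lines constructed from the formats shown on this page.
SAMPLE = [
    '2021-03-04T12:08:10.183-06:00 gw.example.com OAG ADMIN_CONSOLE SERVICES CLIENT_CERT INFO CLIENT_CERT [USER=\u201coag-mgmt\u201d] Added a client certificate chain',
    '2021-03-04T12:09:00.000-06:00 gw.example.com CERT VERIFIER CRL settings updated to refresh every 660 minutes and cache for 720 minutes',
    '2021-01-20T10:54:58.075-06:00 gw.example.com systemd Started Certificate Validation Service.',
    "2021-03-04 12:08:10.170 INFO 1101 --- [exec-10] c.okta.oag.certverify.CertificateLoader : Importing 'CN=Example CA' as certificate authority.",
]

if __name__ == "__main__":
    print(*map(parse_event, SAMPLE), sep="\n")
```

Lines in the application-log format (space-separated date and time, no hostname) return `None` here and need a separate pattern if they are collected.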
