1. Directly on the host, after connecting via SSH, run:
# openssl x509 -text -noout -in /etc/pki/vdsm/certs/vdsmcert.pem | grep -A2 Validity
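2. Remotely, using openssl, run the command below (stdin is redirected from /dev/null so that s_client exits after the handshake instead of waiting for input):
# openssl s_client -showcerts -connect <HOST FQDN>:54321 </dev/null | openssl x509 -text -noout | grep -A2 Validity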
ovirt-engine checks certificates every day (the interval can be configured with the engine-config option CertificationValidityCheckTimeInHours). It checks not only host certificates but also the engine certificate and the engine CA certificate. The check produces the following records in the ovirt-engine audit log:
1. If the certificate has already expired, the following audit log ALERT is created, depending on the type of certificate:
- Host ${VdsName} certification has expired at ${ExpirationDate}. Please renew the host's certification.
- Engine's certification has expired at ${ExpirationDate}. Please renew the engine's certification.
- Engine's CA certification has expired at ${ExpirationDate}.
2. If the certificate is going to expire in less than 7 days, the following audit log ALERT is created, depending on the type of certificate:
- Host ${VdsName} certification is about to expire at ${ExpirationDate}. Please renew the host's certification.
- Engine's certification is about to expire at ${ExpirationDate}. Please renew the engine's certification.
- Engine's CA certification is about to expire at ${ExpirationDate}.
3. If the certificate is going to expire in less than 30 days, the following audit log WARNING is created, depending on the type of certificate:
- Host ${VdsName} certification is about to expire at ${ExpirationDate}. Please renew the host's certification.
- Engine's certification is about to expire at ${ExpirationDate}. Please renew the engine's certification.
- Engine's CA certification is about to expire at ${ExpirationDate}.
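The same thresholds can be applied outside the engine, for example to certificates collected from several hosts with the openssl commands above. The script below is an added example, not ovirt-engine code: the function names, the sample host names and dates are constructed, and treating "expires exactly now" as expired is an assumption.

```python
import subprocess
from datetime import datetime, timedelta, timezone

ALERT_DAYS = 7     # page: expiry in less than 7 days  -> ALERT
WARNING_DAYS = 30  # page: expiry in less than 30 days -> WARNING

def parse_not_after(line):
    """Parse 'notAfter=Mar  5 10:00:00 2025 GMT' as printed by `openssl x509 -enddate`."""
    value = " ".join(line.strip().split("=", 1)[-1].split())  # collapse padded day
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def classify(not_after, now):
    """Return (severity, state); ALERT and WARNING share the 'about to expire' text."""
    remaining = not_after - now
    if remaining <= timedelta(0):  # assumption: expiring exactly now counts as expired
        return ("ALERT", "expired")
    if remaining < timedelta(days=ALERT_DAYS):
        return ("ALERT", "about to expire")
    if remaining < timedelta(days=WARNING_DAYS):
        return ("WARNING", "about to expire")
    return ("OK", "valid")

def read_not_after(pem_path):
    """Read the expiry of a local PEM file, e.g. /etc/pki/vdsm/certs/vdsmcert.pem."""
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate", "-in", pem_path],
                         check=True, capture_output=True, text=True).stdout
    return parse_not_after(out)

def report(inventory, now):
    """inventory: (name, notAfter line) pairs. Returns non-OK rows, soonest expiry first."""
    rows = []
    for name, line in inventory:
        expiry = parse_not_after(line)
        severity, state = classify(expiry, now)
        if severity != "OK":
            rows.append((expiry, name, severity, state))
    return [(name, severity, state) for _, name, severity, state in sorted(rows)]

# Constructed sample data: host names and dates are illustrative only.
SAMPLE_NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)
SAMPLE = [
    ("host1.example.test", "notAfter=Feb 20 10:00:00 2025 GMT"),
    ("host2.example.test", "notAfter=Mar  5 10:00:00 2025 GMT"),
    ("host3.example.test", "notAfter=Mar 25 10:00:00 2025 GMT"),
    ("host4.example.test", "notAfter=Jan 15 10:00:00 2026 GMT"),
]

if __name__ == "__main__":
    for row in report(SAMPLE, SAMPLE_NOW):
        print(*row)
```

For a live check, pass `classify(read_not_after(path), datetime.now(timezone.utc))` the path of the PEM file to inspect.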