certexpire Plugin


The certexpire plugin collects the expiration dates of all certificates, together with their trustchain, that are used for authentication. It can currently export these dates to Comma Separated Value (CSV) files, either periodically or directly after each authentication.

The plugin is disabled by default and can be enabled with the ./configure option --enable-certexpire.


The plugin is configured using the following strongswan.conf options (all keys live below charon.plugins.certexpire.csv):

Key            Default     Description
cron           (none)      Cron style string specifying CSV export times
local          (none)      strftime() format string for the CSV file to export local certificates to
remote         (none)      strftime() format string for the CSV file to export remote certificates to
separator      ,           CSV field separator
format         %d:%m:%Y    strftime() format string to export expiration dates as
fixed_fields   yes         Use a fixed intermediate CA field count
empty_string   (empty)     String to use in empty intermediate CA fields

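An example strongswan.conf fragment, added here and not taken from the strongSwan documentation, that exports both files once a day at 02:00 into date-stamped files with ISO-style dates. The paths, separator, date format and empty-field marker are illustrative choices, not defaults:

```conf
charon {
    plugins {
        certexpire {
            csv {
                # five numeric fields, no wildcards: 02:00 every day of every month
                cron = 0 2 1-31 1-12 0-6
                # one file per day; several exports on the same day append to it
                local = /var/log/strongswan/certexpire-local-%Y-%m-%d.csv
                remote = /var/log/strongswan/certexpire-remote-%Y-%m-%d.csv
                # subject names come out of certificates and may contain commas,
                # so use a separator that cannot appear in a CN or FQDN
                separator = ;
                # date format that sorts lexically
                format = %Y-%m-%d
                fixed_fields = yes
                empty_string = -
            }
        }
    }
}
```

The target directory has to exist and be writable by the daemon; the plugin creates the files, not the directory. Without the cron line the same configuration would write a line after every authentication instead of once a day.
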
Cron Scheduling

If no cron string is specified, expiration dates are exported immediately for each trustchain used, so a trustchain that is used twice is exported twice. With cron style scheduling, each scheduled run exports all trustchains seen since the last export, and duplicates are eliminated.

The cron string consists of five space separated fields. Each field takes numeric values only (no * wildcard and no month or weekday names) and supports single values, ranges (1-5), selections (1,3,5), or a combination of both (1-5,10). Because there is no wildcard, a field that should match every value is written as its full range:

minute hour day month weekday
   minute, 0-59
   hour, 0-23
   day, 1-31
   month, 1-12
   weekday, 0-7 (0 == 7 == Sunday)

See man crontab(5) for details.
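To make the field rules above concrete, here is a small parser and matcher for this cron grammar. It is an added example, not the plugin's own code: it accepts exactly what the text describes (five fields, numbers, ranges, selections, combinations, weekday 7 as an alias for Sunday) and rejects wildcards and names. That an export time has to match all five fields is an assumption about the plugin's semantics, not something this page states.

```python
"""Parse and match certexpire-style cron strings (added example, not strongSwan code)."""
from datetime import datetime

# (field name, lowest allowed value, highest allowed value), in cron field order
FIELDS = (("minute", 0, 59), ("hour", 0, 23), ("day", 1, 31),
          ("month", 1, 12), ("weekday", 0, 7))


def parse_field(spec, low, high):
    """Expand one field ("5", "1-5", "1,3,5", "1-5,10") into a set of ints.

    Anything non-numeric ("*", "*/5", "mon") makes int() raise ValueError.
    """
    values = set()
    for item in spec.split(","):
        if not item:
            raise ValueError(f"empty element in field {spec!r}")
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))   # inclusive range
            if lo > hi:
                raise ValueError(f"reversed range {item!r}")
            values.update(range(lo, hi + 1))
        else:
            values.add(int(item))
    for v in values:
        if not low <= v <= high:
            raise ValueError(f"value {v} outside {low}-{high} in field {spec!r}")
    return values


def parse_cron(cron):
    """Return {field name: set of accepted values} for a five-field cron string."""
    parts = cron.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)} in {cron!r}")
    parsed = {name: parse_field(spec, low, high)
              for (name, low, high), spec in zip(FIELDS, parts)}
    # crontab convention: 0 and 7 both mean Sunday, so normalise 7 to 0
    if 7 in parsed["weekday"]:
        parsed["weekday"].discard(7)
        parsed["weekday"].add(0)
    return parsed


def matches(parsed, when):
    """True if `when` is an export time selected by the parsed cron string.

    Assumption (not stated on the page): all five fields must match.
    """
    weekday = (when.weekday() + 1) % 7   # Python: Monday == 0; cron: Sunday == 0
    return (when.minute in parsed["minute"]
            and when.hour in parsed["hour"]
            and when.day in parsed["day"]
            and when.month in parsed["month"]
            and weekday in parsed["weekday"])


if __name__ == "__main__":
    schedule = parse_cron("0 6,18 1-31 1-12 1-5")   # 06:00 and 18:00 on weekdays
    for when in (datetime(2024, 3, 15, 18, 0), datetime(2024, 3, 16, 18, 0)):
        print(when, "export" if matches(schedule, when) else "no export")
```

Running the module prints an export for Friday 2024-03-15 18:00 and none for the Saturday; feeding it "*/5 * * * *" raises ValueError, which is the behaviour to expect from a numeric-only grammar.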

Export Files

The local and remote options specify the CSV files to which trustchain expiration dates are exported. The local file receives the expiration dates of the certificates we use to authenticate against the remote peer; the remote file contains the same information for the certificates the remote peer uses to authenticate against us. If an option is not specified, no file of that kind is generated.

Arbitrary strftime() format specifiers can be used to include the date of generation in the filename. Files are created if they do not exist. If the same filename is used for multiple exports, additional entries are appended to the file.

CSV Format

The separator attribute specifies the CSV field separator. The format attribute defines the date format used for expiration dates using strftime() specifiers.

Each CSV line describes one trustchain that was used, in the form:

  • subject is the owner of the end entity certificate, extracted from the certificate. Currently an FQDN subjectAltName is preferred; if none is found, the CN field of the subject Distinguished Name is used.

  • The expiration dates of the trustchain follow, starting with the subject's certificate and ending with the root CA.

If the fixed_fields attribute is set to yes (default), a fixed field count for intermediate CAs is used (currently 5):
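The following added example (not strongSwan code) builds the per-trustchain line described in this section, with the fixed intermediate CA field count and empty_string padding, and reads such lines back to flag trustchains that expire soon. Assumptions the page does not state, made explicit here: padding fields sit between the last intermediate and the root field, a chain with more than five intermediates is rejected rather than truncated, and a field containing the separator is rejected rather than quoted. The sample trustchains are constructed, not real certificates.

```python
"""Build and consume certexpire-style CSV lines (added example, not strongSwan code)."""
from datetime import datetime, timedelta

FIXED_FIELDS = 5  # intermediate CA fields written when fixed_fields = yes


def format_line(subject, expiries, fmt="%d:%m:%Y", separator=",",
                fixed_fields=True, empty_string=""):
    """Return one CSV line for a trustchain.

    expiries: datetimes ordered end-entity certificate first, root CA last.
    """
    if len(expiries) < 2:
        raise ValueError("need at least the end-entity and the root CA expiry")
    ee, root = expiries[0], expiries[-1]
    ica = [d.strftime(fmt) for d in expiries[1:-1]]
    if fixed_fields:
        if len(ica) > FIXED_FIELDS:
            raise ValueError(f"{len(ica)} intermediate CAs exceed "
                             f"fixed field count {FIXED_FIELDS}")
        ica += [empty_string] * (FIXED_FIELDS - len(ica))   # assumed padding position
    fields = [subject, ee.strftime(fmt)] + ica + [root.strftime(fmt)]
    # The subject is taken from the (peer's) certificate, so it is attacker-chosen
    # for the remote file; a separator or newline inside it would shift every
    # following field. The same check catches a date format clashing with the
    # separator. Rejecting is an assumption; the page does not say how the
    # plugin handles this.
    for f in fields:
        if separator in f or "\n" in f or "\r" in f:
            raise ValueError(f"field {f!r} contains the separator or a newline")
    return separator.join(fields)


def parse_line(line, fmt="%d:%m:%Y", separator=",", empty_string=""):
    """Return (subject, [expiry datetimes, end-entity first]) for one exported line."""
    fields = line.rstrip("\r\n").split(separator)
    if len(fields) < 3:
        raise ValueError(f"malformed line {line!r}")
    subject, dates = fields[0], fields[1:]
    # padding fields carry empty_string instead of a date; skip them
    return subject, [datetime.strptime(d, fmt) for d in dates if d != empty_string]


def expiring_within(lines, days, now, **kw):
    """Map subject -> earliest expiry for chains expiring within `days` of `now`.

    Keyed by subject, so a chain exported several times (which happens without
    cron scheduling) is reported once, with its earliest date.
    """
    deadline = now + timedelta(days=days)
    hits = {}
    for line in lines:
        if not line.strip():
            continue
        subject, expiries = parse_line(line, **kw)
        soonest = min(expiries)   # a chain is unusable once any member expires
        if soonest <= deadline and (subject not in hits or soonest < hits[subject]):
            hits[subject] = soonest
    return hits


# Constructed sample trustchains: (subject, [EE expiry, ICA expiries..., root expiry])
SAMPLE_CHAINS = [
    ("vpn1.example.org", [datetime(2025, 5, 12), datetime(2028, 1, 1), datetime(2030, 1, 1)]),
    ("vpn2.example.org", [datetime(2026, 9, 30), datetime(2030, 1, 1)]),
]

if __name__ == "__main__":
    lines = [format_line(s, e) for s, e in SAMPLE_CHAINS]
    print("\n".join(lines))
    for subject, when in expiring_within(lines, 60, datetime(2025, 4, 1)).items():
        print(f"{subject}: trustchain expires {when:%Y-%m-%d}")
```

With the defaults the first sample chain becomes vpn1.example.org,12:05:2025,01:01:2028,,,,,01:01:2030: one intermediate, four empty padding fields, then the root. A reader that checks only the second field would miss an intermediate or root CA that expires before the end entity certificate, which is why expiring_within takes the minimum over the whole chain.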