Determine certificate expiry date #778
-
Hello axis/vapix people. Maybe it's obvious, but not to me. The certificate management API has all the hooks to install / enable 802.1x certs etc. But, short of downloading cert from camera and parsing it through openssl, I don't see a way of getting the expiry date. Getting device or network properties doesn't show it. What am I missing? TIA
Replies: 5 comments 1 reply
-
This automatically generated reply acts as a friendly reminder. Answers to your questions will most often come from the community, from developers like yourself. You will, from time to time, find that Axis employees answer some of the questions, but this is not a guarantee. Think of the discussion forum as a complement to other support channels, not a replacement to any of them. If your question remains unanswered for a period of time, please revisit it to see whether it can be improved by following the guidelines listed in Axis support guidelines.
-
Hi @wiener-dog ,

Using the VAPIX APIs: Certificate management API: GetClientCertificates

```python
import requests
from requests.auth import HTTPDigestAuth
import xml.etree.ElementTree as ET
from cryptography import x509
from cryptography.hazmat.backends import default_backend
import base64

# Camera details
camera_ip = '10.176.12.130'
username = 'Vivek'
password = 'Kumar'

# SOAP request body
soap_body = """
<SOAP-ENV:Envelope xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:tds="http://www.onvif.org/ver10/device/wsdl"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:onvif="http://www.onvif.org/ver10/schema"
    xmlns:tt="http://www.onvif.org/ver10/schema"
    xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope">
    <SOAP-ENV:Body>
        <tds:GetCertificates xmlns="http://www.onvif.org/ver10/device/wsdl">
        </tds:GetCertificates>
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
"""

# Headers for the SOAP request
headers = {
    'Content-Type': 'application/soap+xml; charset=utf-8',
}

# URL of the VAPIX service
url = f'http://{camera_ip}/vapix/services'

# Send the request with Digest Authentication
response = requests.post(url, data=soap_body, headers=headers, auth=HTTPDigestAuth(username, password))
print(response)

# Make sure to extract the text content from the response object
soap_response = response.content.decode('utf-8')

# Parse the XML response
root = ET.fromstring(soap_response)

# Register namespaces to find elements
namespaces = {
    'SOAP-ENV': 'http://www.w3.org/2003/05/soap-envelope',
    'tds': 'http://www.onvif.org/ver10/device/wsdl',
    'tt': 'http://www.onvif.org/ver10/schema'
}

# Find all the certificate details
certificates = root.findall(".//tds:NvtCertificate", namespaces)

# Loop through the certificates, extract the ID and data, decode, and print the details
for cert in certificates:
    cert_id = cert.find('tt:CertificateID', namespaces).text
    cert_data = cert.find('tt:Certificate/tt:Data', namespaces).text

    # Decode the certificate data from base64
    cert_bytes = base64.b64decode(cert_data)

    # Load the certificate using cryptography
    cert_obj = x509.load_der_x509_certificate(cert_bytes, default_backend())

    # Get the certificate's validity period
    not_before = cert_obj.not_valid_before
    not_after = cert_obj.not_valid_after

    # Print the results
    print(f"Certificate Name: {cert_id}")
    print(f" Valid From: {not_before}")
    print(f" Valid Until: {not_after}")
    print(f" Subject: {cert_obj.subject}")
    print(f" Issuer: {cert_obj.issuer}")
    print("-" * 40)
```

Device webpage:

Output:
-
Tks for responding. I know the device manager does this. But that's a slow manual process. We have a ton of cameras, and many more every month. I like your python code... but I have a minimal python install, with no pip access. So it sucks... I think ultimately I'll end up using openssl s_client. But was hoping there was something right in the API that spat out some certificate information. Updated the 802.1x certs on a whole bunch of Q3538's and 37's recently, via API. My code always worked. This time, ran my code on new (older) cameras. When I did that, the CA certs get unconfigured...? wth? On the newer cameras, with newer software that never happened. So now have a bunch of cameras I had to manually reset the CA to get auth working. Ever see that behavior? Love tech... :)
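As an added example (not code from this thread or from Axis): the validity dates can also be read with the Python standard library alone, which suits a minimal install with no pip. It assumes the base64 DER text carried in `tt:Data` of the GetCertificates reply shown in the earlier answer; the sample certificate is a constructed skeleton, and `read_tlv`, `parse_time`, `cert_validity` and `tlv` are names made up here.

```python
import base64
from datetime import datetime, timezone

def read_tlv(buf, pos):                    # -> (tag, value_start, value_end) of DER element
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def parse_time(tag, raw):                  # UTCTime (0x17) or GeneralizedTime (0x18)
    text = raw.decode("ascii")
    if tag == 0x17:                        # RFC 5280: YY >= 50 means 19YY, else 20YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:
        raise ValueError("not an ASN.1 time")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_validity(b64_data):
    """Return (not_before, not_after) from base64 DER, as carried in tt:Data."""
    der = base64.b64decode(b64_data)
    _, pos, _ = read_tlv(der, 0)           # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)         # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                        # optional [0] version field
        pos = end
    for _ in range(3):                     # skip serialNumber, signature, issuer
        _, _, pos = read_tlv(der, pos)
    tag, pos, _ = read_tlv(der, pos)       # validity SEQUENCE
    if tag != 0x30:
        raise ValueError("validity SEQUENCE not found")
    t1, s1, e1 = read_tlv(der, pos)        # notBefore
    t2, s2, e2 = read_tlv(der, e1)         # notAfter
    return parse_time(t1, der[s1:e1]), parse_time(t2, der[s2:e2])

def tlv(tag, value):                       # tiny DER encoder, only to build the sample
    n = len(value)                         # handles lengths below 256
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + value

# Constructed sample: certificate-shaped DER skeleton (dummy signature, no subject or key).
_alg = tlv(0x30, bytes.fromhex("06092a864886f70d01010b0500"))
_name = tlv(0x30, tlv(0x31, tlv(0x30, bytes.fromhex("0603550403") + tlv(0x0C, b"camera"))))
_val = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x18, b"20500101000000Z"))
_tbs = tlv(0x30, bytes.fromhex("a003020102") + tlv(0x02, b"\x01") + _alg + _name + _val)
SAMPLE_B64 = base64.b64encode(tlv(0x30, _tbs + _alg + tlv(0x03, bytes(129)))).decode()
```

This reads the dates only; it does not verify the signature or the chain.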
-
ah, don't have my thinking cap on. I want to be able to check the 802.1x certs, and the s_client won't work on 802.1x certs as they are only available at the switch auth level. And I don't think the GetClientCertificates call works for 802.1x certs.
-
hmmm. Made me think, I'm using soap/xml calls. REST seems easier, just put together some json payloads. To this day, am not able to enable root and set password on initial deployment. Wonder if I can do it with a REST call? Will be deploying a ton more cameras in next 6 months. Want it fully automated... Life is like a box of chocolates
Hi @wiener-dog ,
I agree with you the GetClientCertificates call does not return the 802.1x certs.
Oh 😢 you are using too complicated a system at your end.
Even the VAPIX documentation doesn't have much available to explain here about validity of 802.1x certs: Certificate management API: Assign a certificate to the IEEE 802.1x configuration
You can also try to explore these Beta APIs in new Axis OS versions:
Snapshot using the device webp…