Warn When TLS Certificates Are Close to Expiration #1385

@0rlych1kk4

Story Description:
Currently, TLS certificates configured for CQL, JMX, and the web server are validated only when the connection is established. In long-running deployments, sessions may remain active even after the certificate has expired. This creates an operational visibility gap, as certificate expiration may not be detected until a restart or a new connection attempt occurs.
The proposed improvement is to add certificate expiration validation at startup (or certificate load time) and generate log messages when a certificate is close to expiration or already expired. This change is intended to improve operational awareness without modifying existing connection behavior.
Suggested implementation area
The change would likely be implemented where TLS contexts or keystores are loaded and initialized, such as:

  • Security configuration loading (security.yml)
  • SSL context / keystore initialization for CQL and JMX connections
  • Web server TLS configuration in application.yml

The implementation should:

  1. Read the certificate validity period (NotAfter)
  2. Compare it with the current system time
  3. Log warnings or errors accordingly

This proposal is related to the secure connections discussion (#785).

Acceptance Criteria:

  • When a configured TLS certificate will expire within 14 days, a WARN log is generated indicating the expiration date and the affected connection type (CQL, JMX, or Web).
  • If a configured TLS certificate is already expired at startup or load time, an ERROR log is generated.
  • Certificate validation is performed during application startup or when TLS configuration is initialized.
  • The change does not modify connection, authentication, or session behavior (logging only).
  • The feature applies to all TLS-enabled components (CQL, JMX, Web).

Definition of Done:

  • Certificate expiration checks implemented and logging added.
  • Unit test (or integration test if applicable) validates warning and error scenarios.
  • No changes to existing configuration schema.
  • No breaking changes to current behavior.
  • Code follows project logging and style conventions.
  • Documentation updated if necessary (logging behavior description).

Notes:
This enhancement improves operational safety for long-running VM or container deployments by allowing operators to detect upcoming certificate expiration and plan rotation proactively. No runtime configuration changes are proposed for the initial implementation.

I would be happy to contribute an implementation if this proposal is accepted.
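
A sketch of the check described in this issue, added here as an illustration; it is not part of the original post or the project's code. It reads NotAfter from each certificate in a keystore, compares it with the current time, and logs per the acceptance criteria without throwing on expiry. Assumptions: a PKCS12 keystore, `java.util.logging` standing in for the project's logger (`warning` for WARN, `severe` for ERROR), and hypothetical class and method names.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Collections;
import java.util.logging.Logger;

// Added illustration; names are hypothetical, not taken from the project.
public class CertExpiryCheck {
    enum Status { OK, EXPIRING_SOON, EXPIRED }
    private static final Logger LOG = Logger.getLogger(CertExpiryCheck.class.getName());
    static final Duration WARN_WINDOW = Duration.ofDays(14); // from the acceptance criteria

    // Pure decision logic, separated so tests can pass a fixed "now".
    static Status classify(Instant notAfter, Instant now) {
        if (now.isAfter(notAfter)) return Status.EXPIRED; // NotAfter itself is still valid
        if (!now.plus(WARN_WINDOW).isBefore(notAfter)) return Status.EXPIRING_SOON;
        return Status.OK;
    }

    // Logging only: expiry never raises, so connection behavior is unchanged.
    static void checkKeystore(Path file, char[] password, String connectionType, Instant now)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12"); // assumption: PKCS12 format
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias); // leaf certificate for key entries
            if (!(cert instanceof X509Certificate)) continue;
            Instant notAfter = ((X509Certificate) cert).getNotAfter().toInstant();
            Status s = classify(notAfter, now);
            String msg = connectionType + " TLS certificate '" + alias + "' NotAfter=" + notAfter;
            if (s == Status.EXPIRED) LOG.severe(msg + " (already expired)");
            else if (s == Status.EXPIRING_SOON) LOG.warning(msg + " (expires within 14 days)");
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 3) { // usage: <keystore.p12> <password> <CQL|JMX|Web>
            checkKeystore(Path.of(args[0]), args[1].toCharArray(), args[2], Instant.now());
            return;
        }
        Instant now = Instant.parse("2025-01-01T00:00:00Z"); // constructed sample dates below
        for (String d : new String[] {"2024-12-31T00:00:00Z", "2025-01-10T00:00:00Z", "2025-03-01T00:00:00Z"})
            System.out.println(d + " -> " + classify(Instant.parse(d), now));
    }
}
```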


Labels: enhancement
