Auto-Tidy Disabled

Take the necessary steps to ensure that vHSM’s auto-tidy functionality is enabled, allowing for efficient and regular cleanup of revoked certificates, expired certificate data, and related resources.

This health check ensures that vHSM’s auto-tidy functionality is enabled with appropriate settings to clean up revoked certificates, expired cert data, and related resources regularly and efficiently.

Health Check Name: enable_auto_tidy

Accessed APIs

| Method | Endpoint | Description |
| --- | --- | --- |
| READ | /config/auto-tidy | Retrieves the auto-tidy configuration. |

Configuration Parameters

| Parameter | Default Value | Description |
| --- | --- | --- |
| interval_duration_critical | 7d | Maximum interval duration allowed before marking status as Critical. |
| interval_duration_warning | 2d | Maximum interval duration allowed before marking status as Warning. |
| pause_duration_critical | 1s | Maximum pause duration allowed before marking status as Critical. |
| pause_duration_warning | 200ms | Maximum pause duration allowed before marking status as Warning. |

Health Check Description

This health check verifies:

  • Whether auto-tidy is enabled.

  • Whether interval_duration and pause_duration are set within best-practice thresholds.

Health Check Results

| Status Outcome | Description |
| --- | --- |
| Informational | Auto-tidy is disabled. Enabling it is a best-practice recommendation but not mandatory. |
| Warning / Critical | interval_duration or pause_duration values exceed the defined thresholds, potentially impacting performance or certificate lifecycle management. |

To remediate warnings or critical statuses and enable optimal certificate lifecycle management:

Note: Replace <mount> with your actual secrets engine mount path.

Enable Auto-Tidy with Recommended Defaults

vhsm write <mount>/config/auto-tidy \
  enabled=true \
  tidy_cert_store=true \
  tidy_revoked_certs=true \
  tidy_acme=true \
  tidy_revocation_queue=true \
  tidy_cross_cluster_revoked_certs=true \
  tidy_revoked_cert_issuer_associations=true
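
To check a configuration against the thresholds above before or after applying the command, the evaluation this health check describes can be reproduced offline. The following is an added example, not vHSM's own code. It assumes the configuration read from /config/auto-tidy is available as a dict with `enabled`, `interval_duration` and `pause_duration`, that durations are strings such as `12h` or bare numbers of seconds, and it uses `OK` as a hypothetical name for a passing result.

```python
import re

# Default thresholds from the Configuration Parameters table on this page.
THRESHOLDS = {
    "interval_duration": {"warning": "2d", "critical": "7d"},
    "pause_duration": {"warning": "200ms", "critical": "1s"},
}
UNIT_MS = {"ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000, "d": 86_400_000}
TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ms|s|m|h|d)")


def to_ms(value):
    """Parse '200ms', '1h30m', '7d' or a bare number of seconds into milliseconds."""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return value * 1000
    text = str(value).strip()
    if re.fullmatch(r"\d+(?:\.\d+)?", text):
        return float(text) * 1000
    pos, total = 0, 0.0
    for m in TOKEN.finditer(text):
        if m.start() != pos:  # reject gaps such as '1h x 30m'
            break
        total += float(m.group(1)) * UNIT_MS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"unparseable duration: {value!r}")
    return total


def evaluate(config):
    """Return (status, findings) for one auto-tidy configuration dict."""
    if not config.get("enabled", False):
        return "Informational", ["auto-tidy is disabled"]
    rank = {"OK": 0, "Warning": 1, "Critical": 2}  # "OK" is a hypothetical name
    status, findings = "OK", []
    for field, limits in THRESHOLDS.items():
        if field not in config:  # assumption: an absent field is not judged
            continue
        value = to_ms(config[field])
        for level in ("Critical", "Warning"):  # most severe first
            if value > to_ms(limits[level.lower()]):
                findings.append(f"{field}={config[field]} exceeds {limits[level.lower()]}")
                status = max(status, level, key=rank.get)
                break
    return status, findings


if __name__ == "__main__":
    sample = {"enabled": True, "interval_duration": "3d", "pause_duration": "2s"}  # constructed
    print(evaluate(sample))
```

A value equal to a threshold is treated as within it, since the table defines each threshold as the maximum allowed.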
