Managing Certificate Expiration Alerts

Learn how to manage Alerts and notification emails relating to certificate expiration.

Overview

The Akana platform generates alerts when certificates are getting close to their expiration dates or have expired.

The scheduled jobs that generate alerts, and the alerts that are generated, are different for the two categories of certificates: Trusted CA Certificates (certificates in the Trust Store) and user certificates.

When a scheduled job finds that a certificate has expired, or will expire soon, an Alert is generated in Policy Manager. You can also configure an email notification.

The timing and frequency of the scheduled job, the alert code, and the email notification content vary according to the type of certificate. For details, see the sections below.

Expiration of Trusted CA Certificates (certificates in the Trust Store)

Policy Manager checks for expiration of Trusted CA Certificates, and generates an Alert if needed.

Generating an Alert when a Trusted CA Certificate is expiring is associated with the following Policy Manager scheduled job: trusted.certs.expiration.checker.job.

This job runs monthly, at 3:15 AM on the 15th of the month.

The job checks Trusted CA Certificates for expiration.

If this job finds one or more certificates that will expire within 100 days, the following alert is generated in Policy Manager (Minor):

Code 508005: Trusted Certificate will expire soon.

If a certificate expires, the following alert is generated immediately in Policy Manager (Normal):

Code 508004: Trusted Certificate has expired.

The Alert code and message are displayed in the Policy Manager Workbench, Alerts section.

You can configure an email group (see Create Email Groups for Alerts) and then configure the Alert code to send an email when the Alert is generated (see Using Alert Codes).

If the Alert is also linked to an email group, the email is sent to the target group. This is managed by a different scheduled job: am.fetch.alerts.for.dispatch.job. This job runs every 30 seconds and processes alert data in the queue.
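Because the trusted-certificate check runs only once a month, the notice you actually get from Code 508005 depends on where the expiry date falls relative to the 15th. The following sketch is an added example, not Akana code: it models the schedule described above and computes the first run that would flag a given expiry date. It assumes the job flags a certificate when its expiry is 100 days or less after the run time and that all times are in the server's local time; the function names and sample dates are constructed for illustration.

```python
from datetime import datetime, timedelta

WARN_WINDOW = timedelta(days=100)           # "will expire within 100 days" (from the page)
RUN_DAY, RUN_HOUR, RUN_MINUTE = 15, 3, 15   # monthly run: 15th at 3:15 AM (from the page)


def job_runs(start, end):
    """Yield each monthly run time of the checker job that falls in [start, end]."""
    year, month = start.year, start.month
    while True:
        run = datetime(year, month, RUN_DAY, RUN_HOUR, RUN_MINUTE)
        if run > end:
            return
        if run >= start:
            yield run
        month += 1
        if month > 12:
            year, month = year + 1, 1


def first_warning(not_after):
    """Return the first run that would raise 508005 for this expiry date
    (assumed rule: not_after - run <= 100 days), or None if there is none."""
    for run in job_runs(not_after - WARN_WINDOW, not_after):
        if run < not_after:
            return run
    return None


def lead_time_days(not_after):
    """Whole days of notice between the first 508005 alert and expiry."""
    run = first_warning(not_after)
    return None if run is None else (not_after - run).days


# Constructed sample expiry dates (not taken from any real trust store).
SAMPLES = {
    "window-opens-just-before-a-run": datetime(2025, 6, 23, 3, 0),
    "window-opens-just-after-a-run": datetime(2025, 6, 23, 4, 0),
    "expires-at-start-of-month": datetime(2025, 7, 1, 0, 0),
}

if __name__ == "__main__":
    for name, not_after in SAMPLES.items():
        print(f"{name}: first alert {first_warning(not_after)}, "
              f"{lead_time_days(not_after)} days of notice")
```

Under these assumptions, two certificates that expire an hour apart can receive 99 and 69 days of notice respectively, so plan renewals around the shorter figure.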

Expiration of User Certificates

Policy Manager checks for expiration of user certificates, and generates an Alert if needed.

Generating an Alert when a user certificate is expiring is associated with the following Policy Manager scheduled job: user.certs.expiration.checker.job. This job runs daily at 2:15 AM.

The job checks user certificates for expiration, and the following Alert is generated:

  • 508007 - User certificate will expire soon

The Alert code and message are displayed in the Policy Manager Workbench, Alerts section.

You can configure the platform to send an email notification when a user certificate is expiring:

  • By configuring a custom email that is sent to the individual user. For details, see User Certificate Renewal.
  • By configuring an organizational contact. See To set up an organization contact for email notifications.
  • By configuring an email group (see Using Email Groups) and then configuring the Alert code to send an email when the Alert is generated (see Using Alert Codes).

    If the Alert is linked to an email group, the email is sent to the target group. However, this is managed by a different scheduled job: am.fetch.alerts.for.dispatch.job. This job runs every 30 seconds and processes alert data in the queue.

Role of Organizational Email in User Certificate notifications

In Policy Manager, you can configure one or more organizational contacts to whom certain notifications can be sent.

In the case of user certificate expiration, when the user.certs.expiration.checker.job scheduled job finds a certificate that is about to expire, an email notification is sent, as follows:

  • If the user email details are configured on the User Certificate Renewal page, a notification is sent to the user email.
  • If the organization contact is configured, a notification is sent to the organization contact. See To set up an organization contact below.
  • If both are configured, notifications are sent to both.
  • If neither is configured, no notification is sent.

To set up an organization contact for email notifications

Tip: When adding a contact, for Use type you can use the Primary keyword. Each root item in the Registry tree has a Contacts tab; contacts can be configured at different levels.

  1. Log in to Policy Manager.
  2. On the left, under the Organization Tree, go to API Platform Tenants and choose the tenant.
  3. On the right, click the Contacts tab and then click Add Contact, as shown below.

    Contacts > Add Contact

  4. Enter the contact details and click Apply. Additional tabs are enabled for the contact so that you can add contact information: Emails, Phones, and Addresses.
  5. Add contact information as needed and save.