Managing Certificate Expiration Alerts
Learn how to manage Alerts and notification emails relating to certificate expiration.
Table of Contents
- Overview
- Expiration of Trusted CA Certificates (certificates in the Trust Store)
- Expiration of User Certificates
Overview
The Akana platform generates alerts when certificates are getting close to their expiration dates or have expired.
The scheduled jobs that generate alerts, and the alerts that are generated, are different for the two categories of certificates:
- Trusted CA Certificates (certificates in the Trust Store)
- User certificates (includes listener certificates)
When a scheduled job finds that a certificate has expired, or will expire soon, an Alert is generated in Policy Manager. You can also configure an email notification.
The timing and frequency of the scheduled job, the alert code, and the email notification content vary according to the type of certificate.
Expiration of Trusted CA Certificates (certificates in the Trust Store)
Policy Manager checks for expiration of Trusted CA Certificates, and generates an Alert if needed.
Generating an Alert when a Trusted CA Certificate is expiring is associated with the following Policy Manager scheduled job: trusted.certs.expiration.checker.job.
This job can be configured to run daily or weekly on any day of the week.
The job checks Trusted CA Certificates for expiration, and one of the following Alerts is generated:
- Code 508005 - Trusted Certificate will expire soon
- Code 508004 - Trusted Certificate has expired
The Alert code and message are displayed in the Policy Manager Workbench, Alerts section.
You can configure an email group (see Create Email Groups for Alerts) and then configure the Alert code to send an email when the Alert is generated (see Using Alert Codes).
If the Alert is also linked to an email group, the email is sent to the target group. This is managed by a different scheduled job: am.fetch.alerts.for.dispatch.job. This job runs every 30 seconds and processes alert data in the queue.
Expiration of User Certificates
Policy Manager checks for expiration of user certificates, and generates an Alert if needed.
Generating an Alert when a user certificate is expiring is associated with the following Policy Manager scheduled job: user.certs.expiration.checker.job. This job runs daily.
The job checks user certificates for expiration, and one of the following Alerts is generated:
- Code 508006 - User certificate has expired
- Code 508007 - User certificate will expire soon
The Alert code and message are displayed in the Policy Manager Workbench, Alerts section.
You can configure the platform to send an email notification when a user certificate is expiring:
- By configuring a custom email that is sent to the individual user. For details, see Certificate Renewal.
- By configuring an email group (see Using Email Groups) and then configuring the Alert code to send an email when the Alert is generated (see Using Alert Codes).
The default email group "Certificate Manager Email Group - System Generated" is created for trusted and user certificates if the email groups are not configured.
If the Alert is linked to an email group, the email is sent to the target group. However, this is managed by a different scheduled job: am.fetch.alerts.for.dispatch.job. This job runs every 30 seconds and processes alert data in the queue.