Expiration Alert Operations

Expiration alerts are based on certificate collections. Before you can work with expiration alerts, you need to have created a certificate collection on which to base the alert (see Certificate Search and Collections).

Refer to the following table for a complete list of the substitutable special text that can be used to customize alert messages.

Table 9: Substitutable Special Text for Expiration Alerts

| Variable | Name | Description |
|---|---|---|
| {certemail} | Email Address in Certificate | Email address contained in the certificate, if present |
| {cn} | Common Name | Common name contained in the certificate |
| {dn} | Distinguished Name | Distinguished name contained in the certificate |
| {certnotbefore} | Issue Date | Validity date of the certificate |
| {certnotafter} | Expiration Date | Expiration date of the certificate |
| {issuerDN} | Issuer DN | Distinguished name of the certificate’s issuer |
| {locations:certstore} | Certificate Store Locations | The server and path location to the certificate store(s) where the certificate resides, if any, for certificates found in certificate stores (e.g. server1.keyexample.com – /opt/test/mystore.jks) |
| {principal:mail} | Principal’s Email | Email address retrieved from Active Directory of the user whose UPN is contained in the SAN field of the certificate, if present |
| {principal:givenname} | Principal’s First Name | First name retrieved from Active Directory of the user whose UPN is contained in the SAN field of the certificate, if present |
| {principal:sn} | Principal’s Last Name | Last name retrieved from Active Directory of the user whose UPN is contained in the SAN field of the certificate, if present |
| {principal:displayname} | Principal’s Display Name | Display name retrieved from Active Directory of the user whose UPN is contained in the SAN field of the certificate, if present |
| {requester} | Requester | The user account that requested the certificate from the CA, in the form "DOMAIN\username" |
| {requester:mail} | Requester’s Email | Email address retrieved from Active Directory of the user account that requested the certificate from the CA, if present |
| {requester:givenname} | Requester’s First Name | First name retrieved from Active Directory of the user account that requested the certificate from the CA, if present |
| {requester:sn} | Requester’s Last Name | Last name retrieved from Active Directory of the user account that requested the certificate from the CA, if present |
| {requester:displayname} | Requester’s Display Name | Display name retrieved from Active Directory of the user account that requested the certificate from the CA, if present |
| {careqid} | Issuing CA / Request ID | A string containing the Issuing CA name and the certificate’s Request ID from the CA |
| {serial} | Serial Number | The serial number of the certificate |
| {locations:ssl} | SSL Locations | The server location(s) where the certificate resides, if any, for certificates synchronized using SSL synchronization |
| {san} | Subject Alternative Name | Subject alternative name(s) contained in the certificate |
| {template} | Template Name | Name of the certificate template used to create the certificate |
| {templateshortname} | Template Short Name | Short name (often the name with no spaces) of the certificate template used to create the certificate |
| {thumbprint} | Thumbprint | The thumbprint (hash) of the certificate |
| {upn} | User Principal Name | The user principal name (UPN) contained in the subject alternative name (SAN) field of the certificate, if present (e.g. "username@keyexample.com") |
| {metadata: Email-Contact} | Email-Contact | Example of a custom metadata field |
| {principal:field} | String Value from AD | Locates the object in Active Directory identified by the UPN in the certificate (if present), and substitutes the contents of the attribute named by "field". For example: {principal:department}, {principal:sAMAccountName}, {principal:manager}, {principal:co}. Note: This substitutable special text field is partially user defined—you pick the field out of AD to include—and is therefore not available in the Insert special text dropdown; it needs to be typed manually. |
| {requester:field} | String Value from AD | Locates the object in Active Directory identified by the user or computer account that requested the certificate from the CA, and substitutes the contents of the attribute named by "field". For example, for users: {requester:department}, {requester:sAMAccountName}. For computers: {requester:operatingSystem}, {requester:location}, {requester:managedBy}. Note: This substitutable special text field is partially user defined—you pick the field out of AD to include—and is therefore not available in the Insert special text dropdown; it needs to be typed manually. |
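
Because the {principal:field} and {requester:field} forms have to be typed manually, it helps to check alert message text against the table before saving it. The following is an added example, not Keyfactor code: the function name lint_alert_template is hypothetical, and it assumes that tokens must match the table's spelling exactly and that the names of your custom metadata fields are supplied by the caller.

```python
import re

# Fixed tokens exactly as spelled in the table above.
FIXED_TOKENS = {
    "certemail", "cn", "dn", "certnotbefore", "certnotafter", "issuerDN",
    "locations:certstore", "locations:ssl", "requester", "careqid", "serial",
    "san", "template", "templateshortname", "thumbprint", "upn",
}
# {principal:field} / {requester:field}: "field" is an AD attribute name.
# LDAP attribute names are a letter followed by letters, digits or hyphens.
AD_FIELD = re.compile(r"(principal|requester):[A-Za-z][A-Za-z0-9-]*")
METADATA = re.compile(r"metadata:\s*(.+)")
TOKEN = re.compile(r"\{([^{}]*)\}")


def lint_alert_template(text, metadata_fields=()):
    """Return (token, problem) pairs for tokens that do not match the table.

    Assumptions of this example: spelling must match the table exactly, and
    metadata_fields lists the custom metadata field names defined locally.
    """
    findings = []
    by_lower = {t.lower(): t for t in FIXED_TOKENS}
    for match in TOKEN.finditer(text):
        token = match.group(1)
        if token in FIXED_TOKENS or AD_FIELD.fullmatch(token):
            continue
        meta = METADATA.fullmatch(token)
        if meta:
            if meta.group(1).strip() not in metadata_fields:
                findings.append((token, "unknown metadata field"))
        elif token.strip().lower() in by_lower:
            hint = by_lower[token.strip().lower()]
            findings.append((token, "did you mean {%s}" % hint))
        else:
            findings.append((token, "unknown token"))
    # Braces left over once well-formed tokens are removed are unbalanced.
    if re.search(r"[{}]", TOKEN.sub("", text)):
        findings.append(("", "unbalanced brace"))
    return findings


# Constructed sample message for this example, not taken from the product.
SAMPLE = (
    "Certificate {cn} (serial {serial}) from {issuerdn} expires {certnotafter}. "
    "Owner: {principal:displayname}, {principal:department}. "
    "Contact: {metadata: Email-Contact}; cost center {metadata:CostCenter}; "
    "host OS {requester:operating system}."
)
```

Calling lint_alert_template(SAMPLE, {"Email-Contact"}) reports the miscased {issuerdn}, the undefined metadata field, and the AD attribute name that contains a space.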