Expiration Alert Operations

Expiration alerts are based on certificate collections. Before you can work with expiration alerts, you need to have created a certificate collection on which to base the alert (see Certificate Search and Collections). A collection is a saved result of the certificate search function, which lets you query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates; saved collections are available in other places in the Management Portal (e.g. expiration alerts and certain reports).

Note:  Expiration alerts support using either the legacy alerting system to deliver alerts or the newer workflow system. A workflow is a series of steps necessary to complete a process; in the context of Keyfactor Command, it refers to the workflow builder, which allows you to automate event-driven tasks when a certificate is requested or revoked. The workflow system offers more options for injecting actions in the process than the legacy alerting system. To configure an alert to use the workflow system for alerting, toggle Use Workflows to enable the option and create a workflow for the alert (see details below).

When alerts are run using workflows, two Keyfactor Command service jobs perform this function. The first, running on the schedule configured for the alert (see Configuring an Expiration Alert Schedule), gathers any expiring certificates that meet the alert criteria. The second, running every 10 minutes, takes the collected expiring certificates and generates a workflow instance for each of them.

Refer to the following table for a complete list of the substitutable special text that can be used to customize alert messages.

Table 6: Substitutable Special Text for Expiration Alerts

Variable | Name | Description
---------- | ---------- | ----------
{certemail} | Email Address in Certificate | Email address contained in the certificate, if present
{cn} | Common Name | Common name contained in the certificate
{dn} | Distinguished Name | Distinguished name contained in the certificate
{certnotbefore} | Issue Date | Start of the certificate’s validity period (the NotBefore date)
{certnotafter} | Expiration Date | End of the certificate’s validity period (the NotAfter date)
{issuerDN} | Issuer DN | Distinguished name of the certificate’s issuer
{locations:certstore} | Certificate Store Locations | The server and path location of the certificate store(s) where the certificate resides, if any, for certificates found in certificate stores (e.g. server1.keyexample.com – /opt/test/mystore.jks)
{principal:mail} | Principal’s Email | Email address retrieved from Active Directory for the user whose UPN is contained in the SAN field of the certificate, if present (AD only)
{principal:givenname} | Principal’s First Name | First name retrieved from Active Directory for the user whose UPN is contained in the SAN field of the certificate, if present (AD only)
{principal:sn} | Principal’s Last Name | Last name retrieved from Active Directory for the user whose UPN is contained in the SAN field of the certificate, if present (AD only)
{principal:displayname} | Principal’s Display Name | Display name retrieved from Active Directory for the user whose UPN is contained in the SAN field of the certificate, if present (AD only)
{requester} | Requester | The user account that requested the certificate from the CA, in the form DOMAIN\username
{requester:mail} | Requester’s Email | Email address retrieved from Active Directory for the user account that requested the certificate from the CA, if present (AD only)
{requester:givenname} | Requester’s First Name | First name retrieved from Active Directory for the user account that requested the certificate from the CA, if present (AD only)
{requester:sn} | Requester’s Last Name | Last name retrieved from Active Directory for the user account that requested the certificate from the CA, if present (AD only)
{requester:displayname} | Requester’s Display Name | Display name retrieved from Active Directory for the user account that requested the certificate from the CA, if present (AD only)
{careqid} | Issuing CA / Request ID | A string containing the issuing CA name and the certificate’s Request ID from the CA
{serial} | Serial Number | The serial number of the certificate
{locations:ssl} | SSL Locations | The server location(s) where the certificate resides, if any, for certificates discovered by SSL synchronization
{san} | Subject Alternative Name | Subject alternative name(s) contained in the certificate
{template} | Template Name | Name of the certificate template used to create the certificate
{templateshortname} | Template Short Name | Short name (often the name with no spaces) of the certificate template used to create the certificate
{thumbprint} | Thumbprint | The thumbprint (hash) of the certificate
{upn} | User Principal Name | The user principal name (UPN) contained in the subject alternative name (SAN) field of the certificate, if present (e.g. username@keyexample.com)
{metadata: Email-Contact} | Email-Contact | Example of a custom metadata field token; the text after metadata: is the name of the metadata field whose value is substituted
{principal:field} | String Value from AD | Locates the object in Active Directory identified by the UPN in the certificate (if present) and substitutes the contents of the attribute named by field, e.g. {principal:department}, {principal:sAMAccountName}, {principal:manager}, {principal:co} (user-defined field; AD only)
{requester:field} | String Value from AD | Locates the object in Active Directory identified by the user or computer account that requested the certificate from the CA and substitutes the contents of the attribute named by field, e.g. for users {requester:department} or {requester:sAMAccountName}, and for computers {requester:operatingSystem}, {requester:location} or {requester:managedBy} (user-defined field; AD only)

Note:  Tokens marked "AD only" (all {principal:...} tokens and the {requester:...} attribute lookups) are only supported in environments using Active Directory as an identity provider.

Note:  The {principal:field} and {requester:field} tokens are partially user defined (you pick the attribute out of AD to include) and are therefore not available in the Insert special text dropdown; they need to be typed manually.
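To make the token grammar concrete, the following is an added example written for this page; it is not Keyfactor Command code and does not claim to reflect how the product implements substitution. It renders an alert template against one constructed certificate record and a constructed stand-in for Active Directory, and covers the fixed certificate-field tokens, {locations:...}, {metadata: Name}, and the user-defined {principal:field} / {requester:field} forms, including the case where Active Directory is not the identity provider. Every name in it (render_alert, SAMPLE_CERT, SAMPLE_DIRECTORY, the sample values) is an assumption made for the example.

```python
import re
from typing import Dict, Mapping, Optional

# Token grammar used by the table above: {name} or {name:argument}. Whitespace
# after the colon is tolerated so "{metadata: Email-Contact}" works as written.
TOKEN = re.compile(r"\{([A-Za-z]+)(?::\s*([^}]+?))?\}")

# Fixed certificate-field tokens from Table 6 (compared case-insensitively).
# Absent fields render as empty text, matching the table's "if present".
CERT_FIELDS = {
    "certemail", "cn", "dn", "certnotbefore", "certnotafter", "issuerdn",
    "requester", "careqid", "serial", "san", "template", "templateshortname",
    "thumbprint", "upn",
}

# Constructed sample (not real data): one expiring certificate as the alert
# job would see it. Keys are the token names; metadata/locations are nested.
SAMPLE_CERT: Dict[str, object] = {
    "cn": "web01.keyexample.com",
    "dn": "CN=web01.keyexample.com,O=Key Example,C=US",
    "issuerDN": "CN=Key Example Issuing CA,O=Key Example,C=US",
    "certnotbefore": "2024-01-15",
    "certnotafter": "2025-01-15",
    "serial": "2F00000005A1",
    "san": "DNS:web01.keyexample.com, UPN:jsmith@keyexample.com",
    "upn": "jsmith@keyexample.com",
    "requester": "KEYEXAMPLE\\jsmith",
    "template": "Key Example Web Server",
    "metadata": {"Email-Contact": "pki-team@keyexample.com"},
    "locations": {
        "certstore": "server1.keyexample.com - /opt/test/mystore.jks",
        "ssl": "web01.keyexample.com:443",
    },
}

# Constructed stand-in for Active Directory. {principal:...} is resolved via
# the UPN from the SAN, {requester:...} via the requesting DOMAIN\username.
_JSMITH: Dict[str, str] = {
    "mail": "jsmith@keyexample.com", "givenName": "Jane", "sn": "Smith",
    "displayName": "Jane Smith", "sAMAccountName": "jsmith",
    "department": "Platform Engineering",
}
SAMPLE_DIRECTORY: Dict[str, Mapping[str, str]] = {
    "jsmith@keyexample.com": _JSMITH,
    "KEYEXAMPLE\\jsmith": _JSMITH,
}


def _ad_attribute(obj: Optional[Mapping[str, str]], attr: str) -> str:
    """Return one attribute of a directory object; AD names are case-insensitive."""
    if not obj:
        return ""
    wanted = attr.lower()
    return next((v for k, v in obj.items() if k.lower() == wanted), "")


def render_alert(template: str, cert: Mapping[str, object],
                 directory: Mapping[str, Mapping[str, str]],
                 ad_identity_provider: bool = True) -> str:
    """Expand the substitutable special text in one alert template.

    {field}            certificate field from CERT_FIELDS, "" if absent
    {locations:X}      certificate store / SSL location list
    {metadata: Name}   custom metadata field Name
    {principal:attr}   AD attribute of the user named by the UPN in the SAN
    {requester:attr}   AD attribute of the account that requested the cert
    Anything else is left exactly as typed so template typos stay visible.
    """
    fields = {k.lower(): v for k, v in cert.items()}
    metadata = cert.get("metadata") or {}
    locations = cert.get("locations") or {}

    def expand(match):
        name, arg = match.group(1), match.group(2)
        if arg is None:
            if name.lower() in CERT_FIELDS:
                return str(fields.get(name.lower(), ""))
            return match.group(0)
        arg = arg.strip()
        if name == "metadata":
            return str(metadata.get(arg, ""))
        if name == "locations":
            return str(locations.get(arg, ""))
        if name in ("principal", "requester"):
            if not ad_identity_provider:
                return ""  # these tokens are only supported with AD as IdP
            key = cert.get("upn" if name == "principal" else "requester")
            return _ad_attribute(directory.get(str(key)) if key else None, arg)
        return match.group(0)

    # Single pass over the template: substituted values are never rescanned,
    # so a CN that itself contains "{requester:mail}" is emitted literally.
    return TOKEN.sub(expand, template)


if __name__ == "__main__":
    TEMPLATE = ("Certificate {cn} (serial {serial}) issued by {issuerDN} "
                "expires on {certnotafter}. Stores: {locations:certstore}. "
                "Owner: {principal:displayname} <{principal:mail}>, "
                "{requester:department}. Escalation: {metadata: Email-Contact}.")
    print(render_alert(TEMPLATE, SAMPLE_CERT, SAMPLE_DIRECTORY))
```

Three design choices in the example are worth carrying over when you author real templates: unknown tokens are left as typed rather than silently blanked, so a misspelled token shows up in the test message; the AD-backed tokens collapse to empty text when Active Directory is not the identity provider, which is the behaviour the table's "AD only" notes imply; and substitution is a single pass, so certificate subject fields and metadata values, which originate outside the alerting system, are treated purely as data and never re-interpreted as further tokens.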