Expiration Alert Operations

Expiration alerts are based on certificate collections. Before you can work with expiration alerts, you need to have created a certificate collectionClosed The certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates and save the results as a collection that will be availble in other places in the Management Portal (e.g. expiration alerts and certain reports). on which to base the alert (see Certificate Search and Collections).

Note:  Expiration alerts support using either the legacy alerting system to deliver alerts or the newer workflowClosed A workflow is a series of steps necessary to complete a process. In Keyfactor Command, it refers to the workflow builder, which allows you to automate event-driven tasks such as when a certificate is requested, revoked or found in a certificate store. system. The workflow system offers more options for injecting actions in the process than the legacy alerting system. To configure an alert to use the workflow system for alerting, toggle Use Workflows to enable the option and create a workflow for the alert (see details below).

When the alerts are run using workflow, there are two Keyfactor Command service jobs that perform this function. The first, running as scheduled for the alerts (see Configuring an Expiration Alert Schedule), gathers any expiring certificates that meet the alert criteria. The second, running every 10 minutes, takes the collected expiring certificates and generates workflow instances for each.

  1. In the Management Portal, browse to Alerts > Expiration.
  2. On the Expiration Alerts page, click Add from the top menu to create a new alert, or Edit from either the top or right click menu, to modify an existing one (which will allow you to access the workflow configuration when editing).

  3. In the Certificate Expiration Alert Settings dialog, select your Certificate Collection in the first dropdown.

  4. In the Timeframe fields, select the warning timeframe by defining a number for either days, weeks, or months for the alert. For example, if you select three weeks, the expiration alerts will be sent automatically three weeks ahead of certificate expiration.

    Note:  When the alert is stored in the database, weeks are converted to 7 days and months are converted to 30 days.
    Example:  When alerts run, the legacy alerting system or workflow reports on all the certificates expiring within the next X days (e.g. 30 days) from the execution time that have not previously been reported on. This means that if the alerts run daily and have been running daily regularly for some time, only a single day of expiring certificates will be reported on by any given alert run.

    For example, say you create a new alert that has never run before for collection A and set it to 30 days. You configure it to run daily at 5:00 am. The alert runs for the first time at 5:00 am on July 1st. All the certificates in collection A that will expire between July 1st at 12:00 am UTC and July 31 at 12:00 am UTC will be alerted on. The next day when the alert runs again at 5:00 am on July 2nd, the certificates in collection A expiring between July 31st at 12:00 am UTC and August 1st at 12:00 am UTC will be alerted on.

    If alerts are missed for a period of time (due to an outage, for example), the next run of the alerts will check the previous successful run date for the alerts and report on certificates expiring X days from that outage window. For example, using the collection A alert referenced above, say an outage caused the alerts not to run on August 1 and August 2. On August 3, the alert would run again at 5:00 am, and the certificates in collection A expiring between August 30th at 12:00 am UTC and September 2nd at 12:00 am UTC would be alerted on.

  5. In the Display Name field, enter a name for the alert. This name appears in the list of expiration alerts in the Management Portal.

  6. To use workflow to deliver the alerts, leave the Use Workflows toggle enabled. To use the legacy alerting system to deliver the alerts, toggle the Use Workflows to disabled.

    Note:  The Configure Workflow button will be grayed out on new alerts until the new alert is saved. Configuring workflow on an existing alert may be done from the Edit or Configure Workflow action buttons.

    Figure 139: Create an Expiration Alert with Use Workflows Enabled

  7. If you toggled the Use Workflows option to disabled, you will see the Subject field. Enter a subject line for the email message that will be delivered when the alert is triggered. You can use substitutable special text in the subject line. Substitutable special text uses a variable in the alert definition that is replaced by data from the certificate or certificate metadataClosed Metadata provides information about a piece of data. It is used to summarize basic information about data, which can make working with the data easier. In Keyfactor Command, the certificate metadata feature allows you to create custom metadata fields that allow you to tag certificates with tracking information about certificates. at processing time. For example, you can enter {cnClosed A common name (CN) is the component of a distinguished name (DN) that represents the primary name of the object. The value varies depending on the type of object. For a user object, this would be the user's name (e.g. CN=John Smith). For SSL certificates, the CN is typically the fully qualified domain name (FQDN) of the host where the SSL certificate will reside (e.g. servername.keyexample.com or www.keyexample.com).} in the alert definition and each alert generated at processing time will contain the specific common nameClosed A common name (CN) is the component of a distinguished name (DN) that represents the primary name of the object. The value varies depending on the type of object. For a user object, this would be the user's name (e.g. CN=John Smith). For SSL certificates, the CN is typically the fully qualified domain name (FQDN) of the host where the SSL certificate will reside (e.g. servername.keyexample.com or www.keyexample.com). of the given certificate instead of the variable {cn}.

    To add substitutable special text to the subject line; place your cursor where you would like the text to appear on the subject line, select the appropriate variable from the Insert special text dropdown, and click Insert. Alternately, type the special text variable enclosed in curly braces (e.g. {cn}).

  8. If you toggled the Use Workflows option to disabled, you will see the Message box. Enter the body of the email message that will be delivered when the alert is triggered. You can use the Insert special text dropdown below the message window to add substitutable special text to the message. The metadata that appears in the dropdown will depend upon the custom metadata you have defined (see Certificate Metadata). Place your cursor where you would like the text to appear, select the appropriate variable from the dropdown, and click Insert. Alternately, you can type the special text variable enclosed in curly braces directly. In addition to the substitutable special text fields available in the dropdown, you can also build your own substitutable fields for the principal and/or requester based on string values from the user or computer Active Directory record. See Table 10: Substitutable Special Text for Expiration Alerts. If desired, you can format the message body using HTML. For example, you could place certificate detail information into a table by replacing this text:

    DNClosed A distinguished name (DN) is the name that uniquely identifies an object in a directory. In the context of Keyfactor Command, this directory is generally Active Directory. A DN is made up of attribute=value pairs, separated by commas. Any of the attributes defined in the directory schema can be used to make up a DN.: {dn}
    CN: {cn}
    Thumbprint: {thumbprint}
    Serial Number: {serial}

    With this HTML code:

    <table>
    <tr><td>DN:</td><td>{dn}</td></tr>
    <tr><td>CN:</td><td>{cn}</td></tr>
    <tr><td>UPN:</td><td>{upn}</td></tr>
    <tr><td>Thumbprint:</td><td>{thumbprint}</td></tr>
    <tr><td>Serial Number:</td><td>{serial}</td></tr>
    </table>

    Figure 140: Create an Expiration Alert with Workflows Disabled

  9. If you toggled the Use Workflows option to disabled, you will see the Use handler box. If you would like the alert to trigger an event handler at processing time, select the appropriate handler in the dropdown, and click the Configure button to configure the event handler. See Adding Logging Handlers to Alerts for information on using event logging handlers, Adding Renewal Handlers to Expiration Alerts for information on using renewal handlers.

    Tip:  With workflows, the equivalent functionality to the handlers can be achieved using either Set Variable Data or Use Custom PowerShell steps. See the examples for Write to Windows Event Log with Expiration Workflow, Renewal and Email Notification on Approaching Certificate Expiration, and Update Additional Enrollment Field on Enrollment.

  10. If you toggled the Use Workflows option to disabled, you will see the Recipients section of the page. Click Add to add a recipient to the alert. Each alert can have multiple recipients. Recipients should be added one at a time. You can enter specific email addresses and/or use substitutable special text to replace an email address variable with actual email addresses at processing time. The built-in variable can be selected in the Recipient dialog Use a variable from the certificate dropdown. In addition, you can type a special text variable enclosed in curly braces in the Email field if you have, for example, a metadata field that contains an email address.

    Keyfactor Command sends SMS (text) messages by leveraging the email to text gateways that many major mobile carriers provide. Check with your carrier for specific instructions. Keyfactor has tested that AT&T can be addressed using 10-digit-number@txt.att.net (e.g. 4155551212@txt.att.net) and Verizon can be addressed using 10-digit-number@vtext.com (e.g. 2125551212@vtext.com). T-Mobile can be addressed using 10-digit-number@tmomail.net (e.g. 2065551212@tmomail.net), but functionality can be spotty. Reliability of alerting via this method depends on the reliability of the carrier’s gateways.

    Figure 141: Expiration Alerts Recipients

  11. Click Save to save your expiration alert.

    If you enabled the Use Workflow option and are saving an alert that does not have a matching workflow, you will receive a notification indicating that a workflow needs to be created to match the alert. When you click OK to the notification, you will be redirected to a workflow configuration page with a new workflow open and pre-populated with the Name, Type, and Expiration Alert (key) appropriate to the alert you have saved.

    Figure 142: Workflow Required for Alert Notice

    Figure 143: Workflow Pre-Populated for Expiration Alert

  12. In the Add/Edit Workflow Definition dialog on the Definition tab, enter a Description for your workflow.
  13. On the Workflow Configuration page, add a new step of type Send Email (see Adding, Copying or Modifying a Workflow Definition) with appropriate subject, message, and recipients for your expiration alert.
  14. If desired, add other steps to the workflow for other functionality such as event logging (see the example Write to Windows Event Log with Expiration Workflow) or certificate renewal (see the example Renewal and Email Notification on Approaching Certificate Expiration).

For alerts that use workflow, you can open the associated workflow for the alert using the Configure Workflow option.

  1. In the Management Portal, browse to Alerts > Expiration.
  2. On the Expiration Alerts page, highlight a row in the alerts grid and click Configure Workflow from the grid header or right-click menu.
  3. You will be redirected to the workflow workspace for the workflow associated with the selected alert. If a workflow does not exist for the selected alert, one will be created and pre-populated with the Name, Type, and Expiration Alert (key) of the selected alert. Edit the workflow as needed (see Adding, Copying or Modifying a Workflow Definition).
Note:  This option will not appear in the right-click menu and will be grayed out in the grid header for alerts that do not use workflow.

You may delete one expiration alert at a time.

  1. In the Management Portal, browse to Alerts > Expiration.
  2. On the Expiration Alerts page, highlight the row in the Expiration Alerts grid and click Delete at the top of the grid, or from the right click menu.
  3. On the Confirm Operation alert, click OK to confirm or Cancel to cancel the operation.

You may use the copy operation to create multiple similar alerts—for example, several alerts for the same certificate collection but with different warning timeframes.

  1. In the Management Portal, browse to Alerts > Expiration.
  2. On the Expiration Alerts page, highlight the row in the expiration alerts grid and click Copy at the top of the grid, or from the right click menu.
  3. The Certificate Expiration Alert Settings dialog will pop-up with the details from the selected alert. The display name field will have - Copy tagged to the end of it to indicate it is a new alert. You may modify the alert as needed and click Save to add the new alert, or Cancel to cancel the operation.

After adding your desired Certificate Expiration Alerts, you may configure an alert schedule. This schedule applies both to alerts run with workflow and alerts run with the legacy alerting system.

  1. In the Management Portal, browse to Alerts > Expiration.
  2. On the Expiration Alerts page, click the Configure button at the top of the Expiration Alerts page to configure a monitoring execution schedule. This will apply for all the expiration alerts. This type of alert is scheduled for Daily delivery at a specified time. Select Off to stop the alerts.
Example:  When alerts run, the legacy alerting system or workflow reports on all the certificates expiring within the next X days (e.g. 30 days) from the execution time that have not previously been reported on. This means that if the alerts run daily and have been running daily regularly for some time, only a single day of expiring certificates will be reported on by any given alert run.

For example, say you create a new alert that has never run before for collection A and set it to 30 days. You configure it to run daily at 5:00 am. The alert runs for the first time at 5:00 am on July 1st. All the certificates in collection A that will expire between July 1st at 12:00 am UTC and July 31 at 12:00 am UTC will be alerted on. The next day when the alert runs again at 5:00 am on July 2nd, the certificates in collection A expiring between July 31st at 12:00 am UTC and August 1st at 12:00 am UTC will be alerted on.

If alerts are missed for a period of time (due to an outage, for example), the next run of the alerts will check the previous successful run date for the alerts and report on certificates expiring X days from that outage window. For example, using the collection A alert referenced above, say an outage caused the alerts not to run on August 1 and August 2. On August 3, the alert would run again at 5:00 am, and the certificates in collection A expiring between August 30th at 12:00 am UTC and September 2nd at 12:00 am UTC would be alerted on.

Figure 144: Expiration Alert Schedule

Once the alerts are configured, you may run a test of all, or selected, alerts to see if they are configured correctly.

  1. In the Management Portal, browse to Alerts > Expiration.
  2. On the Expiration Alerts page, select an expiration alert in the grid and click Test from the top of the grid or the right-click menu.

  3. In the Expiration Alert Test dialog, select a Start Date and End Date for the test period. This would be the period however many days, weeks or months prior to when the certificate are reaching expiration is configured in your alert. For example, if your alert is configured to notify 1 week before expiration and you wanted to simulate an automated run of the alerts today, you would select a date range of yesterday through today and the results would be certificates expiring 1 week from today.

    Example:  Say you had experienced an outage and alerts that normally run daily at 5:00 pm did not run for two days. You wanted to test to see what to expect of the alerts once the system was up and running again. You are running your test on August 3rd for an alert that's configured to report at 30 days for collection A. The alert last ran on July 31. This means the alert has a Previous Evaluation Date of July 31. When running your test, set the Start Date to July 31st to match and set the End Date to the current date, August 2nd in this example, to simulate the results when the alerts are run today. The test results will include up to 100 certificates in collection A expiring between August 30th at 12:00 am UTC and September 1st at 12:00 am UTC.

  4. In the Expiration Alert Test: Select Targets dialog, select one or more certificates for testing. For alerts that do not use workflow, enable the Send Emails option if you would like to deliver email messages as part of the test. Alerts that do use workflow will generate workflow instances for each selected certificate.

    Note:  You may see fewer certificates than you have certificates expiring in the selected time window for the certificate collection if you enabled one of the options to ignore duplicate certificates on the certificate collection (see Saving Search Criteria as a Collection).
    Tip:  If no certificates appear in the grid for testing, this indicates no certificates were found matching the criteria of the alert and test period selected for testing.
  5. Click the Start Tests button to begin generating alerts. Depending on the number of users to process, this may take a few seconds.

  6. In the Expiration Alert Test: Results dialog, you can review the generated expiration alerts to confirm that the substitutable special text is being replaced as expected and the recipients are as expected. Scroll the First, Previous, Next and Last buttons at the bottom of the dialog. The number of alerts generated will display between the navigation buttons.

    Note:  The display results will vary depending on whether the alert uses workflow to deliver the alerts or the legacy alerting system.
Tip:  Alerts are generated when a certificate has expired or is approaching expiration as defined by the timeframe configured in the alert. If the expiration date is between previous evaluation date + timeframe and current evaluation date + timeframe as configured in the alert definition.

Figure 145: Expiration Alert Timeframe

Tip:  If you're using an event handler with the legacy alert system, the event handler is run and the handler actions taken (PowerShell script run, event log message written, certificates renewed) when the test is run. This is true whether or not you click the Send Emails toggle.
Note:  HTML does not render in the alert viewer.

Figure 146: Expiration Alert Test Results With and Without Workflow

Refer to the following table for a complete list of the substitutable special text that can be used to customize alert messages.

Table 10: Substitutable Special Text for Expiration Alerts

Variable

 Name

Description

{certemail}

Email Address in Certificate

Email address contained in the certificate, if present

{cn}

Common Name

Common name contained in the certificate

{dn}

Distinguished Name

Distinguished name contained in the certificate

{certnotbefore}

Issue Date

Validity date of the certificate

{certnotafter}

Expiration Date

Expiration date of the certificate

{issuerDN}

Issuer DN

Distinguished name of the certificate’s issuer

{locations:certstore}

Certificate Store Locations

The server and path location to the certificate store(s) where the certificate resides, if any, for certificates found in certificate stores (e.g. server1.keyexample.com – /opt/test/mystore.jks)

{requester}

Requester

The user account that requested the certificate from the CA, in the form DOMAIN\username

{careqid}

Issuing CA / Request ID

A string containing the Issuing CA name and the certificate’s Request ID from the CA

{serial}

Serial Number

The serial number of the certificate

{locations:ssl}

SSL Locations

The server location(s) where the certificate resides, if any, for certificates synchronized using SSL synchronization

{san}

Subject Alternative Name

Subject alternative name(s) contained in the certificate

{template}

Template Name

Name of the certificate template used to create the certificate

{templateshortname}

Template Short Name

Short name (often the name with no spaces) of the certificate template used to create the certificate

{thumbprint}

Thumbprint

The thumbprint (hash) of the certificate

{metadata: Email-Contact}

Email-Contact

Example of a custom metadata field