
Set up certificate expiration notifications

Introduction

Staying aware of expiring certificates is critical to protect machine identities and reduce the likelihood of certificate-related outages. TLS Protect Cloud can send certificate expiration notifications to keep you aware of what certificates are approaching expiration.

All certificate expiration notifications rely on the certificate monitoring service, regardless of the delivery channel. Any changes to this configuration apply to all delivery channels.

Configuring and enabling the service is the first step in setting up certificate expiration notifications. Once it's set up, you can use the Notification Center to configure email notifications or use our API to configure webhook notifications.

Step 1: Enable and configure the certificate monitoring service

The first step in setting up certificate expiration notifications is to configure and enable the certificate monitoring service.

  1. Sign in to Venafi Control Plane.
  2. Click Policies > Certificate Lifecycle.

  3. Click Certificate Expiration Notification Policy.

    Monitoring already configured?

    If your organization previously configured the certificate monitoring service, make sure your policy settings include all three notification thresholds.

    If your existing policy configuration monitors only specific applications and you already have a notification configured, make sure any new notifications you create match those same criteria; otherwise you might stop receiving expected notifications.

    Ideally, you should monitor all applications in the policy, and use filters on the notifications to remove any unneeded applications.

    Next, you can proceed to set up email notifications or webhooks.

  4. Set the Certificate Inventory Monitoring settings according to the following guidelines.

    Important

    The settings in this section apply to all monitored applications regardless of the notification method.

    Field: Certificate Inventory Monitoring
    Turn on Certificate Inventory Monitoring. When this setting is off, TLS Protect Cloud doesn't send any notifications.

    Field: Certificate expiration thresholds
    TLS Protect Cloud provides three notification rule thresholds. Each threshold specifies the number of days before a certificate expires that a notification is sent. You must configure all three thresholds.

    For each threshold, specify how many days in advance of a certificate's expiration TLS Protect Cloud should send the notification.

    Each day at a set time, the system checks the certificate inventory. If a certificate's expiration date matches a threshold and a notification hasn't already been sent for that threshold, the system sends a notification.

    Field: Applications to monitor
    Ideally, you will monitor all applications. You can, however, monitor only specific applications by selecting them from the drop-down menu.

    Important

    • Notifications aren't sent for applications that aren't monitored. If you plan to enable email or webhook notifications for specific applications, be sure to monitor those applications.

    • Only select specific applications when sending on-demand notifications for those applications. Because of the possible downstream effects on webhook and email notifications, in most scenarios you should use the default setting of monitoring all applications.

    Field: Monitor certificates that aren't assigned to any application
    Select this checkbox to receive notifications for expiring certificates that aren't assigned to an application. Unless you have a specific business need not to, you should select this option.
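The daily inventory check described above (three thresholds, one notification per certificate per threshold, and the two scoping settings for monitored applications and unassigned certificates) can be modelled in a few lines. The following is an added example, not Venafi's code or the TLS Protect Cloud service itself; the certificate names, application names and dates are constructed, and the exact-match semantics ("expiration date matches a threshold") follow the page's wording. It also shows the edge case the thresholds create: a certificate that enters the inventory already inside a threshold window gets no notification for that threshold.

```python
"""Added example (not Venafi's code): a model of the daily certificate-inventory
check described by the Certificate Expiration Notification Policy settings.
All certificates, application names and dates are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Certificate:
    name: str
    not_after: date
    application: Optional[str]  # None models a certificate assigned to no application


@dataclass
class MonitoringPolicy:
    enabled: bool                                 # "Certificate Inventory Monitoring" toggle
    thresholds: Tuple[int, int, int]              # days before expiry; all three are required
    monitored_applications: Optional[Set[str]]    # None means "monitor all applications"
    monitor_unassigned: bool                      # the "not assigned to any application" checkbox


@dataclass
class InventoryCheck:
    # (certificate name, threshold) pairs already notified, so each threshold
    # fires at most once per certificate even if the check runs again.
    sent: Set[Tuple[str, int]] = field(default_factory=set)

    def run(self, policy: MonitoringPolicy, certs: List[Certificate],
            today: date) -> List[Tuple[str, int]]:
        """Return the (certificate, threshold) notifications a run on `today` sends."""
        if not policy.enabled:
            return []
        if len(policy.thresholds) != 3:
            raise ValueError("all three notification thresholds must be configured")
        events: List[Tuple[str, int]] = []
        for cert in certs:
            # Scoping: unmonitored applications and (optionally) unassigned certs are skipped.
            if cert.application is None:
                if not policy.monitor_unassigned:
                    continue
            elif (policy.monitored_applications is not None
                  and cert.application not in policy.monitored_applications):
                continue
            days_left = (cert.not_after - today).days
            for threshold in policy.thresholds:
                key = (cert.name, threshold)
                if days_left == threshold and key not in self.sent:
                    self.sent.add(key)
                    events.append(key)
        return events


def sample_inventory(today: date) -> List[Certificate]:
    """Constructed inventory: one certificate per interesting case."""
    return [
        Certificate("web-prod", today + timedelta(days=30), "storefront"),
        Certificate("api-prod", today + timedelta(days=7), "payments"),
        Certificate("orphan", today + timedelta(days=14), None),
        # Already inside the 14-day window when discovered: only the 7-day threshold will fire.
        Certificate("legacy", today + timedelta(days=10), "storefront"),
    ]


def run_scenarios() -> Dict[str, List[Tuple[str, int]]]:
    today = date(2024, 6, 1)  # constructed date
    certs = sample_inventory(today)
    everything = MonitoringPolicy(True, (30, 14, 7), None, True)
    check = InventoryCheck()
    day1 = check.run(everything, certs, today)
    same_day = check.run(everything, certs, today)                  # Send Now on the same day: nothing new
    day4 = check.run(everything, certs, today + timedelta(days=3))  # "legacy" reaches the 7-day threshold
    # Narrowed policy: only "payments", and unassigned certificates not monitored.
    narrowed = MonitoringPolicy(True, (30, 14, 7), {"payments"}, False)
    narrow = InventoryCheck().run(narrowed, certs, today)
    return {"day1": day1, "same_day": same_day, "day4": day4, "narrow": narrow}


if __name__ == "__main__":
    for label, events in run_scenarios().items():
        print(label, events)
```

Running the scenarios shows why the page recommends monitoring all applications and keeping the unassigned-certificate checkbox on: the narrowed policy silently drops the "orphan" and "storefront" notifications, and nothing in the output distinguishes "not expiring" from "not monitored".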

Once you've turned on and configured certificate monitoring, the next step is turning on and configuring email notifications, as outlined below. If you are continuing directly from this section, you can skip the first two navigation steps under Setting up traditional email notifications.

Step 2: Enable notification channels

With the certificate monitoring service configured, you're ready to set up notification channels.

TLS Protect Cloud currently offers several ways to receive certificate expiration notifications:

Email notifications

You can choose between two types of email notifications:

  • Notification Center (recommended): Use Notification Center to create notifications based on specific filter criteria from the certificate monitoring service. This option provides the most flexibility to help ensure you receive only the notifications you need. See Creating new notifications for steps.

  • Traditional email notifications: This option sends an email for every certificate that matches the criteria defined in the certificate monitoring service. See Setting up traditional email notifications below.

Webhook notifications

Webhook notifications let you send certificate expiration notifications to tools such as Slack or Microsoft Teams. Setting up these channels requires using our API. For instructions, see the webhook guide on Dev Central.

Setting up traditional email notifications

To set up traditional email notifications, follow these steps:

  1. Click Policies > Certificate Lifecycle.

  2. Click Certificate Expiration Notification Policy.

  3. Set the Email notifications settings according to the following guidelines:

    Field: Email notifications
    Slide to enable or disable email notifications.

    Field: Notification recipients
    Click the drop-down to select Application Owner, All PKI Admins, All Admins, or any combination of those personas.

    Optionally, select the "If there are no applicable recipients for the certificate, then send the email to the PKI admin" checkbox to ensure that a notification is sent even if no recipient matches the criteria.

    Note

    Selecting PKI Admins sends an email for all certificate expiration events to all PKI Admins.

    Selecting Application Owner sends an email only to those defined as owners of the Application associated with the certificate.

    Field: Additional recipients
    Select any additional TLS Protect Cloud users or teams that should receive the notification email.

    Field: Include certificate details
    Select this checkbox to include the details of the expiring certificate in the email notification.
  4. Click Save.

  5. (Optional) Click Send Now to trigger an immediate inventory check, which sends any new notifications since the last inventory run.
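The recipient settings above interact in a way that is easy to get wrong: a certificate whose application has no recorded owner, or that is assigned to no application, produces an empty recipient list when only the Application Owner persona is selected, and the notification goes nowhere unless the PKI-admin fallback checkbox is on. The following added example (not Venafi's code) models that resolution; the persona names are the ones on this page, while the directory of owners and admins and the email addresses are constructed, and the assumption that the fallback considers only persona matches (not Additional recipients) is the example's own.

```python
"""Added example (not Venafi's code): resolving email recipients for one
expiring certificate from the traditional email notification settings.
Persona names follow the page; the directory below is constructed."""
from typing import Dict, FrozenSet, List, Optional, Set

# Constructed directory: application owners and admin role membership.
APPLICATION_OWNERS: Dict[str, Set[str]] = {
    "storefront": {"alice@example.com"},
    "payments": set(),          # application exists but nobody is recorded as its owner
}
PKI_ADMINS: Set[str] = {"pki-admin@example.com"}
ALL_ADMINS: Set[str] = {"pki-admin@example.com", "sysadmin@example.com"}


def resolve_recipients(application: Optional[str],
                       personas: Set[str],
                       fallback_to_pki_admin: bool,
                       additional: FrozenSet[str] = frozenset()) -> Set[str]:
    """Return the email recipients for a certificate's expiration notification.

    `personas` is any subset of {"Application Owner", "All PKI Admins", "All Admins"};
    `fallback_to_pki_admin` models the "if there are no applicable recipients ...
    send the email to the PKI admin" checkbox (assumed to look only at persona matches).
    """
    recipients: Set[str] = set()
    if "Application Owner" in personas and application is not None:
        recipients |= APPLICATION_OWNERS.get(application, set())
    if "All PKI Admins" in personas:
        recipients |= PKI_ADMINS
    if "All Admins" in personas:
        recipients |= ALL_ADMINS
    if not recipients and fallback_to_pki_admin:
        recipients |= PKI_ADMINS
    return recipients | set(additional)


def silent_certificates(cert_applications: Dict[str, Optional[str]],
                        personas: Set[str],
                        fallback_to_pki_admin: bool) -> List[str]:
    """Names of certificates whose expiration notification would reach nobody.

    A practical pre-flight check before relying on a persona-only configuration.
    """
    return sorted(name for name, app in cert_applications.items()
                  if not resolve_recipients(app, personas, fallback_to_pki_admin))


if __name__ == "__main__":
    inventory = {"web-prod": "storefront", "api-prod": "payments", "orphan": None}  # constructed
    print("owner only, no fallback:", silent_certificates(inventory, {"Application Owner"}, False))
    print("owner only, with fallback:", silent_certificates(inventory, {"Application Owner"}, True))
```

With only Application Owner selected and the fallback off, both the ownerless "payments" certificate and the unassigned "orphan" certificate would expire without anyone being emailed; turning the fallback on (or adding All PKI Admins) closes that gap, which is why the page recommends the checkbox.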

Send notifications now

After you enable the expiration service and you configure either email or webhook notifications, TLS Protect Cloud automatically reviews the certificate inventory once daily and sends new notifications. To trigger the review immediately, and send any new notifications based on your new configuration settings, click Send Now.

Before you send email notifications, ensure your notifications are correctly configured in the Notification Center. If your Notification Center settings aren't configured, TLS Protect Cloud can't send them.