Skip to content

Set up certificate expiration notifications


Staying aware of expiring certificates is critical to protect machine identities and reduce the likelihood of certificate-related outages. TLS Protect Cloud can send certificate expiration notifications to keep you aware of what certificates are approaching expiration.

You'll start by configuring and enabling the certificate monitoring service. Once that is done, you can set up expiration notifications to be sent via email, through custom webhooks (for services like Slack), or both.

Configuring using UI or API

The steps below walk you through how to set up the certificate monitoring service in the TLS Protect Cloud UI, and then how to set up email notifications.

For information on setting up the certificate monitoring service via API and creating webhooks, see our guide on Dev Central.

Step 1: Enable and configure certificate monitoring

The first step in setting up certificate expiration notifications is to configure and enable the certificate monitoring service.

  1. Sign in to Venafi Control Plane.
  2. Click Policies > Certificate Lifecycle.
  3. Click Certificate Expiration Notification Policy.

    Monitoring already configured?

    If your organization previously configured the certificate monitoring service via the API, that configuration will be shown in the UI. If no changes are needed, you can proceed to set up email notifications or webhooks.

  4. Set the Certificate Expiration Monitoring settings according to the following guidelines.


    The settings in this section apply to all monitored applications regardless of whether the notifications will be sent via webhooks or emails.

    Field Description
    Certificate Expiration Monitoring Slide to enable or disable certificate expiration monitoring. This must be enabled in order for notifications to be sent.
    Certificate expiration thresholds

    Set the number of days before a certificate's expiration date that notifications should be sent. You can set one to three values.

    A notification will be generated for a certificate if its expiration is between any of the thresholds and the notification for that threshold has not yet been sent for that certificate.


    Only one notification is sent for each certificate, per threshold.

    Applications to monitor

    Select whether you want to monitor all applications or specific applications. If you're monitoring specific applications, then select those applications from the drop-down menu.


    • If you enable webhook notifications for specific applications, those applications must be monitored. Notifications aren't sent for applications that aren't monitored.

    • Selecting specific applications is suggested only when sending on-demand notifications for those applications. Because of the possible downstream effects on webhooks, we strongly recommend the default setting for monitoring all applications.

    Monitor certificates that are not assigned to any application Select this checkbox to receive notifications for expiring certificates that aren't assigned to an application.
  5. Click Save.

Now that expiration monitoring is enabled, you can enable expiration notifications by following the directions in the next step.

Step 2: Enable notifications

With certificate monitoring enabled and configured, you can now configure expiration notifications. These notifications can be sent through email, custom webhooks, or both.

For information on setting up custom webhooks, see our guide in Dev Central. To set up email notifications, follow these steps:

  1. Click Inventory > Certificates.
  2. Click Certificate Expiration Notification Policy.
  3. Set the Enable email notifications settings according to the following guidelines:

    Field Description
    Enable email notifications Slide to enable or disable email notifications.
    Notification recipients

    Click the drop-down to select either Application Owner, All PKI Admins, All Admins, or any combination of those personas.

    Optionally, you can select if there are no applicable recipients for the certificate, then send the email to the PKI admin checkbox to ensure that a notification is sent even if no recipient matches the criteria.


    Selecting PKI Admins sends an email for all certificate expirations to all PKI Admins.

    Selecting Application Owner sends an email only to those who are defined as owners of the Application that the certificate is associated to.

    Additional recipients Select any additional TLS Protect Cloud users or teams that should receive the notification email.
    Include certificate details Select this checkbox to include the details of the expiring certificate in the email notification.
  4. Click Save.

  5. (Optional) Click Send Now to check that notifications are sent.

Send notifications now

After the expiration service is enabled and either email or webhook notifications are configured, notifications will be sent once per day on a set schedule. You can also send notifications on-demand by clicking the Send Now button.