Configuring a Certificate Expiry Alert

Prerequisites:

Before configuring certificate expiry alerts over emails, ensure that permissions to create and modify the expiry alerts are assigned to the required role(s). To do this, follow the instructions given here and enable Expiry Alerts under Authorized Functions > KUBE+.

To configure a certificate expiry alert:

  1. Go to Menu > KUBE+ > ALERTS & LOGS > Expiry Alerts.
    The expiry alerts inventory is displayed.
  2. To create a new email expiry alert, click + Create.
    The ExpiryAlert > Expiry Alert Add page is displayed.
    Note: This page has a list of best practices you are advised to follow when creating a new expiry alert.
  3. For the new alert, enter a unique Alert Name (mandatory) and a description (optional) with additional details about the alert.
  4. In the Alert Configuration section, click + Add.
    The Add Configuration pane is displayed.
  5. Select the Filter By for which you want to configure the expiry alert.
    1. Cluster
    2. End Certificate
    3. CA Certificate
  6. For clusters, enter/select the Filter Configuration details.
    Table 1. Filter Configuration Section - Field and Description Table
    Field Description
    Cluster Name*
    Note: This field is displayed only when Filter By = Cluster or CA Certificate.
    Select the clusters from the drop-down list for which you want to configure alerts.
    Namespace*
    Note: This field is displayed only when Filter By = Cluster or CA Certificate.
    Select the corresponding namespace of the selected clusters from the drop-down list for which you want to configure alerts.
    Common Name*
    Note: This field is displayed only when Filter By = CA Certificate.
    Select the common name of the CA certificate.
    Certificate Expiry Period*
    To filter clusters based on their expiry:
    • Range in days: Select this option to send an expiry alert email for clusters that will expire in the range of number days specified. For example, to set an alert for clusters that will expire between 10 to 40 days from today, enter 10 in the field before to and enter 40 in the field after to.
    • On specified days: Select this option to send an expiry alert email for clusters that will expire after x number of days from today. For example, to send an alert for clusters expiring on the 50th day days from today, enter 50.
    • Range in dates: Select this option to send an expiry alert for all clusters expiring in a specific duration. Use the calendar widget to select the Start date and End date of this duration.
    Additional Filters
    Note: This field is not displayed when Filter By = CA Certificate.
    To add a filter in addition to the cluster expiry period:
    1. Select the required filter from the Select option dropdown list.
    2. Enter/select the corresponding value in the Type to enter value field.
    3. Click Add.
    4. The selected filter option and its value are displayed.
    Notification Method*
    Note: This field is not displayed when Filter By = CA Certificate.
    To send an expiry alert over email or Slack message, select either Email or Slack.
    Notification Format*
    Note: This field is displayed only when Notification Method = Email. (Instead of emails for individual clusters, you will now receive a notification with a bulk of certificates in your chosen format.)
    Select the notification format to be sent via email, either as an attachment or in the email body using the table format.
    • Attachment: A CSV file with details of all clusters due to expire will be attached to the alert email.
    • Email Body: A table with details of all clusters due to expire will be included in the body of the alert email.
    Ignore renewed certificate When this field is enabled, results returned after the alert is triggered will not include clusters that have already been renewed, even though they match the filter criteria.
    * - Mandatory
  7. Enter/select the Email Configuration details.
    Table 2. Email Configuration Section - Field and Description Table
    Field Description
    To*
    Recipient(s) Enter the recipient(s) email address. You can enter a maximum of 20 email addresses, separated by a comma.
    Certificate Parameter(s)
    To add more recipients for the alert email, you can retrieve email addresses from the following certificate parameters:
    • Subject Email
    • SAN (rfc822)
    • Certificate Group

    From the dropdown list, select the required parameter(s).
    Certificate Attribute(s) To add more recipients for the alert email, you can retrieve email addresses from any certificate attribute that has the email ID as its value, for example, Cert Owner. From the dropdown list, select the certificate attribute.
    CC
    Recipient(s)* Enter the email address of stakeholders who are to receive a copy of the expiry alert email.
    Email Subject
    Subject* Enter the subject line for the expiry alert email.
    Email Body
    Body* Enter the body text for the email using the following (recommended) format: The list of placeholder that can be used in the Subject <list and it’s value>

    Certificate with Common Name |Common Name|

    Serial number |Serial Number|

    issued by |Issuer Common Name|

    is about to expire on |Valid Until|

    Note: The full list of placeholders and their corresponding values is given here.
    Certificate Parameters For Email Body* Select the certificate parameters from the drop-down menu that you want to include in the alert notification, either in the attachment or in the email body as a table. The following parameters are mandatory to be selected for the alert notification:
    • Common Name
    • Serial Number
    • Valid From
    • Valid Until
    • Leaf Count
    Certificate Attributes For Email Body* Select the user defined certificate attributes from the drop-down menu that you want to include in the alert notification, either in the attachment or in the email body as a table.
    * - Mandatory
  8. Click Add.
    The created alert is listed under the Expiry Alert page.
    Tip: To edit/delete an alert, use the Edit/Delete button, as required. You can add more alert configuration for the alert.
  9. Under Alert Execution Type:
    Note: The settings configured here will be applicable to all expiry alerts listed in the above table.
    1. To trigger the alert immediately, select Run Now and click Save.
      OR
    2. To trigger the alert at a scheduled time, select Schedule and enter/select the following details:
      • Time Zone*
      • Frequency (daily/weekly/monthly/yearly)
      • Starts On*
      • Ends
        • For ends ON, use the calendar widget to select the date on which the last expiry alert email will be sent.
        • For ends After, enter the number of Occurrences after which the expiry alert will be discontinued.
  10. Click Save.
    The alert notification trigger based on the selected notification alert and format.
    Note: For CA Certificates, the notification alert will include additional columns for Cluster Name, Namespace, and Leaf Count. These columns provide a clearer understanding of the certificates issued and their associated expiry details, making it easier to track and manage certificate statuses across clusters.