Configure certificate expiration monitoring
When a certificate expires, the system can no longer use it, and the SSL connections that depend on it fail. WebSphere Application Server provides a utility that monitors certificates that are close to expiration or have already expired. We can schedule certificate monitoring or request it on demand, and we can configure whether expired certificates are deleted and whether expiring certificates are recreated.
Important: The Certificate Expiration Monitor does not replace client self-signed certificates, and it cannot send a client the new signer certificate that the client needs in order to trust the replacement. If the client is a web server plug-in, it cannot communicate securely with the application server after a self-signed certificate is replaced until you add the new signer to the plug-in keystore yourself. WebSphere Application Server notifies you when a certificate is about to expire; complete the information that notification messaging requires in Notifications.
Complete the following configuration steps in the console:
- Click Security > SSL certificate and key management > Manage certificate expiration.
- Type the number of days in the Expiration notification threshold field. WebSphere Application Server issues an expiration warning that many days before a certificate expires.
- Select or clear one or more of the following options:
- Expiration check notification. Select from the list the method by which to receive the notification.
- Automatically replace expiring self-signed certificates. If we do not want the self-signed certificate recreated, clear the check box. (z/OS) When writable System Authorization Facility (SAF) keyrings are configured, the certificate expiration monitor does not replace expired certificates in the writable SAF keyrings; it only sends a notification of the expiration.
- Delete expiring certificates and signers after replacement. If we do not want the expiring certificates and their signers deleted after they are replaced, clear the check box.
- Enable checking. If we do not want certificate monitoring enabled, clear the check box.
- Enter the time of day at which the certificate expiration monitor is to run.
- Select one of the following options:
- Check by calendar. For Weekday, select the day of the week on which the certificate expiration monitor runs. For Repeat Interval, specify how often it runs.
- Check by number of days. Enter how often the monitor runs, as a number of days.
- Type the number of days before the threshold date at which the monitor warns that a certificate is about to be replaced. When a certificate comes within the expiration threshold and automatic replacement is enabled, the monitor replaces it; this earlier warning gives you notice of the upcoming replacement date.
- Click Apply.
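The same configuration can be scripted with wsadmin instead of the console, which is how it is usually applied consistently across cells. The script below is an added example written for this page; it is not IBM's code and not taken from the product documentation. It assumes the AdminTask commands and parameters of the WSCertExpMonitorCommands, WSNotificationCommands and WSScheduleCommands groups as the editor recalls them (modifyWSCertExpMonitor, createWSNotification, modifyWSSchedule, getWSCertExpMonitor, startCertificateExpMonitor), the default object names "Certificate Expiration Monitor" and "Expiration Monitor Schedule", and placeholder notification and e-mail names; confirm every parameter against AdminTask.help on your own version before running it.

```jython
# Added example (editor's own, not IBM's): script the console procedure above.
# Run with:  wsadmin.sh -lang jython -f cert_expiration_monitor.py
#
# ASSUMPTIONS: command and parameter names below are recalled from the
# WSCertExpMonitorCommands / WSNotificationCommands / WSScheduleCommands
# groups; verify them first with
#     print AdminTask.help('WSCertExpMonitorCommands')
#     print AdminTask.help('modifyWSSchedule')
# MONITOR_NAME and SCHEDULE_NAME are the defaults in a fresh cell;
# NOTIFICATION_NAME and EMAIL_LIST are hypothetical placeholders.

MONITOR_NAME      = 'Certificate Expiration Monitor'
SCHEDULE_NAME     = 'Expiration Monitor Schedule'
NOTIFICATION_NAME = 'CertExpiryMail'          # hypothetical
EMAIL_LIST        = 'pki-ops@example.com'     # hypothetical

THRESHOLD_DAYS = 60   # "Expiration notification threshold": warn 60 days out

# Per the Important note above, the monitor cannot push a new signer to a
# web server plug-in. Leave auto replacement off where a plug-in terminates
# SSL to this server and rotate those certificates by hand; otherwise on.
PLUGIN_TERMINATES_SSL = 1
AUTO_REPLACE = PLUGIN_TERMINATES_SSL and 'false' or 'true'

def q(s):
    # wsadmin parameter strings with spaces must be double-quoted
    return '"' + s + '"'

# 1. Notification: write to SystemOut and mail the PKI team.
#    AdminConfig.list returns a newline-separated string of config IDs, so a
#    substring search is enough to tell whether the object already exists.
if AdminConfig.list('WSNotification').find(NOTIFICATION_NAME) < 0:
    AdminTask.createWSNotification(
        '-name %s -logToSystemOut true -sendEmail true -emailList %s'
        % (q(NOTIFICATION_NAME), EMAIL_LIST))

# 2. Schedule: "check by calendar", every 7 days on Sunday at 02:15.
#    dayOfWeek follows java.util.Calendar (1 = Sunday).
#    For "check by number of days" omit -dayOfWeek and set -frequency alone.
AdminTask.modifyWSSchedule(
    '-name %s -frequency 7 -dayOfWeek 1 -hour 2 -minute 15'
    % q(SCHEDULE_NAME))

# 3. The monitor itself: threshold, replace/delete policy, and enablement.
#    -deleteOld false keeps replaced certificates and signers for rollback
#    and audit until the rotation has been confirmed on every client.
AdminTask.modifyWSCertExpMonitor(
    '-name %s -autoReplace %s -deleteOld false -daysBeforeNotification %d '
    '-wsNotificationName %s -wsScheduleName %s -isEnabled true'
    % (q(MONITOR_NAME), AUTO_REPLACE, THRESHOLD_DAYS,
       q(NOTIFICATION_NAME), q(SCHEDULE_NAME)))

# 4. Read the object back, then persist the change to the master repository.
print AdminTask.getWSCertExpMonitor('-name %s' % q(MONITOR_NAME))
AdminConfig.save()

# 5. Optional: run the monitor now instead of waiting for the schedule.
#    Expect a notification for every certificate inside THRESHOLD_DAYS.
AdminTask.startCertificateExpMonitor()
```

In a network deployment cell, follow the save with a node synchronization so the monitor settings reach every node, and check the delivered notification (SystemOut or the e-mail) after the on-demand run to confirm that the threshold and the chosen delivery method behave as expected before relying on the schedule.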
Results
After completing the settings, a certificate expiration monitor object and a schedule are set up in the configuration. The certificate expiration monitor runs according to the schedule and options you configured.
What to do next
We can generate reports that state which certificates have expired. The reports identify the notifications of certificate replacements and deletions. The report is sent according to the notification option that you specified.
Subtopics
- Manage certificate expiration settings
Use this page to configure the certificate expiration monitor.
- Notifications
Use this page to specify the generic notification definitions used in certificate expiration monitors.
- Notifications settings
Use this page to set properties for new notifications used in certificate expiration monitors or for security audit subsystem failures.
Related concepts
Certificate management in SSL
Related tasks
(zos) Enable writable SAF keyrings