#1985 [RFE] Email notify Admin prior to CA certificate expiration
Closed: duplicate 5 years ago Opened 12 years ago by admiyo.

If the CA certificate is signed by an external CA, certmonger might not be able to automatically update it. In fact, this is likely to require a financial transaction. The CA should send an email to a preconfigured account prior to expiration. If the CA cert expires, it will be very painful for an IPA-based system, as all of the client machines' certificates will be invalid. They need to be notified of the new CA cert early enough to avoid triggering invalidation, and to keep their certificates valid for the currently stated lifespan.


It would be great if dogtag would provide this capability natively.

If not I think we'll need to do this as a cron job. How we handle upgrades with this is also something that will require some thought.

IPA does not currently configure an MTA so it is unclear who this e-mail would be delivered to.

This should be handled as a part of the larger effort of IPA subsystem certificate renewal. That work is covered by the following ticket:

https://fedorahosted.org/freeipa/ticket/2803

Closing this as a duplicate.

This is not a dup. Reopening. This is for the case when we are dealing with the external cert that we can't renew. We can only warn about it.

Bumping priority. There was another request (Bug 974476) for this feature.

Metadata Update from @admiyo:
- Issue assigned to rcritten
- Issue set to the milestone: Ticket Backlog

7 years ago

Notification will be handled as part of the Healthcheck tool, https://pagure.io/freeipa/issue/7391

Closing as duplicate.

Metadata Update from @rcritten:
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)

5 years ago
