End-users not getting certificate expiry notification emails
Originally Published: 2011-01-12
Article Number
Applies To
Issue
RSA Certificate Manager's automatic certificate expiry notification feature is configured and enabled in the jurisdiction.
When an administrator email address is manually added to the notifications via the jurisdiction's Automatic Notification section, the administrator receives the expiry notification but the end-user does not get an email.
RSA Secure Logging Server logs the following entries for the expiry notification:
<LOG_ENTRY>
<LOG_NUMBER>xslog_20101118.xml:609</LOG_NUMBER>
<LOG_SOURCE><![CDATA[RSA CM 6.8 (Secure Directory)]]></LOG_SOURCE>
<EVENT_CONDITION><![CDATA[COMPLETION]]></EVENT_CONDITION>
<LOG_DATA><![CDATA[Failed to process notification entry for a certificate because the end-entity recipient list is empty.]]></LOG_DATA>
<DATE>12/09/2010</DATE>
<TIME>08:29:34</TIME>
<ID>2cf1e65ec9d2ba69b602b562bd99c5d4</ID>
<IP_ADDR>127.0.0.1</IP_ADDR>
</LOG_ENTRY>
<LOG_ENTRY>
<LOG_NUMBER>xslog_20101118.xml:610</LOG_NUMBER>
<LOG_SOURCE><![CDATA[RSA CM 6.8 (Secure Directory)]]></LOG_SOURCE>
<EVENT_CONDITION><![CDATA[COMPLETION]]></EVENT_CONDITION>
<LOG_DATA><![CDATA[Certificate expiry notification was sent to admin@rcm.acme.net subject: Certificate Expiry Notification, body: Your certificate will expire in 1 day. Administrator will contact you to get your certificates reissued., jurisdiction id: 1234abcd1234abcd1234abcd1234abcd1234abcd, certificate cn: John Doe]]></LOG_DATA>
<DATE>12/09/2010</DATE>
<TIME>08:29:34</TIME>
<ID>2cf1e65ec9d2ba69b602b562bd99c5d4</ID>
<IP_ADDR>127.0.0.1</IP_ADDR>
</LOG_ENTRY>
End-user certificates contain the email address only in the Subject Alternative Name (SAN) extension; the email address is not part of the certificate's subject DN and is also not saved in the certificate object in the RSA Certificate Manager database as additional information (non-DN attribute).
Cause
Resolution
1. For existing certificates that do not already contain email addresses in the certificates or certificate objects, an RCM-API application can be written to extract email addresses from the SAN extension of the certificates and then populate the EMAIL attribute of the corresponding certificate objects in the database.
2. For new certificates going forward, configure EMAIL in the Certificate Attributes section of the jurisdiction and enable the flag to include it in the SAN extension. Then either vettors can provide the email address before issuing a certificate, or end-users can provide their email addresses while submitting a certificate request. This way all future certificates will have the EMAIL attribute filled in so that expiry notifications work.
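The extraction half of step 1, as an added example using only the Go standard library; it is not RSA's RCM-API and not code from this article. The names `SANOnlyEmails` and `makeCert` and the sample certificate are constructed for illustration, and writing the value into the EMAIL attribute of the certificate object still has to be done through the RCM-API.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidEmail = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1} // PKCS#9 emailAddress (subject DN)

// SANOnlyEmails returns SAN rfc822Name values only when the subject DN carries no emailAddress.
func SANOnlyEmails(der []byte) ([]string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	for _, atv := range cert.Subject.Names {
		if atv.Type.Equal(oidEmail) {
			return nil, nil // DN already has an email; nothing to backfill
		}
	}
	return cert.EmailAddresses, nil
}

// makeCert builds a constructed self-signed sample certificate (hypothetical test helper).
func makeCert(cn, dnEmail string, san []string) []byte {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	subj := pkix.Name{CommonName: cn}
	if dnEmail != "" {
		subj.ExtraNames = []pkix.AttributeTypeAndValue{{Type: oidEmail, Value: dnEmail}}
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: subj, EmailAddresses: san, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	fmt.Println(SANOnlyEmails(makeCert("John Doe", "", []string{"john.doe@acme.example"})))
}
```

A non-empty result marks a certificate whose only email address is in the SAN extension, which is the population step 1 needs to backfill.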