End-users not getting certificate expiry notification emails
Originally Published: 2011-01-12
Article Number
Applies To
Issue
RSA Certificate Manager's automatic certificate expiry notification feature is configured and enabled in the jurisdiction.
When an administrator email address is manually added to the notifications via the jurisdiction's Automatic Notification section, the administrator receives the expiry notification but the end-user does not get an email.
RSA Secure Logging Server logs the following entries for the expiry notification:
<LOG_ENTRY>
<LOG_NUMBER>xslog_20101118.xml:609</LOG_NUMBER>
<LOG_SOURCE><![CDATA[RSA CM 6.8 (Secure Directory)]]></LOG_SOURCE>
<EVENT_CONDITION><![CDATA[COMPLETION]]></EVENT_CONDITION>
<LOG_DATA><![CDATA[Failed to process notification entry for a certificate because the end-entity recipient list is empty.]]></LOG_DATA>
<DATE>12/09/2010</DATE>
<TIME>08:29:34</TIME>
<ID>2cf1e65ec9d2ba69b602b562bd99c5d4</ID>
<IP_ADDR>127.0.0.1</IP_ADDR>
</LOG_ENTRY>
<LOG_ENTRY>
<LOG_NUMBER>xslog_20101118.xml:610</LOG_NUMBER>
<LOG_SOURCE><![CDATA[RSA CM 6.8 (Secure Directory)]]></LOG_SOURCE>
<EVENT_CONDITION><![CDATA[COMPLETION]]></EVENT_CONDITION>
<LOG_DATA><![CDATA[Certificate expiry notification was sent to admin@rcm.acme.net subject: Certificate Expiry Notification, body: Your certificate will expire in 1 day. Administrator will contact you to get your certificates reissued., jurisdiction id: 1234abcd1234abcd1234abcd1234abcd1234abcd, certificate cn: John Doe]]></LOG_DATA>
<DATE>12/09/2010</DATE>
<TIME>08:29:34</TIME>
<ID>2cf1e65ec9d2ba69b602b562bd99c5d4</ID>
<IP_ADDR>127.0.0.1</IP_ADDR>
</LOG_ENTRY>
End-user certificates contain the email address only in the Subject Alternative Name (SAN) extension; the email address is not part of the certificate's subject DN and is also not saved in the certificate object in the RSA Certificate Manager database as additional information (non-DN attribute).
Cause
Resolution
1. For existing certificates that do not already contain email addresses in the certificates or certificate objects, an RCM-API application can be written to extract the email addresses from the SAN extension of the certificates and then populate the EMAIL attribute of the corresponding certificate objects in the database.
2. For new certificates going forward, configure EMAIL in the Certificate Attributes section of the jurisdiction and enable the flag to include it in the SAN extension. Then either vettors can provide the email address before issuing a certificate, or end-users can provide their email addresses while submitting a certificate request. This way all future certificates will have the EMAIL attribute filled in, so that expiry notifications work.
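To find which existing certificates need step 1, the Secure Logging Server entries shown under Issue can be scanned for the "recipient list is empty" failure and paired with the administrator copy that names the certificate. The following is an added example, not RSA code or part of the original article; the function names, the `<LOG>` root element, the pairing of entries by ID, DATE and TIME, and the constructed sample entries are assumptions.

```python
import re
import xml.etree.ElementTree as ET

EMPTY = "end-entity recipient list is empty"   # failure text from the page's log
SENT = re.compile(r"notification was sent to (?P<to>\S+) subject:.*"
                  r"jurisdiction id: (?P<jur>[0-9a-f]+), certificate cn: (?P<cn>.+)$", re.S)
UNPAIRED = (None, None, None)   # failure with no entry naming the certificate

def certs_missing_end_user_email(xml_text):
    """List (certificate cn, jurisdiction id, admin recipient) for every expiry
    notification that failed because no end-user address was found."""
    findings, pending = [], None
    for entry in ET.fromstring(xml_text).iter("LOG_ENTRY"):
        data = (entry.findtext("LOG_DATA") or "").strip()
        # Assumption: a failure and the admin copy that follows share ID, DATE and TIME.
        key = tuple(entry.findtext(t) for t in ("ID", "DATE", "TIME"))
        if pending is not None:
            sent = SENT.search(data)
            paired = sent is not None and key == pending
            findings.append((sent["cn"].strip(), sent["jur"], sent["to"]) if paired else UNPAIRED)
            pending = None
            if paired:
                continue
        if EMPTY in data:
            pending = key
    if pending is not None:
        findings.append(UNPAIRED)
    return findings

def entry_xml(data, time="08:29:34", ident="2cf1e65ec9d2ba69b602b562bd99c5d4"):
    return (f"<LOG_ENTRY><LOG_DATA><![CDATA[{data}]]></LOG_DATA><DATE>12/09/2010</DATE>"
            f"<TIME>{time}</TIME><ID>{ident}</ID></LOG_ENTRY>")

FAIL = "Failed to process notification entry for a certificate because the " + EMPTY + "."
JUR = "1234abcd1234abcd1234abcd1234abcd1234abcd"
def sent_text(to, cn):
    return (f"Certificate expiry notification was sent to {to} subject: Certificate Expiry "
            f"Notification, body: Your certificate will expire in 1 day., "
            f"jurisdiction id: {JUR}, certificate cn: {cn}")

# Constructed sample: the page's two entries (trimmed), one delivered end-user
# notification, and one failure with no admin copy. The <LOG> root is assumed.
SAMPLE = "<LOG>" + "".join([
    entry_xml(FAIL), entry_xml(sent_text("admin@rcm.acme.net", "John Doe")),
    entry_xml(sent_text("jane.roe@acme.net", "Jane Roe"), time="08:29:35"),
    entry_xml(FAIL, time="08:30:00")]) + "</LOG>"

if __name__ == "__main__":
    for cn, jur, admin in certs_missing_end_user_email(SAMPLE):
        print(cn or "<unidentified>", jur, admin)
```

A finding with no CN means the failure was logged without an administrator copy to identify the certificate, so those certificates have to be located from the jurisdiction's certificate list instead.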