Idea ID: 2828834

Notification that the CA is going to expire

Status: Under Consideration

Under Consideration

See status update history

IDM Certificate Authority had expired. This meant that any items using certificate authentication, including many of our jobs and the Remote Loaders (connections from IDM to AD, 360, and ACF2) were no longer working .

There was no notification that the CA was going to expire. It would be nice to have a notification that the CA is getting ready to expire. 



  • the CA expiration date is unfortunately not a separate attribute on the CA itself. It is available if you wish to parse out the dates from the Certificate(s) on the CA, just not exposed in a separate attribute at this time.

    The date values are exposed in separate attributes on the Certificate object and those attributes are added/updated by the PKI Health Check process.

    A quick solution might be adding the attributes "NDSPKI:Not After" and "NDSPKI:Not Before" to the CA object (class=NDSPKI:Certificate Authority), just like they are on the Certificate objects (class=NDSPKI:Key Material). The "NDSPKI:Public Key Certificate" attribute has the full Certificate including the valid dates embedded does exist on both object classes.

    There is also the NDSPKI:Public Key Certificate EC that may come in to play these days as well.

  • The CA expiration date is an attribute on the object. You can read it from an LDAP search.