000011772 - End-users not getting certificate expiry notification emails

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000011772
Applies To: RSA Certificate Manager 6.8
Issue: End-users not getting certificate expiry notification emails
RSA Certificate Manager's automatic certificate expiry notification feature is configured and enabled in the jurisdiction.
When an administrator email address is manually added to the notifications via the jurisdiction's Automatic Notification section, the administrator receives the expiry notification but the end-user does not get an email.
The RSA Secure Logging Server logs the following entries for the expiry notification:

<LOG_ENTRY>
 <LOG_NUMBER>xslog_20101118.xml:609</LOG_NUMBER>
 <LOG_SOURCE><![CDATA[RSA CM 6.8 (Secure Directory)]]></LOG_SOURCE>
 <EVENT_CONDITION><![CDATA[COMPLETION]]></EVENT_CONDITION>
 <LOG_DATA><![CDATA[Failed to process notification entry for a certificate because the end-entity recipient list is empty.]]></LOG_DATA>
 <DATE>12/09/2010</DATE>
 <TIME>08:29:34</TIME>
 <ID>2cf1e65ec9d2ba69b602b562bd99c5d4</ID>
 <IP_ADDR>127.0.0.1</IP_ADDR>
</LOG_ENTRY>
<LOG_ENTRY>
 <LOG_NUMBER>xslog_20101118.xml:610</LOG_NUMBER>
 <LOG_SOURCE><![CDATA[RSA CM 6.8 (Secure Directory)]]></LOG_SOURCE>
 <EVENT_CONDITION><![CDATA[COMPLETION]]></EVENT_CONDITION>
 <LOG_DATA><![CDATA[Certificate expiry notification was sent to admin@rcm.acme.net subject: Certificate Expiry Notification, body: Your certificate will expire in 1 day. Administrator will contact you to get your certificates reissued., jurisdiction id: 1234abcd1234abcd1234abcd1234abcd1234abcd, certificate cn: John Doe]]></LOG_DATA>
 <DATE>12/09/2010</DATE>
 <TIME>08:29:34</TIME>
 <ID>2cf1e65ec9d2ba69b602b562bd99c5d4</ID>
 <IP_ADDR>127.0.0.1</IP_ADDR>
</LOG_ENTRY>
End-user certificates contain the email address only in the Subject Alternative Name (SAN) extension; the email address is neither part of the certificate's subject DN nor saved in the certificate object in the RSA Certificate Manager database as additional (non-DN attribute) information.
Cause: The EMAIL attribute of the certificate objects in RSA Certificate Manager did not contain any email address, so no emails could be sent to end-users. Automatic certificate expiry notifications are sent to the end-user email address stored in the EMAIL attribute of the corresponding certificate object. An email address added to a certificate's Subject Alternative Name through an extension profile is not copied into the EMAIL attribute of the certificate object in the RSA Certificate Manager database.
Resolution: In this scenario, where the email address is added only to the Subject Alternative Name extension through an extension profile, the following approaches can be taken so that end-users receive expiry notifications:

1. For existing certificates that do not already contain an email address in the certificate subject DN or in the certificate object, an RCM-API application can be written to extract the email address from the SAN extension of each certificate and then populate the EMAIL attribute of the corresponding certificate object in the database.

2. For new certificates going forward, configure EMAIL in the Certificate Attributes section of the jurisdiction and enable the flag to include it in the SAN extension. Then either vettors can provide the email address before issuing a certificate, or end-users can provide their email address while submitting a certificate request. This way all future certificates will have the EMAIL attribute filled in, so expiry notifications work.
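The SAN-versus-EMAIL-attribute mismatch behind this issue, as an added example that is not RSA Certificate Manager code and does not use the RCM-API: a dependency-free parser that pulls rfc822Name entries out of a SAN extension value, a model of the notifier that reads only the EMAIL attribute (so it hits the "recipient list is empty" case), and the backfill from step 1. The DER helpers, the record fields email_attribute and san_der, and the sample values are constructed assumptions.

```python
from typing import Dict, Iterator, List, Tuple

RFC822_NAME_TAG = 0x81  # GeneralName CHOICE [1] IMPLICIT IA5String (rfc822Name)
DNS_NAME_TAG = 0x82     # GeneralName CHOICE [2] IMPLICIT IA5String (dNSName)
SEQUENCE_TAG = 0x30

def der_tlv(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV with short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def der_iter(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, value) for each consecutive TLV in a DER byte string."""
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:  # long-form length: low bits give the byte count
            nbytes = length & 0x7F
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        yield tag, data[i:i + length]
        i += length

def rfc822_names_from_san(san_value: bytes) -> List[str]:
    """Return every rfc822Name in a SAN extension value (SEQUENCE OF GeneralName)."""
    tag, seq = next(der_iter(san_value))
    if tag != SEQUENCE_TAG:
        raise ValueError("SAN extension value must be a SEQUENCE")
    return [v.decode("ascii") for t, v in der_iter(seq) if t == RFC822_NAME_TAG]

def expiry_recipients(cert_record: Dict) -> List[str]:
    """Model the notifier: only the certificate object's EMAIL attribute is consulted."""
    return [cert_record["email_attribute"]] if cert_record.get("email_attribute") else []

def backfill_email_attribute(cert_record: Dict) -> Dict:
    """Resolution step 1: fill an empty EMAIL attribute from the SAN rfc822Name."""
    if not cert_record.get("email_attribute"):
        names = rfc822_names_from_san(cert_record["san_der"])
        if names:
            return dict(cert_record, email_attribute=names[0])
    return cert_record

# Constructed sample: SAN carries a dNSName and an rfc822Name; EMAIL attribute is empty.
SAMPLE_SAN = der_tlv(SEQUENCE_TAG, der_tlv(DNS_NAME_TAG, b"cm.acme.net")
                     + der_tlv(RFC822_NAME_TAG, b"john.doe@acme.net"))
SAMPLE_RECORD = {"cn": "John Doe", "email_attribute": "", "san_der": SAMPLE_SAN}

if __name__ == "__main__":
    print(expiry_recipients(SAMPLE_RECORD))                            # []
    print(expiry_recipients(backfill_email_attribute(SAMPLE_RECORD)))  # ['john.doe@acme.net']
```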
Legacy Article ID: a53551
