End-users not getting certificate expiry notification emails
Originally Published: 2011-01-12
Article Number
Applies To
Issue
RSA Certificate Manager's automatic certificate expiry notification feature is configured and enabled in the jurisdiction.
When an administrator email address is manually added to the notifications via the jurisdiction's Automatic Notification section, the administrator receives the expiry notification but the end-user does not get an email.
RSA Secure Logging Server logs the following entries for the expiry notification:
<LOG_ENTRY>
<LOG_NUMBER>xslog_20101118.xml:609</LOG_NUMBER>
<LOG_SOURCE><![CDATA[RSA CM 6.8 (Secure Directory)]]></LOG_SOURCE>
<EVENT_CONDITION><![CDATA[COMPLETION]]></EVENT_CONDITION>
<LOG_DATA><![CDATA[Failed to process notification entry for a certificate because the end-entity recipient list is empty.]]></LOG_DATA>
<DATE>12/09/2010</DATE>
<TIME>08:29:34</TIME>
<ID>2cf1e65ec9d2ba69b602b562bd99c5d4</ID>
<IP_ADDR>127.0.0.1</IP_ADDR>
</LOG_ENTRY>
<LOG_ENTRY>
<LOG_NUMBER>xslog_20101118.xml:610</LOG_NUMBER>
<LOG_SOURCE><![CDATA[RSA CM 6.8 (Secure Directory)]]></LOG_SOURCE>
<EVENT_CONDITION><![CDATA[COMPLETION]]></EVENT_CONDITION>
<LOG_DATA><![CDATA[Certificate expiry notification was sent to admin@rcm.acme.net subject: Certificate Expiry Notification, body: Your certificate will expire in 1 day. Administrator will contact you to get your certificates reissued., jurisdiction id: 1234abcd1234abcd1234abcd1234abcd1234abcd, certificate cn: John Doe]]></LOG_DATA>
<DATE>12/09/2010</DATE>
<TIME>08:29:34</TIME>
<ID>2cf1e65ec9d2ba69b602b562bd99c5d4</ID>
<IP_ADDR>127.0.0.1</IP_ADDR>
</LOG_ENTRY>
End-user certificates contain the email address only in the Subject Alternative Name (SAN) extension; the email address is not part of the certificate's subject DN and is also not saved in the certificate object in the RSA Certificate Manager database as additional information (a non-DN attribute).
Cause
Resolution
1. For existing certificates that do not already contain email addresses in the certificates or certificate objects, an RCM-API application can be written to extract the email addresses from the SAN extension of the certificates and then populate the EMAIL attribute of the corresponding certificate objects in the database.
2. For new certificates going forward, configure EMAIL in the Certificate Attributes section of the jurisdiction and enable the flag to include it in the SAN extension. Then either vettors can provide the email address before issuing a certificate, or end-users can provide their email addresses while submitting a certificate request. This way all future certificates will have the EMAIL attribute filled in, so expiry notifications will work.
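The extraction half of step 1, as an added example (not RSA code and not RCM-API): it reads the rfc822Name entries from a certificate's SAN extension and reports whether the subject DN already carries an email address. The function names and the sample certificate are constructed for illustration; writing the value into the EMAIL attribute through RCM-API is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// PKCS #9 emailAddress, the attribute type an email address has inside a subject DN.
var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}

// NotificationEmails returns the SAN rfc822Name entries and whether the subject DN has an email.
func NotificationEmails(der []byte) (san []string, inDN bool, err error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, false, fmt.Errorf("parse certificate: %w", err)
	}
	for _, atv := range cert.Subject.Names {
		inDN = inDN || atv.Type.Equal(oidEmailAddress)
	}
	return cert.EmailAddresses, inDN, nil
}

// SampleCert builds a constructed self-signed test certificate; dnEmail may be empty.
func SampleCert(cn, sanEmail, dnEmail string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		EmailAddresses: []string{sanEmail}}
	if dnEmail != "" {
		tmpl.Subject.ExtraNames = []pkix.AttributeTypeAndValue{{Type: oidEmailAddress, Value: dnEmail}}
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	der, _ := SampleCert("John Doe", "john.doe@example.test", "") // shaped like the article's certificates
	san, inDN, err := NotificationEmails(der)
	fmt.Println(san, inDN, err) // san[0] is the value to store as EMAIL; that RCM-API write is not shown
}
```

A certificate for which this returns a SAN address and `inDN == false` is a candidate for the back-fill, provided its certificate object has no EMAIL attribute yet.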