Improve Certificate Management
complete
Mike Sheldon
As an administrator I want to receive a warning when certificates are expiring.
Warn portal administrators about expiring certificate(s) by e-mail:
- The email will contain the following details:
  - expiring or expired application certificate(s) and connected application(s).
  - expiring or expired IDP certificate(s) and connected IDP(s).
  - expiring or expired Portal certificate
  - Documentation links to docs.helloid.com articles with instructions to renew the application or IDP certificates and instructions to provide Tools4ever with the new portal certificate.
- Mails will be sent in the following schedule:
  - 4, 2, 1 week(s) before expiration
  - 6, 5, 4, 3, 2, 1 day(s) before expiration
  - On expiration
  - After expiration
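
The schedule in the post above, worked through as an added example (not part of the original post and not HelloID code): it decides whether a mail is due today for each certificate and groups the results by application, IDP and portal. The inventory fields, certificate names and dates are constructed, and repeating the mail on every run after expiration is an assumption, since the post only says "After expiration".

```python
from datetime import date

# Schedule taken from the post; counts are days until the notAfter date.
WEEKS_BEFORE = (4, 2, 1)
DAYS_BEFORE = (6, 5, 4, 3, 2, 1)

def notification_due(not_after, today):
    """Return the reason a mail is due today for this certificate, or None."""
    days_left = (not_after - today).days
    if days_left < 0:
        # Assumption: "after expiration" means every run until renewal.
        return f"expired {-days_left} day(s) ago"
    if days_left == 0:
        return "expires today"
    if days_left % 7 == 0 and days_left // 7 in WEEKS_BEFORE:
        return f"expires in {days_left // 7} week(s)"
    if days_left in DAYS_BEFORE:
        return f"expires in {days_left} day(s)"
    return None

def build_report(inventory, today):
    """Group due certificates by kind (application, idp, portal) for one mail."""
    report = {}
    for cert in inventory:
        reason = notification_due(cert["not_after"], today)
        if reason:
            users = ", ".join(cert["used_by"]) or "-"
            line = f'{cert["name"]}: {reason}; used by {users}'
            report.setdefault(cert["kind"], []).append(line)
    return report

# Constructed sample inventory (names and dates are made up for the example).
TODAY = date(2024, 3, 1)
INVENTORY = [
    {"kind": "application", "name": "app-signing-1",
     "not_after": date(2024, 3, 15), "used_by": ["HR app", "Wiki"]},
    {"kind": "application", "name": "app-signing-2",
     "not_after": date(2024, 3, 11), "used_by": ["CRM"]},
    {"kind": "idp", "name": "idp-cert",
     "not_after": date(2024, 2, 27), "used_by": ["Corporate IDP"]},
    {"kind": "portal", "name": "portal-tls",
     "not_after": date(2024, 3, 4), "used_by": []},
]

if __name__ == "__main__":
    for kind, lines in build_report(INVENTORY, TODAY).items():
        print(kind.upper())
        for line in lines:
            print("  " + line)
```

A certificate 10 days from expiry produces no mail, because the schedule has no slot between 2 weeks and 1 week.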
Rick van den Dijssel
complete
Rick van den Dijssel
planned
Rick van den Dijssel
under review
Wim Bronswijk
Changed the post to a new proposal for admin notifications of expiring certificates. Old entry:
The following would be helpful in managing certificates for an instance
- Show decoded certification information when you edit/view a certificate
- Show what applications are using the certificate
- Notify the administrator when a certificate is about to expire or is expired.
Mike Sheldon
Wim Bronswijk: Seems this proposal has been modified to just notifications. Can we make sure that the item about viewing certificates in the admin portal is not forgotten as well, perhaps at least with another proposal?
Wim Bronswijk
Mike Sheldon: Of course, the notifications should solve the biggest issue. So administrators are getting notified about expiring certificates. After this we can always look at the other options.
Rick van den Dijssel
Merged in a post:
SSL Certification expiration notification
Wim Bronswijk
As an administrator I want to be warned about expiring certificates.
To prevent problems with IDP or SP configuration it would be helpful to notify administrators about expiring certificates by e-mail and/or on the admin dashboard.
Rick van den Dijssel
Thinking about using https://letsencrypt.org/ as a solution to this problem. Do you think this is a good idea? This allows us to regenerate/extend the SSL certificate without a hassle or any manual actions.
Mike Sheldon
Rick van den Dijssel: Let's Encrypt is a good solution, but the problem you are going to quickly run into is that SPs don't always use the metadata link to pull the current certificate for SAML. So when it comes to signing validation you may run into issues. With Let's Encrypt the certificate is regenerated with smaller windows, which causes the certificate to change.
Steve Miller
Certificate expiration notifications are very important, as an expired cert can cause a service disruption for thousands of users unexpectedly.