Feature #7332

Provide certificate expiry warning

Added by Michael Newton over 3 years ago. Updated 5 months ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:


Just logged into one of my HP MSM controllers and was warned about certificates that are about to expire. This would be a nice feature for pfSense, if a certificate is in use and going to expire in the next 30 days.

Screenshot 2017-02-28 14.11.09.png (60.8 KB) Screenshot 2017-02-28 14.11.09.png How HP does it Michael Newton, 02/28/2017 04:15 PM

Associated revisions

Revision 93f1121f (diff)
Added by Jim Pingle about 1 year ago

Add certificate lifetime to infoblock. Issue #7332

  • Adds the total lifetime and lifetime remaining before expiration to
    the info block
  • Adds a visual indication to the infoblock and end date when the
    certificate will be expiring soon, or if it has already expired.

Revision 38e7b336 (diff)
Added by Jim Pingle about 1 year ago

Add settings to control certificate expiration notifications. Issue #7332

Note that the notices themselves do not yet exist. Those are still a
work in progress.

Revision 4bbdd9b0 (diff)
Added by Jim Pingle about 1 year ago

Add periodic framework to allow for daily/weekly/monthly tasks. Issue #7332

Revision b5d2d8d8 (diff)
Added by Jim Pingle about 1 year ago

Add daily certificate expiration notice. Issue #7332

Revision e78fe74d (diff)
Added by Jim Pingle almost 1 year ago

Make value of cert notify setting consistent with others. Issue #7332


#1 Updated by Jim Pingle about 1 year ago

See also: #9703

#2 Updated by DRago_Angel [InV@DER] about 1 year ago

It would be great if Certificate Manager will support expiration notification option for each existing certificate in storage and use existing /system_advanced_notifications.php to send alert to Administrator.
For example:
global configuration: notify if certificate will expire in less then X days
per certificate expiration notification option:

enabled\disable notifications
overwrite global configuration: notify if certificate will expire in less then X days

#3 Updated by Jim Pingle about 1 year ago

  • Status changed from New to In Progress
  • Assignee set to Jim Pingle
  • Target version set to 2.5.0

I do not think there will be a per-certificate setting for this (at least for now), but for starters I have added a visual indication of the expiration status to the GUI. Notifications will follow.

#4 Updated by Jim Pingle about 1 year ago

  • Status changed from In Progress to Feedback

This is now implemented.

There is a GUI setting to enable/disable the expiration notifications, and they are on by default.
There is a GUI setting to configure the expiration threshold, the default is 30 days.

It will check once per day, and if any certificates are expiring soon (or have already expired), it will trigger a notification in the log, GUI, and e-mail (if enabled).

#5 Updated by Jim Pingle 10 months ago

  • Status changed from Feedback to Resolved

This has been working well for a while now. I've made a few short-lived certs and watched them trigger the notifcations naturally after a couple days. No real downsides that I can tell, other than it being a tad annoying by notifying every day until you fix it. But seeing as that's the point, and someone can turn it off if they don't want it, I'd say it is operating as intended.

#6 Updated by DRago_Angel [InV@DER] 9 months ago

Ho, cool =D Thank you. Waiting 2.5 stable!

#7 Updated by Ian Collins 5 months ago

Hi - What version is this implemented in?
I've got a 2.4.4-RELEASE-p3 and a 2.5.1 pfsense - and I can't see any highlighting in the cert manager and don't get any emails about expiring certificates (tested email and its working).


#8 Updated by Jim Pingle 5 months ago

It's in 2.5.0 snapshots which are still in development. There has not been a 2.5.0 release yet.

There is no 2.5.1, not sure where you saw that. Maybe you meant 2.4.5-p1? This change is not in 2.4.x.

Also available in: Atom PDF