Manage certificate expiration settings

You can configure the certificate expiration monitor.

To view this administrative console page, click Security > SSL certificate and key management. Under Configuration settings, click Manage certificate expiration.

Attention: To see the changes to the Expiration checking fields, you must click Apply.

Start now

Specifies to start certificate monitoring. When the monitor runs, it visits all the key stores and checks to see if they are within certificate expiration range. If you set the option to delete or replace expired certificates, you can run these operations immediately by pressing Start now.

Expiration notification threshold

Specifies the period of time immediately before the expiration date of the certificate. If the ExpirationMonitor thread runs within this period and Automatically replace expiring self-signed and chained certificates is enabled, a new self-signed or chained certificate is generated. By default, the replacement period is 60 days or less, as defined in the daysBeforeNotification property.

Avoid trouble: Enabling WebSphere Application Server to automatically replace expiring certificates in a production environment can cause a short- or long-term outage, because the replacement operation can take considerable time when there are many certificates in the environment. It is recommended that you instead replace certificates manually when you are notified of their impending expiration, and that you leave the Automatically replace expiring self-signed and chained certificates option disabled by default.

There is also a pre-notification period, during which the certificate is added to the notification list but is not touched. This period covers the 90 days before the 60-day replacement period begins. By default, the pre-notification period is 90 days in length, as defined in the com.ibm.ws.security.expirationMonitorNotificationPeriod property.

Information Value
Data type: Integer
Default: 60 days or less

Certificate pre-notification threshold

The Certificate pre-notification threshold determines when you are warned that the certificate monitor is about to replace a certificate.

Set this value in the box that is labeled Certificate pre-notification threshold. The Certificate pre-notification threshold is the number of days before the start of the expiration notification threshold at which the certificate monitor reports the date on which the certificate can start being replaced.

If the certificate pre-notification threshold is set to 90 days, and the expiration notification threshold is 30 days, your certificate does not expire for another 60 days.

Information Value
Data type: Integer
Default: 90 days
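As an added example (not part of the product or of this documentation), the following Python script applies the two thresholds described above to a set of certificates for one scan date and reports which are merely on the notification list, which are inside the replacement window, and which are already expired. The keystore aliases, expiry dates and scan date are constructed; treating a certificate that sits exactly on a threshold as inside that window is an assumption, not product behaviour.

```python
"""Classify keystore certificates against the expiration monitor's two thresholds."""
import ssl
from datetime import datetime, timezone

# Page defaults: 90-day pre-notification period, 60-day replacement threshold.
PRE_NOTIFICATION_DAYS = 90
EXPIRATION_THRESHOLD_DAYS = 60

# Constructed sample keystore: alias -> notAfter line as printed by
# `openssl x509 -noout -enddate`. Aliases and dates are invented.
SAMPLE_KEYSTORE = {
    "default": "notAfter=Jun  1 12:00:00 2026 GMT",
    "root": "notAfter=Sep 15 00:00:00 2030 GMT",
    "ltpa-signer": "notAfter=Mar 20 08:30:00 2026 GMT",
    "legacy": "notAfter=Dec 31 23:59:59 2025 GMT",
}
SCAN_TIME = datetime(2026, 2, 1, tzinfo=timezone.utc)  # constructed scan date

def days_until_expiry(not_after_line, now):
    """Parse an OpenSSL notAfter= line; whole days to expiry, negative once expired."""
    stamp = not_after_line.split("=", 1)[1].strip()
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(stamp), tz=timezone.utc)
    return (expiry - now).days

def classify(days_left, pre_days=PRE_NOTIFICATION_DAYS, threshold_days=EXPIRATION_THRESHOLD_DAYS):
    """Map days-to-expiry onto the monitor's phases (boundary day counts as inside: assumption)."""
    if days_left < 0:
        return "expired"
    if days_left <= threshold_days:
        return "replace"       # inside the expiration notification threshold
    if days_left <= threshold_days + pre_days:
        return "pre-notify"    # on the notification list, not yet touched
    return "ok"

def scan(keystore, now, auto_replace=False):
    """Return {alias: (days_left, phase, action)}; auto_replace off (recommended) only reports."""
    report = {}
    for alias, line in keystore.items():
        days = days_until_expiry(line, now)
        phase = classify(days)
        action = ("replace" if phase == "replace" and auto_replace
                  else "none" if phase == "ok" else "notify")
        report[alias] = (days, phase, action)
    return report

if __name__ == "__main__":
    for alias, (days, phase, action) in scan(SAMPLE_KEYSTORE, SCAN_TIME).items():
        print(f"{alias:12s} {days:5d} days  {phase:10s} -> {action}")
```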

Enable checking

Specifies that the certificate monitor is active and runs as scheduled.

Scheduled time of day to check for expired certificates

Specifies the scheduled time that the system checks for expired certificates.

You can type the scheduled time in hours and minutes and specify either A.M. or P.M., or you can use the 24-hour format.

Information Value
Data type: Integer
Default: 0, 0
Range: 1–12, 0–59

Check by calendar

Indicates that you want to schedule a specific day of the week on which the expiration monitor runs. For example, it might run on Sunday.

Information Value
Default: Enabled

Weekday

Specifies the day of the week on which the expiration monitor runs if Check on a specific day is selected.

Information Value
Default: Sunday
Range: Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday

Repeat interval

Specifies the interval between scheduled checks for expired certificates.

Information Value
Default: Daily
Range: Daily, Weekly

Check by number of days

Specifies that you want to schedule a specific number of days between each run of the expiration monitor. The day of the week on which this occurs is not counted. For example, if you set the interval to check for expired certificates every seven days, the expiration monitor runs on day eight.

Information Value
Default: Disabled

Next start date

Specifies the date for the next scheduled check. This allows the deployment manager to be stopped and restarted without resetting the date.

Expiration check notification

Specifies the notification type (either email or an entry in the system log) that is used when the expiration monitor runs.

Information Value
Default:  

Automatically replace expiring self-signed certificates and chained certificates

Specifies that a new self-signed certificate or chained certificate is generated with the same certificate information when the expiration notification threshold is reached. The old certificate is replaced, and the new certificate uses the same alias. All old signers that are managed by the keystore configuration are also replaced. The system replaces only self-signed certificates.

Note: This checkbox is only applicable when you use file-based keystores.

Information Value
Default: Enabled

Delete expiring certificates and signers after replacement

Specifies whether to completely remove old self-signed certificates from the keystore during a replace operation, or to leave them in the keystore under a renamed alias. If an old certificate is not deleted, the system renames its alias so that the new certificate can take over the old alias, which might be referenced elsewhere in the configuration.

Note: This checkbox is only applicable when you use file-based keystores.

Information Value
Default: Enabled