Alerting and Notification Issues

The Alerting and Notification Issues section addresses problems where expiry alerts, policy violation alerts, or other lifecycle notifications are not being generated, delivered, or displayed as expected. Since alerts are critical for preventing outages and compliance failures, timely resolution ensures proactive certificate management.

CERTInext provides configurable alert rules, notification channels, and reporting visibility to support real-time monitoring.

Common Symptoms

Alert-related issues may appear as:

• Expiry alerts not received before certificate expiration

• Policy violation alerts not triggered

• Notifications sent to incorrect recipients

• Email delivery failures

• Alerts visible in dashboard but no email received

• Duplicate or excessive alerts

Step 1: Verify Alert Configuration

Navigate to the relevant alert configuration section:

• Expiry Alerts

• Policy Violation Alerts

• Notification Channels

Confirm:

• Alert rule is enabled

• Threshold values are correctly defined (e.g., 30 days before expiry)

• Domains or groups are correctly mapped

• Policy rules are active

Incorrect thresholds or disabled rules are common causes.

Step 2: Check Certificate Scope

Ensure the affected certificate:

• Is within the configured alert scope

• Is not marked as ignored

• Is properly linked to a group

• Has valid expiration metadata

Certificates excluded from scope will not trigger alerts.

Step 3: Validate Notification Channels

Navigate to Notification Channels configuration and verify:

• Email addresses are correct

• Distribution lists are active

• Channel status is enabled

• No typo in recipient entries

If using multiple channels, confirm all required recipients are mapped correctly.

Step 4: Confirm Email Delivery

If alerts are generated but not received:

• Check spam or junk folders

• Verify domain allowlisting

• Confirm SMTP or mail relay configuration

• Ensure sender domain is not blocked by security controls

Coordinate with the email security team if necessary.

Step 5: Review Dashboard Metrics

Navigate to monitoring dashboards and verify:

• Expiring certificates count

• Policy violation metrics

• Alert history logs

If dashboard shows zero results, verify discovery and provisioning data is up to date.

Step 6: Validate Policy Configuration

For policy violation alerts:

Confirm:

• Weak key detection rules are enabled

• Unsupported protocol checks are active

• Non-approved CA detection is configured

• Trust chain validation rules are active

Policy rules must be enabled to trigger alerts.

Step 7: Check Group-Level Configuration

If alerts are group-specific:

• Verify correct group assignment

• Confirm users are mapped to the group

• Ensure renewal notification emails are defined at group level

Misconfigured group ownership can block alert delivery.

Step 8: Review Alert Timing

Some alerts trigger based on schedule:

• Confirm time zone settings (UTC)

• Validate renewal window configuration

• Ensure bots are active during evaluation window

Inactive bots may delay alert evaluation.

Step 9: Re-test Alert

After correcting configuration:

• Trigger a manual evaluation (if available)

• Adjust threshold temporarily to simulate alert

• Monitor dashboard for updated metrics

When to Escalate

Provide:

• Certificate CN / SAN

• Alert type (Expiry / Policy Violation)

• Expected threshold

• Notification recipient list

• Screenshot of alert configuration

• Timestamp when alert was expected

This helps isolate configuration versus delivery issues.

Best Practices

• Use multiple recipients for critical alerts

• Configure 30–45 day expiry thresholds

• Regularly review alert rules

• Monitor dashboard KPIs weekly

• Keep notification distribution lists updated