GTE CyberTrust Global Root Expiration Alert

[Support_Jake]

Overview

You may get alerts that you have an expiring Certificate Authority certificates.


Email Contents

Email Subject: [GoAnywhere Alert] Certificate Expiring

The following Certificate will expire soon in GoAnywhere:

Environment: GoAnywhere Environment name from Global Settings

System Name: Cluster Node – if applicable (Coordinator)

Key Vault: Defines which vault in Key Management System to find the certificate (e.g. System, Default)

Name: Name of the Certificate expiring

Expires On: Expiration Date


Environment
GoAnywhere MFT - all versions

Primary location for certificate storage is in Encryption > Key Management System

Less common storage would be in or Encryption > File Based Keys > Certificates


Resolution
Login to GoAnywhere and go to Encryption > Key Management System and select the gear on the Key Vault Name listed in the email alert and select Manage Certificates.

Note the Created By username and the certificate name.

Quick Answer: If Created By = System – delete the certificate as it is not a certificate you created in the system. Email alert will stop.

Full Answer: The certificates provided by GoAnywhere, compared to certificates you and/or your trading partners use, are easily identifiable. If the Created By column value is “system” rather than a username. That certificate is a system certificate, and is not being renewed, but there is only a slim chance you are using it. It is common to have certificates expire after several years and establish new root trust certificates and these expiring certificates can be deleted.

Caution: If the user in the “Created By” column is not system that indicates a user imported it for a purpose that could impact your hosting of a service or a trading partner trust. Those certificates will need additional review and may need renewed/rekeyed with your certificate authority.


Why does this happen to you?
When you install GoAnywhere, you get the latest Root certificates available from Java. We provide this service, so our customers don’t have to find and install each Root cert. The certificates provided by GoAnywhere, compared to certificates you and/or your trading partners use, are easily identifiable if the Created By column is "system" rather than a username.

These certs – which have expiration dates -- work with your (or your trading partner’s) signed certificates to build a trust chain for SSL/TLS connections. When a certificate expires or is upgraded, you can easily find, download and import the new cert into GA (see the MFT User Guide for importing).

The “Certificate Expiration” alert is controlled by system alerts to warn of upcoming certificate expirations. It is important to know when your user imported certificates expire as those could impact relationships with trading partners. The System Alert will fire daily when the certificate expiration reaches the “Certificate Expiring Within” X days date defined in the System Alert for Certificate Expirations.


Other options for alert changes:

1. Remove certificate alert checkmark (not recommended)

2. Reduce days for the alert – default is 30 days

3. Change the notification recipients in the System Alert:

A. If “Notify Key Managers “ is checked. All Admin Users in GoAnywhere with both the “Key Manager” Admin User Role and an email address defined in their admin user profile will receive the alert.

B. If “Notify Additional Email Addresses” is checked the notifications go to just the email addresses listed.

C. If both are checked it is additive and will go to both groups.