Certificate Auto-Renewal

This section details the automated certificate renewal feature, which is essential for maintaining continuous service availability and preventing outages due to expired certificates.

Key Functionalities

Auto-Renewal Dashboard

  • Endpoint: /auto-renewal
  • Description: Provides a high-level overview of the auto-renewal system, including key statistics, a list of certificates currently eligible for renewal, and the active configuration settings.

Detailed Statistics and Health Check

  • Endpoint: /auto-renewal/statistics
  • Description: Offers in-depth statistics related to certificate auto-renewal, along with a health check of the auto-renewal service itself. It also displays a historical view of renewal activities, typically for the last 30 days, which can be used for charting and trend analysis.

Configuration Management

  • Endpoints:
    • GET /auto-renewal/configuration: Displays the current global auto-renewal configuration.
    • POST /auto-renewal/configuration: Allows administrators to update the global auto-renewal settings.
  • Configurable Parameters:
    • enabled: A boolean flag to globally enable or disable the auto-renewal process.
    • renewal_threshold_days: An integer (1-365) specifying how many days before a certificate's expiration the system should attempt to renew it.
    • max_renewal_attempts: An integer (1-10) defining the maximum number of times the system will attempt to renew a single certificate before marking it as a persistent failure.
    • notification_enabled: A boolean flag to enable or disable notifications related to auto-renewal events.
    • notification_threshold_days: An integer (1-365) specifying how many days before expiration notifications should start being sent.
    • batch_size: An integer (1-100) indicating the number of certificates to process in a single batch during a renewal run, optimizing performance for large deployments.
    • failure_notification_enabled: A boolean flag to enable or disable specific notifications for failed renewal attempts.
  • Audit Logging: Configuration updates are logged (implied by interaction with AutoRenewalService).

Eligible Certificates Listing

  • Endpoint: /auto-renewal/eligible
  • Description: Lists all certificates that are currently eligible for auto-renewal based on the configured renewal_threshold_days.
  • Urgency Categorization: Certificates are grouped and displayed by their expiration urgency:
    • critical: Expires in 7 days or less.
    • high: Expires in 8 to 30 days.
    • medium: Expires in 31 to 60 days.
    • low: Expires in more than 60 days.
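The following is an added illustration, not code from this product: it applies the parameter bounds listed under Configuration Management to validate an update, then filters a constructed certificate inventory with renewal_threshold_days and the per-certificate override, and groups the result by the urgency bands above. The Certificate dataclass, the sample inventory and the reference date are assumptions made for the example; they are not the application's own model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Integer bounds copied from the configurable-parameter list.
CONFIG_BOUNDS = {
    "renewal_threshold_days": (1, 365),
    "max_renewal_attempts": (1, 10),
    "notification_threshold_days": (1, 365),
    "batch_size": (1, 100),
}
CONFIG_FLAGS = ("enabled", "notification_enabled", "failure_notification_enabled")


def validate_configuration(config: dict) -> dict:
    """Return a validated copy of a configuration update or raise ValueError.

    bool is a subclass of int in Python, so the integer check explicitly
    rejects True/False to stop 'batch_size: true' from passing as 1.
    """
    validated = {}
    for key in CONFIG_FLAGS:
        value = config.get(key)
        if not isinstance(value, bool):
            raise ValueError(f"{key} must be a boolean")
        validated[key] = value
    for key, (low, high) in CONFIG_BOUNDS.items():
        value = config.get(key)
        if isinstance(value, bool) or not isinstance(value, int) or not low <= value <= high:
            raise ValueError(f"{key} must be an integer between {low} and {high}")
        validated[key] = value
    return validated


def classify_urgency(days_until_expiry: int) -> str:
    """Map days remaining onto the four urgency bands; expired counts as critical."""
    if days_until_expiry <= 7:
        return "critical"
    if days_until_expiry <= 30:
        return "high"
    if days_until_expiry <= 60:
        return "medium"
    return "low"


@dataclass
class Certificate:            # hypothetical model for the example
    id: int
    common_name: str
    not_after: datetime
    auto_renewal: bool = True  # per-certificate enable/disable override


def eligible_certificates(certs, config: dict, now: datetime) -> dict:
    """Group certificate ids by urgency; only those inside the renewal window
    with auto-renewal enabled are listed, and nothing is listed when the
    global flag is off."""
    groups = {"critical": [], "high": [], "medium": [], "low": []}
    if not config["enabled"]:
        return groups
    for cert in certs:
        days_left = (cert.not_after - now).days
        if cert.auto_renewal and days_left <= config["renewal_threshold_days"]:
            groups[classify_urgency(days_left)].append(cert.id)
    return groups


# Constructed sample data: a fixed "now" and six certificates.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_CONFIG = validate_configuration({
    "enabled": True, "notification_enabled": True, "failure_notification_enabled": True,
    "renewal_threshold_days": 90, "max_renewal_attempts": 3,
    "notification_threshold_days": 30, "batch_size": 50,
})
SAMPLE_CERTS = [
    Certificate(1, "api.example.test", NOW + timedelta(days=3)),
    Certificate(2, "www.example.test", NOW + timedelta(days=20)),
    Certificate(3, "mail.example.test", NOW + timedelta(days=45)),
    Certificate(4, "vpn.example.test", NOW + timedelta(days=80)),
    Certificate(5, "ca.example.test", NOW + timedelta(days=200)),   # outside window
    Certificate(6, "legacy.example.test", NOW + timedelta(days=5), auto_renewal=False),
]

if __name__ == "__main__":
    for band, ids in eligible_certificates(SAMPLE_CERTS, SAMPLE_CONFIG, NOW).items():
        print(f"{band:>8}: {ids}")
```

Note that the low band only appears when renewal_threshold_days exceeds 60; with a 30-day threshold every eligible certificate is already critical or high, which is why the listing is driven by the configured threshold rather than by the bands alone.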

Per-Certificate Auto-Renewal Control

  • Endpoint: POST /certificates/{certificate}/enable-auto-renewal
  • Endpoint: POST /certificates/{certificate}/disable-auto-renewal
  • Description: Provides granular control to enable or disable auto-renewal for individual certificates, overriding global settings if necessary.

Manual Renewal Trigger

  • Endpoint: POST /auto-renewal/trigger
  • Description: Allows administrators to manually initiate the certificate renewal process.
  • Options:
    • force_all: A boolean flag to trigger renewal for all eligible certificates.
    • certificate_ids: An optional array of specific certificate IDs to renew.
  • Outcome: Returns a summary of the manual renewal run, including the number of certificates processed, successfully renewed, and failed.
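As an added example (not the application's own AutoRenewalService), the run below shows how the trigger options, batch_size and max_renewal_attempts interact: explicit certificate_ids take precedence over force_all, certificates are processed in batches, each failed attempt is counted, and a certificate that reaches the attempt cap is marked a persistent failure and skipped on later runs. The RenewalCandidate model, the stub renew function and the sample inventory are constructed for the illustration; whether explicit ids bypass the eligibility check is an assumption.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass
class RenewalCandidate:          # hypothetical model for the example
    id: int
    eligible: bool               # inside the renewal window
    attempts: int = 0            # consecutive failed renewal attempts
    persistent_failure: bool = False


def select_targets(candidates: Iterable[RenewalCandidate], force_all: bool,
                   certificate_ids: Optional[list]) -> list:
    """Apply the trigger options. Explicit ids are honoured as given (assumed
    to bypass the eligibility window); otherwise force_all selects every
    eligible certificate. Persistent failures are never retried automatically."""
    if certificate_ids:
        wanted = set(certificate_ids)
        chosen = [c for c in candidates if c.id in wanted]
    elif force_all:
        chosen = [c for c in candidates if c.eligible]
    else:
        chosen = []
    return [c for c in chosen if not c.persistent_failure]


def run_manual_renewal(candidates: list, config: dict,
                       renew: Callable[[RenewalCandidate], bool],
                       force_all: bool = False,
                       certificate_ids: Optional[list] = None) -> dict:
    """Process the selected certificates in batches of config['batch_size'] and
    return the summary the trigger endpoint reports."""
    targets = select_targets(candidates, force_all, certificate_ids)
    summary = {"processed": 0, "renewed": 0, "failed": 0, "persistent_failures": []}
    batch = config["batch_size"]
    for start in range(0, len(targets), batch):
        for cert in targets[start:start + batch]:
            summary["processed"] += 1
            cert.attempts += 1
            if renew(cert):
                summary["renewed"] += 1
                cert.attempts = 0          # success resets the failure counter
            else:
                summary["failed"] += 1
                if cert.attempts >= config["max_renewal_attempts"]:
                    cert.persistent_failure = True
                    summary["persistent_failures"].append(cert.id)
    return summary


# Constructed sample: three eligible certificates, one outside the window,
# and one that has already failed twice.
SAMPLE_CONFIG = {"batch_size": 2, "max_renewal_attempts": 3}


def sample_candidates() -> list:
    return [
        RenewalCandidate(101, eligible=True),
        RenewalCandidate(102, eligible=True),
        RenewalCandidate(103, eligible=False),
        RenewalCandidate(104, eligible=True, attempts=2),
    ]


def stub_renew(cert: RenewalCandidate) -> bool:
    """Stand-in for the real issuance call: certificate 104 always fails."""
    return cert.id != 104


if __name__ == "__main__":
    inventory = sample_candidates()
    print(run_manual_renewal(inventory, SAMPLE_CONFIG, stub_renew, force_all=True))
    # second run: 104 is now a persistent failure and is skipped
    print(run_manual_renewal(inventory, SAMPLE_CONFIG, stub_renew, force_all=True))
```

With failure_notification_enabled on, the persistent_failures list is the natural input for the failure notification; a certificate that lands there needs an operator to look at the cause before auto-renewal is re-enabled for it.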

Inferred Specifications

  • Automated Background Process: The auto-renewal system operates as a scheduled background process, continuously monitoring certificate validity and initiating renewals as needed.
  • Highly Configurable Policy: Administrators have extensive control over the auto-renewal policy, allowing them to fine-tune thresholds, retry logic, and notification preferences to match organizational requirements.
  • Proactive Expiration Management: The system proactively identifies and categorizes certificates by their expiration urgency, enabling administrators to focus on critical renewals.
  • Granular Control and Overrides: While global settings provide a baseline, the ability to enable/disable auto-renewal for individual certificates offers crucial flexibility for specific use cases.
  • Manual Intervention Capability: The manual trigger for renewals provides a safety net and allows for immediate action or testing outside of the scheduled process.
  • Optimized Performance: Batch processing of certificates during renewal runs indicates an optimized approach for handling large certificate inventories efficiently.
  • Integrated Notification System: A robust notification system keeps stakeholders informed about upcoming expirations, successful renewals, and critical failures.
  • System Health Monitoring: The inclusion of a health check for the auto-renewal service ensures its operational status can be monitored.
  • Comprehensive Audit Trail: All significant auto-renewal events, including configuration changes, successful renewals, and failures, are logged for audit, compliance, and troubleshooting purposes (implied).

Don't want to manage it yourself?

Discover our PKI As A Service offering