Manage expiring certificates

Axway highly recommends the use of certificates to ensure the security of your document exchanges. When sending a message, Activator uses the partner’s public key (included in a certificate file) to encrypt the message. If the certificate is expired, Activator does not encrypt or send the message. Likewise, an inbound encrypted message cannot be deciphered with an expired certificate. It is important to make sure the certificates associated with communities and partners are current and have not passed their expiration dates.

View expiration dates

Expiration dates for certificates are displayed in the user interface. For a community, click Certificates in the navigation graphic at the top of a community summary page to display a list of the community’s certificates. The list includes the expiration dates of all certificates. For a partner, you can view the same type of information by clicking Certificates at the top of a partner summary page.

Certificate validity checks

Activator checks at least once a day for certificates that are close to their expiration dates. A check is performed after the server is started. Thereafter, Activator performs a daily check. The time the check is performed depends on the value of the Interval element in the alerts.xml file, which is located at <Activator_install_directory>\Activator\conf. If the interval is less than or equal to 60 minutes, the check is performed between midnight and 1 a.m., server time. If the interval is much less than 60 minutes, the check may be performed twice or more before 1 a.m. If the interval is greater than 60 minutes, the check is performed at the time past midnight equal to the interval length. For example, if the interval is 90 minutes, the check is performed at 1:30 a.m.

Activator posts a message on the user interface home page 14 days before a community or partner certificate expires. It also displays an alert message on the Tasks and Alerts toolbar menu. If your license allows users to have certificates, Activator also generates messages about user certificates that are about to expire.

Expiring certificates

If there are outstanding alerts for a certificate about to expire, Activator continues generating alerts at the interval specified in the alerts.xml file, regardless of time of day, until the certificate is replaced.

The messages about expiring certificates remain until the certificates are deleted.

The messages give you time to replace certificates before they expire. We recommend replacing certificates before rather than after expiration so trading is not disrupted. Regardless, expired certificates must be replaced. They cannot be used for encryption, decryption or signing.

Replace and archive certificates

Use the following procedure when a certificate is about to expire. Archiving of expired certificates is recommended, but not required.

  1. If a partner’s certificate is about to expire, notify the partner and ask for a replacement.
  2. In <Activator_common_directory>\common create a subdirectory named certarchive. Create subdirectories of certarchive named community and partner.
  3. On the Activator UI home page click the message about an expiring certificate to open the certificate’s maintenance page.
  4. Click Export this certificate.
  5. If it is a community or user certificate, select the option to export the private key to a .p12 file. Save the file in <Activator_common_directory>\common\certarchive\community.
  6. If it is a partner certificate, select the option to export the public key to a .p7b file. Select Include all certificates in the certificate path if possible. Save the file in <Activator_shared_directory>\common\certarchive\partner.
  7. Obtain a replacement certificate.
  8. If a community certificate, create a self-signed certificate or obtain a CA certificate. See Set up certificates for a community.
  9. If a partner certificate, import the replacement certificate the partner sends you. See Import certificates for partners.
  10. Delete the old certificate. On the community or partner summary page, click Certificates on the navigation graphic at the top of the page, select the certificate and click Delete this certificate. If a user certificate, open the user maintenance page certificates tab, select the certificate and click Delete this certificate.
