Manage expiring certificates

The use of certificates to ensure the security of your document exchanges is an option that is highly recommended. When sending a message, Interchange uses the partner's public key (included in a certificate file) to encrypt the message. If the certificate is expired, Interchange does not encrypt or send the message. Likewise, an inbound encrypted message cannot be deciphered with an expired certificate. It is important to make sure the certificates associated with communities and partners are current and have not passed their expiration dates.

View expiration dates

Expiration dates for certificates are displayed in the user interface. For a community, click Certificates in the navigation graphic at the top of a community summary page to display a list of the community’s certificates. The list includes the expiration dates of all certificates. For a partner, you can view the same type of information by clicking Certificates at the top of a partner summary page.

Interchange checks

Interchange server checks at least once a day for certificates that are close to their expiration dates. A check is performed after the server is started. Thereafter, Interchange performs a daily check. The time the check is performed depends on the value of the Interval element in the alerts.xml file, which is at < install directory>\conf. If the interval is less than or equal to 60 minutes, the check is performed between midnight and 1:00 a.m., server time. If the interval is much less than 60 minutes, the check may be performed twice or more before 1:00 a.m. If the interval is greater than 60 minutes, the check is performed at the time past midnight equal to the interval length. For example, if the interval is 90 minutes, the check is performed at 1:30 a.m.

Interchange posts a message on the user interface home page 14 days before a community or partner certificate expires. It also displays an alert message on the Tasks and Alerts toolbar menu. If your license allows users to have certificates (for example, CSOS functionality), Interchange also generates messages about user certificates that are about to expire.

Expiring certificates

If there are outstanding alerts for a certificate about to expire, Interchange continues generating alerts at the interval specified in the alerts.xml file, regardless of time of day, until the certificate is replaced.

The messages about expiring certificates remain until the certificates are deleted. The messages give you time to replace certificates before they expire. We recommend replacing certificates before, rather than after, expiration so that trading is not disrupted. Regardless, expired certificates must be replaced. Expired certificates cannot be used for encryption, decryption or signing.

Certificate replacement and archiving

Do the following when a certificate is about to expire. The advice about archiving expired certificates is recommended, but not required.

  1. If a partner's certificate is about to expire, notify the partner and ask for a replacement.
  2. In <install directory>\common create a subdirectory named certarchive. Create subdirectories of certarchive named community and partner.
  3. On the home page, click the message about an expiring certificate to open the certificate's maintenance page.
  4. Click Export this certificate.
  5. If a community or user certificate, select the option to export the private key to a .p12 file. Save the file in <install directory>\common\certarchive\community.
  6. If a partner certificate, select the option to export the public key to a .p7b file. Select Include all certificates in the certificate path if possible. Save the file in <install directory>\common\certarchive\partner.
  7. Obtain a replacement certificate.
  8. If a community certificate, create a self-signed certificate or obtain a CA certificate. See Set up certificates for a community.
  9. If a user certificate, see Axway CSOS.
  10. If a partner certificate, import the replacement certificate the partner sends you. See Import certificates for partners.
  11. Delete the old certificate. On the community or partner summary page, click Certificates on the navigation graphic at the top of the page, select the certificate and click Delete this certificate. If a user certificate, open the user maintenance page certificates tab, select the certificate and click Delete this certificate.

Related topics

Related Links