We are trying to configure Certificate Expiration Alert. ASM can only check if the certificate is invalid.

Our requirement is to alert 1 week before Certificate Expiry.  How can we achieve this using ASM?

ASM 10.x

NA

This check is special in a way that it's not done by the monitoring stations but rather by the core servers which is why the services need to be publicly available as our core servers need to be able to access the service to download the certificate to be able to check it.

With 10.3 we removed the 30 days certificate expiration notice as many sites using Let's Encrypt service were getting the 30-day notification. Let's Encrypt works in a way that it renews certificates automatically if the days remaining to expiry are less than 30. So the 30 days notification was usually sent, triggering false alarms. We changed the check periods to 21, 14, 7, 3, 2, 1 days instead.

Users cannot manually configure the certificate expiry notices in ASM.  Currently there is no plan to change this in a future release.