The signing federation certificate expiration for organization System at Organization_Name is mm/dd/yyyy TIM. An expired certificate may disable federation with the identity provider setup with your organization. The certificate can be regenerated from the SAML Configuration page.

The VMware Cloud Director entity com.vmware.vcloud.entity.org:<ORG_ID> does not exist.

"Your certificate library item SAML Encryption-yyyy-mm-dd-hh-mm-ss (id: ####.####.#####.###, description: SAML encryption certificate and key) expired X day(s) ago".

VMware Cloud Director 10.6.x
In Cloud Director 10.6, users will receive an email if there is an expired SAML SSL certificate stored in the Administration > Certificate Management > Certificate Library for the Tenant.
When Cloud Director generates a new SAML certificate it does not remove the old pair, which may also cause issues at the Provider level should the associated Organization/Tenant be removed. Organizations that are not configured to use SAML will still have a SAML certificate, which can be regenerated without activating SAML for the organization.
To resolve this issue:

1. Locate the Organization which has the expired SAML certificate and click the link to open the tenant UI.
2. Navigate to Administration -> Certificates Library.
3. The ID value from the email relates to the certificate ID within the certificate library. To identify the name of the tenant associated with that ID, query the certificateLibraryItem consumers API, for example:

GET /cloudapi/1.0.0/ssl/certificateLibrary/urn:vcloud:certificateLibraryItem:<id_value_from_email>/consumers

Note: If Consumers shows a value of '1' for the expired certificate, renew the certificate first. Use the Cloud Director API POST /admin/org/{id}/settings/federation/action/regenerateFederationCertificate to regenerate a federation certificate for the Tenant. Details of this API method are available in the VMware Cloud Director API documentation.
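The following script is an added illustration of the triage above (it is not code from this article or from VMware): it pulls the certificate ID out of a notification email, builds the consumers query, and maps the answer to the action the article prescribes (regenerate when a consumer exists, otherwise clear the orphaned pair). It assumes the consumers endpoint returns paged JSON with a "values" list of name/id references; the email text and API responses are constructed so it runs offline, and fake_fetch stands in for an authenticated GET.

```python
# Added illustration for this article, not VMware's code. Assumes the consumers
# endpoint returns paged JSON with a "values" list of {"name", "id"} references.
import re
from typing import Callable, Dict, Optional

CERT_URN_PREFIX = "urn:vcloud:certificateLibraryItem:"
CONSUMERS_PATH = "/cloudapi/1.0.0/ssl/certificateLibrary/{urn}/consumers"
EMAIL_ID_RE = re.compile(r"\(id:\s*([^,\s)]+)")

# Constructed sample notification following the article's wording; the id is made up.
SAMPLE_EMAIL = ("Your certificate library item SAML Encryption-2024-01-15-09-30-00 "
                "(id: 11111111-2222-3333-4444-555555555555, description: SAML "
                "encryption certificate and key) expired 12 day(s) ago")

def cert_id_from_email(body: str) -> Optional[str]:
    """Extract the certificate library item id quoted in the email."""
    m = EMAIL_ID_RE.search(body)
    return m.group(1) if m else None

def consumers_url(base_url: str, cert_id: str) -> str:
    """Build the consumers query; add the URN prefix if the email omitted it."""
    urn = cert_id if cert_id.startswith(CERT_URN_PREFIX) else CERT_URN_PREFIX + cert_id
    return base_url.rstrip("/") + CONSUMERS_PATH.format(urn=urn)

def triage(consumers_response: Dict) -> str:
    """A consumer means an org's federation settings still reference the cert:
    regenerate it (POST .../regenerateFederationCertificate) before removal.
    No consumers means an orphaned pair that can be cleared from the library."""
    values = consumers_response.get("values") or []
    if values:
        names = ", ".join(sorted(v.get("name", "?") for v in values))
        return f"REGENERATE first: still consumed by {names}"
    return "REMOVE: no consumers, clear from Administration > Certificates Library"

def triage_email(base_url: str, body: str, fetch: Callable[[str], Dict]) -> str:
    """Email text -> consumers lookup -> action. `fetch` performs the authenticated GET."""
    cert_id = cert_id_from_email(body)
    if cert_id is None:
        return "SKIP: no certificate id found in the email"
    return triage(fetch(consumers_url(base_url, cert_id)))

def fake_fetch(url: str) -> Dict:
    """Constructed stand-in for the API call so the example runs offline."""
    if "11111111-2222" in url:
        return {"resultTotal": 1, "values": [{"name": "Tenant-A", "id": "urn:vcloud:org:0"}]}
    return {"resultTotal": 0, "values": []}

if __name__ == "__main__":
    print(triage_email("https://vcd.example.com", SAMPLE_EMAIL, fake_fetch))
```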
In some instances, depending on email settings, a System Administrator may receive an email for a Tenant's expired certificates. As of 10.6 GA the Tenant reference is not included in the email, which makes the approach above impossible to scale. To list the organizations holding SAML certificates that have no consumers, run the following query against the Cloud Director database:

select name, display_name from organization where org_id in (select org_id from certificate_library_item where alias like '%SAML%' and id not in (select cert_library_item_id from certificate_library_item_consumer));
Those certificates can then be cleared via the UI.
There were improvements in VMware Cloud Director 10.6.1 to reduce the number of notifications caused by unused expired certificates and to provide details regarding the organization experiencing the issue, as noted in the following:
VMware Cloud Director 10.6.1 Release Notes - Resolved Issues
The organization name is not mentioned in the certificate expiration notification email
If the same email is configured for multiple tenant administrators, it is difficult to figure out which tenant the notification is for because the email does not contain the organization name. Also, VMware Cloud Director notifies the administrators for expired certificates even if there are no consumers. The notifications are sent once a day and cause too many unnecessary emails.
If you encounter issues removing the certificate via the UI, contact technical support and note this Knowledge Article ID (376536) in the problem description. For more information, see How to Submit a Support Request.
In instances where you have removed the certificate from the UI but you still receive emails, see Email notification for not existing expired certificates in certificate library