Tutorial: Monitor Certificate Expiry and Renew a Signing Certificate

A signing certificate that expires without warning can silently break build pipelines, block releases, and leave software unsigned and untrusted by end users. This tutorial walks through setting up proactive expiry alerts in Signum and then completing the full renewal workflow when the time comes, so you are never caught off guard.

Workflow:

  1. Review upcoming expirations on the Dashboard.

  2. Configure a multi-stage expiry alert (90, 30, and 7 days).

  3. (Optional) Add a usage alert to detect if a near-expired certificate is still actively signing.

  4. Generate a new CSR to renew the certificate.

  5. Import the replacement certificate.

  6. Verify agents pick up the new certificate automatically.

  7. Disable and archive the old certificate.

Time to complete: Approximately 30 minutes


Before you begin

You need:

  • A Signum Administrator account or a role with Alerts and Certificates permissions in the Admin Web Console

  • An SMTP server already configured with Keyfactor Support (Required for email alerts. Contact support@keyfactor.com if this is not yet in place.)

  • At least one signing certificate already imported into Signum

  • Access to your CA to issue a new certificate once the CSR is generated


Part 1 - Review upcoming expirations on the Dashboard

Before configuring alerts, it is worth checking whether any certificates are already close to expiry.

  1. Log in to the Signum Admin Web Console.

  2. On the Dashboard, locate the Next Certificates to Expire panel. This lists certificates in order of expiration date, showing the certificate name, expiry date, and days remaining.

  3. If a certificate appears here with fewer than 90 days remaining, prioritize the renewal steps in Part 4.

  4. Click See All to open the full Certificates view filtered to show expiration data.

The Dashboard view is per-user and configurable. If you do not see the Next Certificates to Expire panel, click the icon on the left edge of the Dashboard to restore hidden panels.


Part 2 - Configure certificate expiry alerts

Signum sends email alerts based on expiry thresholds you define. The recommended practice is to configure three thresholds (90 days, 30 days, and 7 days) so you have enough lead time to generate a CSR, get it signed by your CA, and import the new certificate without any signing gaps.

Step 1 - Open the Alerts section

  1. In the Admin Web Console, navigate to Alerts in the top menu.

  2. Click Add new alert. The alert creation wizard opens.

  3. Select Certificate Expiration and click Next.

Step 2 - Select which certificates to monitor

  1. Choose either All certificates to monitor everything in Signum, or select specific certificates or certificate groups. For most organizations, monitoring all certificates is the safest default as it ensures no certificate is overlooked as new ones are added.

  2. Click Next.

Step 3 - Configure the expiry thresholds

  1. In the Expiration Day Notice field, enter 90 and click Add.

  2. Enter 30 and click Add.

  3. Enter 7 and click Add.

You should now have three thresholds listed: 90, 30, and 7 days.

  4. Enable the Receive Alerts toggle if you also want to receive a notification for any certificates that have already expired. This is useful when you first configure alerts and want to catch anything that slipped through.

Step 4 - Configure recipients and event logging

  1. Enter the email addresses of everyone who should receive expiry notifications — typically the Signum admin, the security team, and any certificate owners. Enter one address per line or comma-separated.

  2. Enable Store Event Log to ensure expiry alerts also appear in the Events log. This creates an audit trail independent of email delivery.

  3. Click Apply to save the alert.

The alert now appears in the Alerts list. You can click it at any time to modify thresholds, add recipients, or disable it temporarily.


Part 3 - Add a usage alert for near-expired certificates (recommended)

A certificate usage alert fires every time a specific certificate is used to sign, both when signing is allowed and when it is denied. Adding a usage alert for a certificate that is close to expiry gives you visibility into how actively it is being used, which helps you prioritize and time the renewal.

  1. In Alerts, click Add new alert.

  2. Select Certificate Usage and click Next.

  3. Select the specific certificate or certificate group you want to monitor.

  4. Click Next.

  5. Select Allowed to be notified of successful signings, Denied if you want to catch policy-blocked signing attempts, or both.

  6. Click Next.

  7. Enter the recipient email addresses and click Apply.

This alert fires on every signing event, so if a certificate is used very frequently, consider limiting recipients to avoid inbox noise. A dedicated operations mailbox or ticketing system integration works well for high-volume signing workflows.


Part 4 - Renew the certificate

When you receive a 90-day alert (or earlier, if you spotted an expiry on the Dashboard), start the renewal process. Signum's renewal workflow is non-disruptive: the old certificate stays active and available for signing until you explicitly disable it, and policies do not need to be reconfigured.

Step 1 - Generate a renewal CSR

  1. In the Admin Web Console, navigate to Certificates and open the Certificate List tab.

  2. Find the certificate you are renewing. Click its Actions menu (⋮) and select CSR / Renew.

This opens the same Generate CSR Wizard used for new certificates, but it reuses the existing key slot. A new private key is generated and stored on the HSM. The old key remains in place until you delete it.

  3. In the wizard, verify or update the Distinguished Name fields. In most renewal scenarios these stay identical to the expiring certificate. Confirm with your CA if any fields need changing (for example, if your organization name has changed).

  4. Assign the CSR to the same Certificate Group(s) as the expiring certificate. This ensures the renewed certificate will automatically inherit the same policy assignments when it is imported.

  5. Click Apply. The CSR is generated and available to copy or download from the Requests tab.

Step 2 - Submit the CSR to your CA

  1. Download the CSR from the Requests tab using the Actions menu (⋮) → View CSR, then copy the PEM content.

  2. Submit the CSR to your CA following your organization's certificate issuance process.

    • For EJBCA: see Request a certificate from a CSR

    • For other CAs: the CSR is in standard PKCS#10 PEM format and can be submitted through any compliant CA interface

  3. If your CA supports key attestation and your HSM is Fortanix or Thales DPoD, you can download a key attestation from the Requests tab (Actions → Download attestation) and include it with the CSR to prove the private key was generated inside the HSM.

Step 3 - Import the renewed certificate

Once your CA issues the new certificate:

  1. In the Admin Web Console, navigate to Certificates → Requests tab.

  2. Find the pending request and click Import.

  3. Select the certificate file from your CA. Accepted formats are .cer, .crt, .der, and .pem.

  4. The certificate is imported and immediately linked to the pending request. It appears in the Certificate List with a new expiry date.

Because the renewed certificate was generated through the Requests tab against an existing certificate group assignment, it automatically inherits those group memberships, and therefore inherits the associated policies. No policy changes are required.

Step 4 - Verify Agents pick up the new certificate

Signum Agents fetch certificates from the server on their next scheduled sync. To verify the new certificate is available without waiting:

  1. On any signing machine, open a terminal as administrator.

  2. Restart the Signum Agent service to force an immediate certificate refresh:

Restart-Service RTService

  3. After the service restarts, confirm the new certificate appears in the Local Machine store with the updated expiry date:

Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*<your-cert-CN>*" } | Select-Object Subject, NotAfter, Thumbprint

You should see two entries briefly — the old certificate and the new one. Both are valid during the transition period.

  4. Run a test signing operation to confirm the new certificate works:

signtool.exe sign /fd SHA256 /sm /n "<your-cert-CN>" /tr <your-tsa-url> /td SHA256 test-file.exe
signtool.exe verify /pa /v test-file.exe
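
As an added example (not from the Signum documentation or product), the following PowerShell check covers the transition window described above: it lists the old and renewed certificates for a CN side by side, rates each against the 90/30/7-day thresholds from Part 2, and marks the newest currently valid one so the test signing can target it explicitly. The function name, `<your-cert-CN>` and `$TsaUrl` are placeholders to fill in, and the threshold defaults are an assumption.

```powershell
# Added example, not part of Signum. Run on a signing machine after RTService has synced.
function Get-SigningCertStatus {
    param(
        [Parameter(Mandatory = $true)][string]$CertCN,
        [int[]]$Thresholds = @(90, 30, 7)   # assumed: mirrors the expiry alert in Part 2
    )
    $now   = Get-Date
    $certs = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$CertCN*" } |
        Sort-Object NotAfter -Descending

    if (-not $certs) {
        Write-Warning "No certificate with CN '$CertCN' found. Check it is Enabled in Signum and that RTService has synced."
        return
    }

    # Newest certificate that is valid right now: the one signing should use during the transition.
    $preferred = $certs | Where-Object { $_.NotBefore -le $now -and $_.NotAfter -gt $now } | Select-Object -First 1

    foreach ($c in $certs) {
        $daysLeft = [int][math]::Floor(($c.NotAfter - $now).TotalDays)
        # Smallest threshold already crossed, if any (e.g. 29 days left reports "30").
        $crossed = $Thresholds | Where-Object { $daysLeft -le $_ } | Sort-Object | Select-Object -First 1
        $status  = if ($daysLeft -lt 0) { 'EXPIRED' }
                   elseif ($crossed)    { "within $crossed-day threshold" }
                   else                 { 'OK' }
        [pscustomobject]@{
            Thumbprint = $c.Thumbprint
            NotBefore  = $c.NotBefore
            NotAfter   = $c.NotAfter
            DaysLeft   = $daysLeft
            Status     = $status
            Preferred  = ($null -ne $preferred -and $c.Thumbprint -eq $preferred.Thumbprint)
        }
    }
}

# Usage: fill in the CN of your certificate and your timestamp server URL (placeholders).
$TsaUrl = '<your-tsa-url>'
$status = Get-SigningCertStatus -CertCN '<your-cert-CN>'
$status | Format-Table Thumbprint, NotAfter, DaysLeft, Status, Preferred -AutoSize
$new = $status | Where-Object Preferred
if ($new) {
    # Pinning by /sha1 must be updated at every renewal; /n "<CN>" does not need updating.
    signtool.exe sign /fd SHA256 /sm /sha1 $new.Thumbprint /tr $TsaUrl /td SHA256 test-file.exe
    signtool.exe verify /pa /v test-file.exe
}
```

If the old certificate still shows Preferred = True, the renewed one has not reached this machine yet; see the Troubleshooting section before changing any pipeline scripts.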

Part 5 - Disable and archive the old certificate

Once you have confirmed the new certificate is working correctly and all signing pipelines are using it, disable the old certificate to prevent it from being used.

  1. In the Certificate List, find the expiring certificate.

  2. Click its Actions menu (⋮) and select Disable.

A disabled certificate cannot be used for signing regardless of policy. It remains visible in the certificate list for audit purposes.

Do not delete the old certificate immediately. Keeping it disabled but present allows you to verify historical signing events in the Events log and preserves the audit trail. Delete it only after you are satisfied the transition is complete and your retention policy allows it.

  3. If you want to make clear in Signum's UI why the certificate is disabled, open the certificate's Detail View and add a note in the Description field — for example: Replaced by <new cert alias> on <date>. Disabled pending retention policy deletion.


Troubleshooting

I received an expiry alert but the certificate is not in the Requests tab after generating a CSR

The renewal CSR appears in the Requests tab, not the Certificate List tab. Navigate to Certificates → Requests to find the pending CSR.

The renewed certificate is not appearing on signing machines after restarting RTService

Check that the new certificate is Enabled in the Certificate List (disabled certificates are not distributed to agents). Also confirm it is assigned to the correct certificate group — open the certificate's Related tab and verify the expected groups and policies are shown.

Agents are signing with the old certificate even after the new one is available

If your signing scripts use /sha1 <thumbprint> to specify the certificate, they will continue targeting the old thumbprint until updated. Switch to using /n "<CN>" to allow the agent to automatically use whichever certificate with that CN is newest and valid. Re-sign affected artifacts once the scripts are updated.

The SMTP server is not configured and I cannot create alerts

Contact support@keyfactor.com to have your SMTP server configured. In the interim, monitor expiry manually using the Dashboard's Next Certificates to Expire panel.


Alert threshold               Recommended action
90 days                       Start CSR generation process; submit to CA
30 days                       Escalate if CA has not yet issued the new certificate
7 days                        Import and verify renewed certificate; disable old certificate after successful test
Expired (if toggle enabled)   Investigate immediately — signing may already be failing


Next steps