12. Alerts & Notifications

Reliable alerts are the final safety net of TLS certificate lifecycle management. CertKit provides customizable, automated email notifications to ensure your infrastructure teams are always aware of certificate renewals, endpoint health issues, and potential downtime threats.

Notification Types

CertKit supports three primary categories of email notifications, tailored to different operational needs:

1. Expiry Alerts (Immediate)

These are critical, high-priority alerts sent when an endpoint served certificate or a CertKit certificate intent is nearing expiration:

• Monitored Domains: Sent if an endpoint’s served certificate is close to expiry or has diverged from its expected CertKit-issued counterpart.
• Issuance Failures: Sent if an automated background ACME renewal fails preflight DNS checks or gets rejected by the CA.

2. Issuance Notifications (Real-time)

Sent immediately after the CertKit successfully issues or renews a certificate. This provides immediate confirmation that the ACME flow completed and that the new material has been saved to your secure S3-compatible storage or on-premise Keystore.

3. Weekly Summary Digest

A consolidated, glanceable weekly status report summarizing:

• The overall health of all Certificate Collections you have permission to view.
• Rolled-up status metrics for certificates, monitored domains, and active agents.
• Flagged items requiring administrator attention (e.g., offline agents or pending validations).

Expiry Alert Thresholds

To prevent inbox clutter and ensure alerts remain actionable, CertKit adjusts alert timing proportionally based on the lifetime of the certificate:

• 90-Day Certificates (Standard): Initial alert triggers at 25 days before expiration. Subsequent reminders are sent periodically (e.g., at 15, 7, and 3 days remaining) if the certificate remains un-deployed.
• Short-Lived & Future-Proofed Certificates (45-day & 6-day): Because these rotate frequently under tight automated schedules, alerts are scaled down to trigger much closer to expiration to avoid spamming team mailboxes.

Routing and Scoping

Alert routing is intrinsically bound to CertKit’s Collection-scoped security architecture:

• No Cross-Noise: Email notifications are only routed to users who have explicit permission to access that specific Certificate Collection.
• Team Alignment: If the database team only has access to the “DB Clusters” Collection and the web team only has access to the “Marketing Frontend” Collection, they will only receive alerts relevant to their respective environments.

Certificate-Specific Additional Contacts

There are scenarios where external stakeholders, third-party clients, application owners, or specific security mailing lists need to receive alerts for a single certificate but should not have user access to the entire CertKit Collection. To handle this, CertKit supports Additional Contacts configured on a per-certificate basis.

• Targeted Scope: Additional contacts only receive alerts (such as expiry warnings and ACME issuance failures) related to the specific certificate they are assigned to. They have no visibility into other certificates, agents, or Collections, preserving tight data isolation.
• Easy Configuration: Account administrators can manage these contacts directly on the Certificate Detail Page under the Additional Contacts panel:
  1. Provide the contact’s Name and Email address.
  2. Click Add Contact.

Managing Your Preferences

Each user can customize their personal notification settings directly from their user profile:

1. Click on your profile avatar or navigate to Settings › My Profile.
2. Under the Email Preferences section, toggle any of the following options:
   • Weekly Summary Email: Opt-in/out of the weekly digest.
   • Expiry Alerts: Toggle immediate warnings for expiring domains and certs.
   • Certificate Issued Notifications: Toggle real-time confirmations of successful renewals.
3. Click Save Preferences to apply changes.