Set Up Certificate Expiration Notifications

Introduction

Staying aware of expiring certificates is critical to protecting machine identities and reducing the likelihood of certificate-related outages. Next-Gen Trust Security can send certificate expiration notifications to keep you aware of which certificates are approaching expiration.
All certificate expiration notifications rely on the certificate monitoring service, regardless of the delivery channel. Any changes to this configuration apply to all delivery channels.
Configuring and enabling the service is the first step in setting up certificate expiration notifications. Once it's set up, you can use the Notification Rules to configure email notifications or use our API to configure webhook notifications.

Step 1: Enable and configure the certificate monitoring service

The first step in setting up certificate expiration notifications is to configure and enable the certificate monitoring service.
  1. Sign in to Next-Gen Trust Security.
  2. Click Configuration > Certificate Lifecycle.
  3. Click Certificate Expiration Notification Policy.
    Note:
    If your organization previously configured the certificate monitoring service, make sure your policy settings include all three notification thresholds.
    If you have an existing policy configuration that monitors specific applications and you have a notification configured, make sure you have new notifications that match the criteria. Otherwise, you might stop receiving expected notifications.
    Ideally, you should monitor all applications in the policy, and use filters on the notifications to remove any unneeded applications.
    Next, you can proceed to set up email notifications or webhooks.
  4. Set the Certificate Inventory Monitoring settings according to the following guidelines.
    Important
    The settings in this section apply to all monitored applications, regardless of the notification method.
    | Field | Description |
    | --- | --- |
    | Certificate Inventory Monitoring | Turn on Certificate Inventory Monitoring. When this setting is off, Next-Gen Trust Security doesn't send any notifications. |
    | Certificate expiration thresholds | Next-Gen Trust Security provides three Notification rule thresholds. Each threshold specifies the number of days before a certificate expires that a notification is sent. You must configure all three thresholds. For each threshold, specify how many days in advance of a certificate’s expiration Next-Gen Trust Security should send the notification. Each day at a set time, the system checks the certificate inventory. If a certificate’s expiration date matches a threshold and a notification hasn’t already been sent for that threshold, the system sends a notification. |
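
The daily threshold check described above, modeled as an added example (this is not Next-Gen Trust Security code or its API). The threshold values, host names, and dates are constructed, and treating "matches a threshold" as days remaining being exactly equal to the threshold is an assumption.

```python
from datetime import date, timedelta

# Constructed sample values: three thresholds (days before expiry) and a
# small certificate inventory mapping a name to its expiration date.
THRESHOLDS = (30, 14, 7)
INVENTORY = {
    "api.example.test": date(2025, 7, 1),
    "vpn.example.test": date(2025, 6, 12),  # already inside 30 and 14 days
}

def daily_check(inventory, thresholds, today, sent):
    """One daily pass: return the (name, threshold) pairs to notify today.

    `sent` records what was already notified and is updated in place, so a
    second run on the same day sends nothing twice. It is keyed on the
    expiration date too (a modeling choice) so a renewed certificate starts
    fresh. Assumption: a "match" means days remaining == threshold.
    """
    due = []
    for name, not_after in sorted(inventory.items()):
        remaining = (not_after - today).days
        for threshold in thresholds:
            key = (name, not_after, threshold)
            if remaining == threshold and key not in sent:
                sent.add(key)
                due.append((name, threshold))
    return due

def simulate(inventory, thresholds, start, days):
    """Run the check for `days` consecutive days and log what is sent."""
    sent, log = set(), []
    for offset in range(days):
        today = start + timedelta(days=offset)
        for _ in range(2):  # run twice a day to exercise the already-sent guard
            for name, threshold in daily_check(inventory, thresholds, today, sent):
                log.append((today.isoformat(), name, threshold))
    return log

if __name__ == "__main__":
    for entry in simulate(INVENTORY, THRESHOLDS, date(2025, 6, 1), 30):
        print(entry)
```

Under that exact-match assumption, the certificate that is already 11 days from expiry when monitoring starts only ever triggers the 7-day threshold, which is why the smallest threshold should still leave enough time to renew.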
Once you've turned on and configured certificate monitoring, the next step is turning on and configuring email notifications, as outlined in the steps below. If you are continuing on from this section, you don't need to do the first two steps in the next section.