Currently our certificate expires in around 3 months time. Is there some way we can get an alert or notification before the certificate expires so we can renew it before it stops working?
Welcome to the Auth0 Community!
The SSO connections that can trigger certificate expiration are:
- SAML
- AD
- ADFS
If you are using one of these connections then tenant admins will receive an email notification 30 days before the expiration of the certificate.
Otherwise if you are referring to Signing Certificates used to sign tokens within Auth0, you can check out our Rotate Signing Keys documentation.
Hope this helps, and if you have further questions please let me know.
Thanks,
Remus
Hi @remus.ivan,
Thank you so much for responding.
We are using auth0 for our OIDC based SSO implementation. As a part of this we have a 2 step communication with auth0.
In Step 1, we send the client id and secret via an HTTP GET to get a code, and in Step 2 we send the code via an HTTP POST to get an id_token which contains the claims.
The certificates I am referring to are required to be installed in our JVM trust store, without which Step 2 mentioned above (the code-token exchange through the HTTP POST) fails. Is this the same part you are referring to in your email?
Also is there a way for us to find out who our tenant admin is?
Thanks,
Rajeev Sharma
Thanks for clarifying your use case!
What I was referring to in the above statement is related to the Auth0-issued tokens, but since you are using an OIDC enterprise connection with manually imported certificates, those will indeed have to be updated before expiration.
Unfortunately there isn’t a way of getting a direct email about this expiration timeframe, since most IDPs provide a JWKS endpoint that can be used in order to automatically renew the certificates, which would be the recommended way of approaching this instead of manually importing them.
When it comes to Auth0 issued tokens, you can check out the JWKS documentation.
Also, the tenant admins can be checked out from the Auth0 Dashboard - Settings - Tenant Members.
Thanks,
Remus
Hi Remus,
Thanks again, but I think I wasn’t able to explain my situation clearly. Let me try a different way:
I download this certificate chain using openssl to connect to my-domain-dot-auth0-dot-com port 443, saving the downloaded certificates in a crt file, and manually importing them in my keystore using keytool.
The certificate chain I have to import has the following 3 certificates:
- Issued to us-dot-auth0-dot-com issued by E6
- Issued to E6 issued by ISRG Root X1
- Issued to ISRG Root X1 issued by ISRG Root X1
Out of these three certificates, the first one, issued to us-dot-auth0-dot-com, has an expiry of 06/20.
As I understand, this certificate chain is something that comes from auth0.
Please let me know if my understanding is incorrect.
Thanks,
Rajeev
Thanks for clarifying this again! It is clear now that we are referring to TLS/SSL certificates, which are indeed provided by Auth0, more specifically coming from Let's Encrypt.
These certificates are automatically rotated within Auth0, so even though the “us-dot-auth0-dot-com” certificate has an expiration time set, given that most platforms trust the ISRG Root X1 already, no changes should be needed unless Automatic Root Certificate Updates have been disabled.
You can check out the Chains of Trust from Let's Encrypt.
Hope this clarifies the situation!
Thanks,
Remus
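An added example (not from this thread, Auth0 or Let's Encrypt) of the check worth running on a chain file like the one Rajeev saved before importing anything with keytool: it splits the PEM bundle, flags which entry is the self-signed root (the one that actually belongs in the trust store) and reports which entries expire within a window. It needs the openssl CLI, and builds a constructed demo chain (a long-lived root signing a 10-day leaf) in place of the real us.auth0.com chain so it runs offline.

```shell
# Split a PEM bundle into one file per certificate inside $2; prints the paths in chain order.
split_chain() {
    mkdir -p "$2"
    awk -v d="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", d, n) }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$1"
    ls "$2"/cert*.pem
}

# Prints "yes" when issuer equals subject (a root such as ISRG Root X1), else "no".
is_self_signed() {
    subj=$(openssl x509 -noout -subject -in "$1")
    iss=$(openssl x509 -noout -issuer -in "$1")
    [ "${subj#subject=}" = "${iss#issuer=}" ] && echo yes || echo no
}

# Prints "ok" if the certificate is still valid $2 days from now (default 30), else "expiring".
expiry_status() {
    openssl x509 -noout -checkend $(( ${2:-30} * 86400 )) -in "$1" >/dev/null 2>&1 \
        && echo ok || echo expiring
}

# One summary line per certificate in the bundle: subject, whether it is a root, expiry state.
# A leaf showing "expiring" is expected and harmless as long as only the root was imported.
report_chain() {
    tmp=$(mktemp -d)
    for c in $(split_chain "$1" "$tmp"); do
        printf '%s | root: %s | %s\n' "$(openssl x509 -noout -subject -in "$c")" \
            "$(is_self_signed "$c")" "$(expiry_status "$c" "${2:-30}")"
    done
    rm -rf "$tmp"
}

# Constructed stand-in for the real chain (hypothetical names): a 10-year self-signed root
# signing a 10-day leaf. Writes root.pem, leaf.pem and chain.pem into $1; prints the chain path.
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/root.key" -out "$1/root.pem" \
        -subj "/CN=Demo Root" -days 3650 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$1/leaf.key" -out "$1/leaf.csr" \
        -subj "/CN=tenant.example" >/dev/null 2>&1
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 10 -out "$1/leaf.pem" >/dev/null 2>&1
    cat "$1/leaf.pem" "$1/root.pem" > "$1/chain.pem"
    echo "$1/chain.pem"
}
```

Against a real capture, `report_chain chain.pem 30` on the bundle from `openssl s_client -showcerts` would show the Let's Encrypt leaf as expiring well before the intermediate or root, which is exactly why the root, not the leaf, should be what keytool imports.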