WAF SaaS Certificate Expiration
Certificate Expiration Notifications
CloudGuard WAF now provides daily notifications and email alerts for certificates that are about to expire or have already expired. These notifications help ensure your application traffic is not disrupted due to expired SSL/TLS certificates.
In-Portal Notifications
You’ll see certificate expiration alerts directly in the WAF portal:
Yellow Warning Notification – Appears when one or more certificates will expire within the next 14 days.
Displays up to two affected domains and indicates how many additional domains are impacted (e.g., “+3 more”).
The notification shows the minimum number of days left until expiration among all affected certificates.
Red Critical Notification – Appears when one or more certificates have already expired.
Displays up to two expired domains and indicates how many more are affected.
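An independent check that mirrors the thresholds above can run alongside the portal alerts. This is an added example, not Check Point code: the function names, the sample domains and dates, the rounding to whole days, and treating exactly 14 days as still inside the warning window are all assumptions.

```python
import ssl
from datetime import datetime, timedelta, timezone

WARN_DAYS = 14  # yellow-warning window stated on this page


def parse_not_after(stamp):
    """Convert a certificate notAfter string (the format returned by
    ssl.SSLSocket.getpeercert()) to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(stamp), timezone.utc)


def banner(domains):
    """List up to two domains, then '+N more' for the rest."""
    text = ", ".join(domains[:2])
    extra = len(domains) - 2
    return f"{text} +{extra} more" if extra > 0 else text


def classify(not_after, now):
    """not_after: {domain: notAfter string}. Returns the banners that apply."""
    by_date = sorted((parse_not_after(s), d) for d, s in not_after.items())
    expired = [d for end, d in by_date if end <= now]
    expiring = [(end, d) for end, d in by_date
                if now < end <= now + timedelta(days=WARN_DAYS)]
    result = {}
    if expired:  # red: already expired
        result["critical"] = banner(expired)
    if expiring:  # yellow: minimum whole days left (assumed rounding)
        days = (expiring[0][0] - now).days
        result["warning"] = f"{banner([d for _, d in expiring])} ({days} days left)"
    return result


# Constructed sample data: hypothetical domains and expiry dates.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE = {
    "old.example": "Dec 20 00:00:00 2024 GMT",
    "shop.example": "Jan  4 00:00:00 2025 GMT",
    "api.example": "Jan 10 00:00:00 2025 GMT",
    "blog.example": "Jan 14 12:00:00 2025 GMT",
    "cdn.example": "Jan 15 00:00:00 2025 GMT",  # exactly 14 days: still a warning
    "www.example": "Mar  1 00:00:00 2025 GMT",  # outside the window: no alert
}

if __name__ == "__main__":
    print(classify(SAMPLE, NOW))
```

To run it against live domains, feed `classify` the `notAfter` field from `getpeercert()` on a verified TLS connection; an already-expired certificate fails that handshake, so treat the verification error itself as the critical case.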
Email Alerts
In addition to UI notifications, CloudGuard WAF sends daily email alerts listing all affected domains:
Each email includes the domain names and their exact expiration dates.
Emails are sent once per day until the certificates are renewed.
When Notifications Are Triggered
Notifications and emails are sent in the following cases:
Customer-Uploaded Certificates — The certificate was manually uploaded and must be renewed before it expires.
Managed Certificates with Missing DNS Validation — The DNS validation record (challenge) is missing or invalid, preventing automatic renewal.
Once the missing DNS record is restored or the certificate is renewed manually, the notifications will automatically clear.
How To: Update Expired Certificates
The UI will alert you about certificates nearing expiration and recommend replacing them beforehand:
Indicator on the domain card (currently shown only for manually uploaded certificates)

UI banner, as described above in the In-Portal Notifications section
How to identify which certificate method is being used
In the relevant profile, click the domain to open the side panel. In the Certificates & Domain Management section, the selected radio button indicates the certificate method:
Upload Certificate – A manually uploaded certificate that must be renewed by the user.
Managed Certificate – A certificate automatically issued and renewed by the system (requires valid DNS validation records).

Choose the certificate method you are using:
If you use Check Point's Managed Certificate with CloudGuard WAF as a Service, your certificates will renew automatically. However, they won't renew if the DNS ownership CNAME value has been removed from the DNS records.
There are two possible scenarios:
1. The certificate is about to expire
The certificate is still valid, but renewal failed because the DNS ownership CNAME record was removed.
What To Do?
You need to add the DNS ownership CNAME record provided.
Log in to the Infinity Portal.
Open the WAF application from the application menu.
Navigate to the Profile page and choose the relevant SaaS Profile.
Choose the domain whose certificate you would like to replace.
Navigate to the Certificates & Domain Management section at the top of the menu.
Add the CNAME record's name and value in the DNS records management page of your DNS provider's portal.
Click Enforce.
2. The certificate has expired
The certificate has already expired. Adding the DNS record back will not trigger renewal. To issue a new managed certificate, the domain must be recreated.
What To Do?
Delete the affected domain from the WAF SaaS portal.
Click Enforce.
Recreate the domain.
Complete the regular onboarding flow, including adding the required DNS validation records in your DNS provider.
When using BYOC (your own uploaded certificate) with CloudGuard WAF as a Service, the WAF admin must manually replace certificates that are about to expire.
What To Do?
To change the certificate being used, follow these steps:
Log in to the Infinity Portal.
Open the WAF application from the application menu.
Navigate to the Profile page and choose the relevant SaaS Profile.
Choose the domain whose certificate you would like to replace.
Start by uploading the certificate: click Upload Certificate.
Continue by uploading the private key: click Upload Private Key.
Click Save.
Click Enforce.