Skip to main content

Certificate expiration banner

If a certificate in your environment is about to expire, a banner about this upcoming expiration will appear. Only operators with permissions to change the certificate will see this banner.


Generally, when this banner appears, action by you is required.

banner on top of page about a certificate that expired.

The notification appears in two variations:

  1. A SAML certificate for ... (see image above) to indicate that a SAML certificate will expire. SAML is used for Single sign-on (SSO).

  2. An SSL certificate for ... to indicate that any (non-SAML) certificate located in the TOPdesk truststore will expire. The TOPdesk truststore basically contains all certificates uploaded to your TOPdesk environment that are needed to set up secure connections.

A few general remarks about the certificate expiration banner:

  • The warning can be clicked away, but shows up again when you log in again.

  • A separate banner appears for every certificate that is about to expire.

  • The warning is not shown anymore if the relevant certificate is deleted from the truststore, or if a new valid certificate for the same domain is uploaded. However, as TOPdesk only checks the validity of certificates every few hours, you might still see the banner appear in the first hours after a certificate was replaced.

  • If multiple certificates for the same domain are present in the truststore, only the one with the most recent expiration date is taken into account.

Next, we dive deeper into the specifics of the two variations of the certificate expiration banner.

SAML certificate expiration

If a SAML certificate will expire in one month or less, all Operators with permission to edit the SAML configuration(s) will see this banner.

Replacing the certificate in time is important, because logging in with SAML will no longer work properly if the certificate has expired.

After you replaced the certificates in the SAML configuration, you will need to update the TOPdesk metadata on your Identity Provider. By making sure the metadata in both TOPdesk and the Identity Provider is updated, both parties will still be able to communicate with each other.

Other expiring certificates

If any (non-SAML) certificate will expire in one month or less, up until a week after it has expired but hasn't been replaced, a banner is shown to all Operators with permissions to uploade certificates on the Certificates settings page.

There are various TOPdesk functionalities that use the certificates for which the banner might appear:

  • Outgoing emails

  • Mail import

  • Customized imports

  • Login settings

  • Action Management settings

  • Exchange Calendar

Obtaining a certificate

In most cases, the best first step is to contact the manager of the server that's used for the connection, such as the mail server.

For more help on retrieving certificates, see knowledge items KI 5840 (mail server certificate) and KI 5040 (certificate for SSL/TLS services) on My TOPdesk. You find these knowledge items, plus more related content, in KI 12266.

If multiple functionalities use the same certificate, you only need to upload the certificate once.

TOPdesk expects a public certificate in the CER, CRT or CERT format.

Removing (inactive) certificates

It might occur that you stopped using a certain functionality and the banner appears for an 'inactive' certificate. In that case, it's good to clean up the list of certificates in the Certificates settings.

We advise to first check if the certificate is used by a different functionality as well. If so, you cannot remove the certificate unless that other functionality is also inactive.

After you have removed the certificate, you can also clean up the inactive functionality.