Improve documentation for handling expiring PIV/CAC certificates (#534)

* Reference expiring certificate troubleshooting in oncall guide * Expiring PIV/CAC: Add suggestion to reference FPKI notifications * Expiring PIV/CAC: Add scenario with no replacements available * Fix typo * Allowlist FICAM and FPKI from spellcheck
GSA-TTS · Apr 12, 2024 · be788cf · be788cf
1 parent df84a4c
commit be788cf
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 8 deletions.
diff --git a/_articles/appdev-oncall-guide.md b/_articles/appdev-oncall-guide.md
@@ -92,14 +92,9 @@ end
 
 ![Screenshot of expiring PKI Slack alert]({{ site.baseurl }}/images/slack-pki-cert-alert.jpg)
 
-If you see a Slack alert like this, it means that a cert used to verify PIV/CAC cards will expire in 30 days. Check the
-[Federal Public Key Infrastructure Guides Certificate Authorities](https://fpki.idmanagement.gov/ca/) list for info
-on the the most up to date certs.
-
-Related articles:
-  - [Common OpenSSL command line recipes]({% link _articles/openssl-recipes.md %})
-  - [PIV/CAC Debugging guide]({% link _articles/troubleshooting-pivcacs.md %})
+If you see a Slack alert like this, it means that a certificate used to verify PIV/CAC cards will expire within 30 days.
 
+Refer to [Troubleshooting expiring PIV/CAC certs]({% link _articles/troubleshooting-expiring-pivcac.md %}) for guidance on replacing an expiring certificate.
 
 ## Response Times
 

diff --git a/_articles/troubleshooting-expiring-pivcac.md b/_articles/troubleshooting-expiring-pivcac.md
@@ -109,6 +109,32 @@ Finally, read in the certificates from the bundle and look for a replacement:
 openssl pkcs7 -inform DER -in tmp/bundle.p7c -print_certs -text
 ```
 
+## Using FPKI Notifications to prepare for a scheduled replacement
+
+If you aren't able to find a replacement certificate using the options described above, it may not
+be issued yet. GSA's FICAM program publishes [notifications for Federal PKI ecosystem changes](https://www.idmanagement.gov/fpki/notifications/#notifications),
+where you may find a notice describing whether to expect a replacement certificate to be issued
+before the scheduled expiration of the certificate.
+
+## Handling expiring certificates when no replacements exist
+
+If you've exhausted all of the options described above and there are no replacement certificates
+available up to and beyond the expiration of certificate, then it's quite possible that the
+certificate is expected to expire and not be replaced.
+
+In these scenarios, you should:
+
+1. Check logs for PKI activity issued by this certificate, to understand expected impact over the
+   course of a few weeks leading up to the expiration of the certificate.
+    ```
+    # Log group: prod_/srv/pki-rails/shared/log/production.log
+    filter issuer like /CN=[CN of expiring certificate]/
+    ```
+2. Remove the certificate from [`identity-pki`](https://github.com/18f/identity-pki) if there is
+   no replacement, the certificate has expired, and there is no activity reported in the logs above
+   which would indicate that end-users would be impacted by the expiration and removal of the
+   certificate.
+
 ## Using CloudWatch to find issuers and service providers
 
 CloudWatch may be used to find certificate-related errors by issuer and service provider.

diff --git a/cspell.json b/cspell.json
@@ -50,7 +50,9 @@
     "wargames",
     "wireframe",
     "wireframes",
-    "yubikey"
+    "yubikey",
+    "FICAM",
+    "FPKI"
   ],
   "patterns": [
     {