Notifications
The Serverless CA module provides SNS notifications for different events. You can directly subscribe to the CA Notifications SNS Topic to receive email notifications.
You can also add your own infrastructure to that provided by the module, and deliver customised messaging to your CA administrators and users, for example:
Notification types
| Event | GitOps | Lambda Invocation |
|---|---|---|
| Certificate Expired | ✅ | - |
| Certificate Expiry Warning | ✅ | - |
| Certificate Issued | ✅ | - |
| Certificate Request Rejected | ✅ | ✅ |
| Certificate Revoked | ✅ | ✅ |
Certificate Expired
A SNS notification is published when a GitOps certificate expires, if a replacement certificate with a matching subject Distinguished Name hasn't been issued:
Certificate Expired notifications can be disabled by setting Terraform variable expiry_reminders to an empty list. This will prevent deployment of the Expiry Lambda function, and also disable Certificate expiry warnings.
Certificate Expired notification - example JSON:
{
"CertificateInfo": {
"CommonName": "test-expiry.example.com",
"SerialNumber": "430630438465918376136249210634111108993623737029",
"Issued": "2026-03-01 20:28:22",
"Expires": "2026-03-02 20:33:22"
},
"Base64Certificate": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM2VENDQW8rZ0F3SUJBZ0lVUzI0aS8wV2p0NGhvdXVSMVJhRGV2b1l6UXNVd0NnWUlLb1pJemowRUF3SXcKYWpFWk1CY0dBMVVFQXd3UVEyeHZkV1FnU1hOemRXbHVaeUJEUVRFTE1Ba0dBMVVFQmhNQ1IwSXhEekFOQmdOVgpCQWNNQmt4dmJtUnZiakVSTUE4R0ExVUVDZ3dJUTJ4dmRXUWdRMEV4SERBYUJnTlZCQXNNRTFObFkzVnlhWFI1CklFOXdaWEpoZEdsdmJuTXdIaGNOTWpVeE1UTXdNVFUwTVRRNVdoY05Nall4TVRNd01UVTBOalE1V2pDQmdERVgKTUJVR0ExVUVBd3dPUTJ4dmRXUWdSVzVuYVc1bFpYSXhDekFKQmdOVkJBWVRBa2RDTVE4d0RRWURWUVFIREFaTQpiMjVrYjI0eEZ6QVZCZ05WQkFvTURsTmxjblpsY214bGMzTWdTVzVqTVJ3d0dnWURWUVFMREJOVFpXTjFjbWwwCmVTQlBjR1Z5WVhScGIyNXpNUkF3RGdZRFZRUUlEQWRGYm1kc1lXNWtNRmt3RXdZSEtvWkl6ajBDQVFZSUtvWkkKemowREFRY0RRZ0FFUGNTK0ZPbnN2WFduWnQxWmNLQnRXdHlla0dVUGhlbWVYMkhmQ0RlclNGZGhNRFQxSEVmeApPQWtnckNiUFhORitxTC9zT1hMd3FTR3FrZzFicFF0dVVLT0IrekNCK0RBT0JnTlZIUThCQWY4RUJBTUNCYUF3CkV3WURWUjBsQkF3d0NnWUlLd1lCQlFVSEF3SXdFd1lEVlIwZ0JBd3dDakFJQmdabmdRd0JBZ0V3SFFZRFZSME8KQkJZRUZFdm50YkJnOGMxcSs4elZyaTR4VXVPMkZONjlNRWdHQTFVZEh3UkJNRDh3UGFBN29EbUdOMmgwZEhBNgpMeTlqWlhKMGN5NWpiRzkxWkMxallTNWpiMjB2YzJWeWRtVnliR1Z6Y3kxcGMzTjFhVzVuTFdOaExXUmxkaTVqCmNtd3dVd1lJS3dZQkJRVUhBUUVFUnpCRk1FTUdDQ3NHQVFVRkJ6QUNoamRvZEhSd09pOHZZMlZ5ZEhNdVkyeHYKZFdRdFkyRXVZMjl0TDNObGNuWmxjbXhsYzNNdGFYTnpkV2x1WnkxallTMWtaWFl1WTNKME1Bb0dDQ3FHU000OQpCQU1DQTBnQU1FVUNJUURsR0tjVVNjSkRLek54MDlyQjZBM3cvRnNDVlc0NmpwOE56VWtXVU9RNnFnSWdDV05WCkVMaDBHQzVtQ3NHNWdOMkw5UEVHbllTRi8xVEh1Vkd5QmRaS3ZEZz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=",
"Subject": "CN=test-expiry.example.com",
"DaysRemaining": 0
}
Certificate Expiry Warning
SNS notifications are published for GitOps issued certificate expiry according to the schedule in days set by the Terraform variable:
expiry_reminders = [30, 15, 7, 1]
Certificate expiry warnings can be disabled by setting Terraform variable expiry_reminders to an empty list. This will also disable Certificate Expired notifications.
Expiry checks are performed by a dedicated Expiry Lambda function, only deployed when expiry_reminders is not empty, and cert_info_files contains tls.
Certificate Expiry warning - example JSON:
{
"CertificateInfo": {
"CommonName": "pipeline-test-expiry-reminder",
"SerialNumber": "430630438465918376136249210634111108993623737029",
"Issued": "2026-03-01 20:28:22",
"Expires": "2026-03-03 20:33:22"
},
"Base64Certificate": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM2VENDQW8rZ0F3SUJBZ0lVUzI0aS8wV2p0NGhvdXVSMVJhRGV2b1l6UXNVd0NnWUlLb1pJemowRUF3SXcKYWpFWk1CY0dBMVVFQXd3UVEyeHZkV1FnU1hOemRXbHVaeUJEUVRFTE1Ba0dBMVVFQmhNQ1IwSXhEekFOQmdOVgpCQWNNQmt4dmJtUnZiakVSTUE4R0ExVUVDZ3dJUTJ4dmRXUWdRMEV4SERBYUJnTlZCQXNNRTFObFkzVnlhWFI1CklFOXdaWEpoZEdsdmJuTXdIaGNOTWpVeE1UTXdNVFUwTVRRNVdoY05Nall4TVRNd01UVTBOalE1V2pDQmdERVgKTUJVR0ExVUVBd3dPUTJ4dmRXUWdSVzVuYVc1bFpYSXhDekFKQmdOVkJBWVRBa2RDTVE4d0RRWURWUVFIREFaTQpiMjVrYjI0eEZ6QVZCZ05WQkFvTURsTmxjblpsY214bGMzTWdTVzVqTVJ3d0dnWURWUVFMREJOVFpXTjFjbWwwCmVTQlBjR1Z5WVhScGIyNXpNUkF3RGdZRFZRUUlEQWRGYm1kc1lXNWtNRmt3RXdZSEtvWkl6ajBDQVFZSUtvWkkKemowREFRY0RRZ0FFUGNTK0ZPbnN2WFduWnQxWmNLQnRXdHlla0dVUGhlbWVYMkhmQ0RlclNGZGhNRFQxSEVmeApPQWtnckNiUFhORitxTC9zT1hMd3FTR3FrZzFicFF0dVVLT0IrekNCK0RBT0JnTlZIUThCQWY4RUJBTUNCYUF3CkV3WURWUjBsQkF3d0NnWUlLd1lCQlFVSEF3SXdFd1lEVlIwZ0JBd3dDakFJQmdabmdRd0JBZ0V3SFFZRFZSME8KQkJZRUZFdm50YkJnOGMxcSs4elZyaTR4VXVPMkZONjlNRWdHQTFVZEh3UkJNRDh3UGFBN29EbUdOMmgwZEhBNgpMeTlqWlhKMGN5NWpiRzkxWkMxallTNWpiMjB2YzJWeWRtVnliR1Z6Y3kxcGMzTjFhVzVuTFdOaExXUmxkaTVqCmNtd3dVd1lJS3dZQkJRVUhBUUVFUnpCRk1FTUdDQ3NHQVFVRkJ6QUNoamRvZEhSd09pOHZZMlZ5ZEhNdVkyeHYKZFdRdFkyRXVZMjl0TDNObGNuWmxjbXhsYzNNdGFYTnpkV2x1WnkxallTMWtaWFl1WTNKME1Bb0dDQ3FHU000OQpCQU1DQTBnQU1FVUNJUURsR0tjVVNjSkRLek54MDlyQjZBM3cvRnNDVlc0NmpwOE56VWtXVU9RNnFnSWdDV05WCkVMaDBHQzVtQ3NHNWdOMkw5UEVHbllTRi8xVEh1Vkd5QmRaS3ZEZz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=",
"Subject": "CN=pipeline-test-expiry-reminder",
"DaysRemaining": 1
}
Issuing a new certificate, with subject distinguished name matching the old one, will clear expiry reminders for that certificate common name.
Certificate Issued notification
When a certificate is issued via the GitOps process, a notification is published to the CA Notifications SNS Topic:
Certificate Issued notification - example JSON:
{
"CertificateInfo": {
"CommonName": "pipeline-test-csr-s3-upload",
"SerialNumber": "725732270238932467356021650679497159468001185756",
"Issued": "2026-02-08 08:11:41",
"Expires": "2026-02-09 08:16:41"
},
"Base64Certificate": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNZRENDQWdlZ0F3SUJBZ0lVZng3MTQ3QXc5bnVUR2FwOGJtclZtc0Jxejl3d0NnWUlLb1pJemowRUF3SXcKY1RFZU1Cd0dBMVVFQXd3VlUyVnlkbVZ5YkdWemN5QkpjM04xYVc1bklFTkJNUXN3Q1FZRFZRUUdFd0pIUWpFUApNQTBHQTFVRUJ3d0dURzl1Wkc5dU1STXdFUVlEVlFRS0RBcFRaWEoyWlhKc1pYTnpNUXN3Q1FZRFZRUUxEQUpKClZERVBNQTBHQTFVRUNBd0dURzl1Wkc5dU1CNFhEVEkyTURJd09EQTRNVEUwTVZvWERUSTJNREl3T1RBNE1UWTAKTVZvd2daSXhKREFpQmdOVkJBTU1HM0JwY0dWc2FXNWxMWFJsYzNRdFkzTnlMWE16TFhWd2JHOWhaREVMTUFrRwpBMVVFQmhNQ1ZWTXhIakFjQmdOVkJBY01GVTkyWlhKeWFXUmxJRU5UVWlCTWIyTmhkR2x2YmpFWk1CY0dBMVVFCkNnd1FUM1psY25KcFpHVWdRMU5TSUU5eVp6RVBNQTBHQTFVRUN3d0dSR1YyVDNCek1SRXdEd1lEVlFRSURBaE8KWlhjZ1dXOXlhekJaTUJNR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEEwSUFCTDRFWk44QmZHRHBPZjlmTis5QgpENUFhZGxXSXRyT3dUMVZKRHp0UitCRksrSTk0WjZjZGFLUnBudVdQVTdiYWRGcHJaQ3B2T09OMVNtZGFKSWRnCkRRbWpXekJaTUE0R0ExVWREd0VCL3dRRUF3SUZvREFUQmdOVkhTVUVEREFLQmdnckJnRUZCUWNEQWpBVEJnTlYKSFNBRUREQUtNQWdHQm1lQkRBRUNBVEFkQmdOVkhRNEVGZ1FVamcwM1lZRkxSTVpzS042bjdVMGxKbUVPQnpNdwpDZ1lJS29aSXpqMEVBd0lEUndBd1JBSWdUQTVqcVhuTm9IOWZpN1NIanVteW5FdmsyY1lUVW4yWmtDcUJoRlpiCklPUUNJRUpKR21HUHhFcTR1M3UxQ1l0bjhZRjBHT0tQOWpCbWxjWWE1cUdLeXMvRAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==",
"Subject": "ST=New York,OU=DevOps,O=Override CSR Org,L=Override CSR Location,C=US,CN=pipeline-test-csr-s3-upload"
}
Certificate Request Rejected notification
Certificate request rejections result in a SNS Notification. Possible reasons for rejection include:
- CSR must include a Common Name
- Lifetime must be at least 1 day
- Private key has already been used for a certificate
Certificate Request Rejected notification - example JSON:
{
"CSRInfo": {
"CommonName": "test-client-cert",
"Lifetime": 1,
"Purposes": [
"client_auth"
],
"SANs": []
},
"Base64CSR": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQlBqQ0I1QUlCQURDQmdURVlNQllHQTFVRUF3d1BRMnh2ZFdRZ1FYSmphR2wwWldOME1Rc3dDUVlEVlFRRwpFd0pIUWpFUE1BMEdBMVVFQnd3R1RHOXVaRzl1TVJjd0ZRWURWUVFLREE1VFpYSjJaWEpzWlhOeklFbHVZekVjCk1Cb0dBMVVFQ3d3VFUyVmpkWEpwZEhrZ1QzQmxjbUYwYVc5dWN6RVFNQTRHQTFVRUNBd0hSVzVuYkdGdVpEQloKTUJNR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEEwSUFCUDNhaU1CVzV5Z0haYmZzbGJvYU0zMDE3b1lKdmI5UApTYzVLVWlZSVMwVFJBcmFNWEZOODVBMVRRRCswMmZyTnR1YnVENTIvNjhwMjBCTnd1Ris5VStDZ0FEQUtCZ2dxCmhrak9QUVFEQWdOSkFEQkdBaUVBOVQ3SGVkaUlpZFlZL2ZnaVNvZHU1bDNQNS9YNGc3MHRhdlQ0SWJPWjBrd0MKSVFEMw5sUTE2SlN5WEtLVmpiSlFLREhGQXhySEE0d3BKQWFjbmV3T0dkV1FqQT09Ci0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=",
"Subject": "ST=England,OU=Security Operations,O=Serverless Inc,L=London,C=GB,CN=Cloud Architect",
"Reason": "Private key has already been used for a certificate"
}
Certificate Revoked notification
A SNS notification is published when a certificate is revoked:
Certificate Revoked notification - example JSON:
{
"CommonName": "pipeline-test-csr-s3-upload",
"SerialNumber": "253508645453578743400361452260705386159413554723",
"Revoked": "2026-02-03 21:34:04.753865",
"Subject": "ST=New York,OU=DevOps,O=Override CSR Org,L=Override CSR Location,C=US,CN=pipeline-test-csr-s3-upload"
}
Cross-account subscription to SNS Topic
To subscribe a Lambda function or other service in a separate account to the CA SNS Topic, set Terraform variables:
sns_policy_template = "cross-account"
workload_account_id = "012345678901"