Skip to main content

Critical Faults Related to End Entity or Truststore Certificates (KBA10221)




KBA# 10221



Critical or warning faults may be registered by the Delphix Engine with titles:

The certificate for end-entity "HTTPS - Engine" expires on 2023/06/14 17:23:10 EST.

The certificate for end-entity "DSP - Engine" has expired.

The certificate for end-entity "HTTPS - Engine" has expired.

The truststore certificate "CN=<engine name> CA, O=Delphix, C=US", serial number #######, has expired.

These faults indicate the certificates used for the Delphix Session Protocol (DSP) or secure HTTP (HTTPS) are approaching expiration or have expired.


Applicable Delphix Versions

Click here to view the versions of the Delphix engine to which this article applies
Date Release
June 21, 2023
May 25, 2023
Apr 13, 2023 |
Mar 13, 2023 | Mar 20, 2023 |
Feb 13, 2023
Jan 12, 2023
Releases Prior to 2023
Major Release All Sub Releases





Delphix Certificates Explained

The Delphix Engine automatically generates self-signed certificate for DSP and HTTPS use; these certificates will be signed by a self-generated certificate authority (CA).  Typically these will be referenced as "self-signed" certificates. 

These can be replaced as needed with custom certificates, but in either case, the Engine will monitor for expiration of these certificates, and will generate faults accordingly.

Self-signed certificates may be valid for 4 years from date of Engine installation, or 397 days from date of Engine installation.  This will vary depending on the original Engine version installed.


DSP certificate are only used if Custom Authorizations are configured, which typically also use a signed replacement certificate.  Custom Authorizations enable the usage of Engine certificates in Environment communication, Engine Replication, or Network Performance Testing.

Note, these apply to Continuous Data Engines only; Continuous Compliance Engines do not leverage DSP.


HTTPS certificates are only used if the Engine has HTTP disabled, or if HTTPS connectivity is used in the Environment (indicated in browser address bar by https:// prepended to Engine address). These may also be self-signed, or using a signed replaced certificate.




Whether this fault is of concern ultimately depends on the use of the Engine, connectivity, and the security configuration.

  • If HTTPS is not in use, the expiration of an installed certificate can be marked Ignored, as it's not relevant to the current Engine access methods. There will be no difference in access.
  • If HTTPS is in use, the connection may be indicated as untrusted by the web browser used to access the Engine once certificate expires. However, access will not be blocked.




Administrators have several options available depending on the current Engine usage. It is at this time we also strongly recommend that the Delphix Administrator confer with their IT or Security teams to ensure compliance with any internal policies for trusted connections.

  • If certificates are actively used, they can be replaced.  Whether self-generated (self-signed) certificates are regenerated or new certificates are generated and signed by a trusted authority depends on infrastructure requirements. The details of these processes can be found in Product Documentation:

Regenerating Self-signed end-entity certificates -

Delphix provided key pair configuration (this option may not be viable if the CA certificate has expired) -

Customer provided key pair configuration


Replacement processes are fully customer-serviceable, and do not require Support intervention to complete.

  • If certificates are not actively used, the faults can be ignored. There will be no functional issue in doing this, and the certificates can still be replaced at a later date if so desired.
CA Certificates

One deviation does exist, in that the initial CA certificate generated by the Engine at installation currently can not be removed.  A new CA certificate can be installed as needed to establish chain of trust, but the initial CA certificate is currently blocked from removal. As a result, regardless of the resolution path selected, the fault related to the original self-generated CA certificate will have to be marked Ignored.

A self-generated CA certificate will include "Engine <engine name> CA" in the Issued By and Issued To fields when selected in the truststore.





Related Articles

The following articles may provide more information or related information to this article: