
What happens when your SSL / TLS certificate expires

Last updated September 13th, 2018 by Damien Jordan in Monitoring

SSL / TLS certificate expired

We live busy lives and, as a result, we all forget to get some tasks done on time. Some things should not be delayed, though, and a good example of this is renewing your SSL / TLS certificates. An SSL certificate allows a person, a computer or an organization to exchange information in a secure way. This information is usually sensitive: login credentials, bank details, credit card information, etc. SSL certificates, unlike other services that are automatically renewed until canceled, have a set expiration date. The consequences of having your certificate expire could severely harm your business and image.

Why do SSL / TLS certificates expire?

You might think that SSL certificate renewal is just a mechanism for the Certificate Authority to make more money. That is not the case. In fact, certificate expiration is really important to the security guarantees of SSL. SSL would be useless without it.

Certificate validity exists because one of the main features of SSL is server authentication. This is the feature that allows you (the client’s web browser) to know the identity of the server you are trying to connect to. Without such authentication, you would not know whether you are reaching the authentic website or someone who is spoofing that site. You might think that this is uncommon and hard to do, but you’d be very wrong. It is extremely easy without the protection of SSL.

What will happen if my SSL / TLS certificate expires?

The first thing your visitors will see when they open your website after your certificate has expired is a browser message saying that your site is not secure. The website is marked as insecure, and the browser will not open it unless the user takes further action.

Connection is not private

You would not want that happening to your website, would you? You might also think that big companies and organizations like LinkedIn, Cisco, The White House, Pokémon Go, The UK Conservative Party etc. would not let their SSL certificates expire. Well, you would be wrong: they all had SSL certificate issues in the past year. They are all very big names, but when a browser indicates that a site is untrusted, the traffic will most likely drop significantly.

LinkedIn had a few country subdomains whose certificates expired, and as a result, quite a large number of users were greeted by security warnings in their browsers. Since this is a large and well-known website, a lot of the users (but not all) simply ignored the warning. However, if this had been a different, far less famous website, most of the users would have left the page.

As for Pokémon Go’s case, back in January 2018 they were having a lot of bugs alongside other problems. And on top of that, their SSL certificate expired. The issue lasted for no more than half an hour, but it did not go unnoticed.

In Cisco’s case, dating from just about a month ago, Cisco let an SSL certificate expire in their VPN kit and broke network provisioning brokers. As Cisco’s field notice explained this month, that broke APIC-EM PKI brokers, which meant that no more trustpoints could be provisioned. This prevented the addition of branch offices and other hubs, and no more device certificates could be generated.

How to avoid the SSL / TLS certificate expiration?

First of all, whichever CA or SSL service you got your certificates from, you will be notified at regular intervals starting at 90 days out. Best practice is to renew the certificate when the first notification arrives.

WebSitePulse.com provides a monitoring type called SSL/TLS Certificate Validation. This service downloads the certificate from your server and tests its configuration, expiration, and validity. OCSP (Online Certificate Status Protocol) and CRL (Certificate Revocation List) verifications are also performed. That way you will never have to worry about forgetting to renew your SSL / TLS certificate. Try out this service by creating a 30-day Free Trial account with us where you can test this and all our other services for free for a month!

Use your CA’s certificate management portal. Most CAs offer a management interface where you can see all the certificates you’ve ordered and check when they expire. You can also always set reminders for each of the certificates in your calendar, just as an additional precaution.
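
The expiration part of such a check can also be scripted. The following Python sketch is an added example, not WebSitePulse's code: it classifies a certificate's notAfter date against the 90-day notification point mentioned above and handles the case where the certificate has already expired. The function names are assumptions, and it performs no OCSP or CRL verification.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

RENEW_WINDOW_DAYS = 90            # first CA notification point mentioned in the article
X509_V_ERR_CERT_HAS_EXPIRED = 10  # OpenSSL verify code: a certificate in the chain has expired


def days_remaining(not_after: str, now: datetime) -> int:
    """Whole days from `now` to a notAfter string in getpeercert() format."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days


def classify(not_after: str, now: datetime, window: int = RENEW_WINDOW_DAYS) -> str:
    """Return EXPIRED, RENEW (inside the renewal window) or OK."""
    left = days_remaining(not_after, now)
    if left < 0:
        return "EXPIRED"
    return "RENEW" if left <= window else "OK"


def check_host(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Handshake with full verification and classify the server certificate."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as err:
        # An expired certificate fails the handshake, so notAfter is never read;
        # the monitor has to recognise this case instead of crashing on it.
        if err.verify_code == X509_V_ERR_CERT_HAS_EXPIRED:
            return "EXPIRED"
        raise  # untrusted issuer, hostname mismatch etc. are separate problems
    return classify(not_after, datetime.now(timezone.utc))


if __name__ == "__main__":
    # Usage: python check_expiry.py <hostname> [<hostname> ...]
    for name in sys.argv[1:]:
        print(name, check_host(name))
```

Run it from a scheduler against each hostname you serve, including country or regional subdomains, and alert on anything other than OK.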

What if your SSL certificate expires?

It happens to everyone, as we already mentioned above (Cisco, LinkedIn, etc.). Don’t panic, and try to minimize the time your users are presented with that awful security risk message. Get the certificate renewed as fast as you can and make sure that this does not happen again. Use the tips we talked about above and you should not face this kind of problem ever again.

Want to check if your SSL / TLS certificate is valid right away? Use this free SSL / TLS certificate checker.
