What is certificate expiration?
Like other identity mechanisms such as a passport or a driver's licence,
a certificate has a fixed lifetime. The certificate includes two date fields,
indicate the certificate's start date and expiration date. These fields
are given the names not before and not after
respectively. Once a certificate's not after date has passed,
the certificate has expired and is no longer valid.
What problems can result from certificate expiration?
Certificate expiration is a normal occurrence, and if a
certificate is renewed before expiration there
will be no problems. However, if someone forgets to renew a certificate
it can have serious consequences, such as:
- A website has a big scary message pop up, and that will decrease
conversion rates at the online shop by 50+%, costing thousands
or tens of thousands of lost sales before it is fixed.
- The person who forgot to renew the certificate doesn't get
their bonus or worse.
- Financial penalties because of failure to meet the SLA on a critical
- Many man hours lost before an expired certificate is identified as the
cause of a mission critical service suddenly stopping.
- Reputational damage
These are just a few of the issues that can result from an expired certificate.
Suffice it to say, allowing a certificate to expire is something you want
to avoid at all costs.
What can I do to reduce the risk of an unexpected certificate expiry?
There are a number of measures you can take to reduce the risk of
being caught out by a certificate expiration. These include:
- Create an inventory of your deployed certificates.
try to do this using a manual process and a spreadsheet. However,
this is typically error prone and resource intensive. A better alternative
is to use a tool such as CertAlert to help obtain an accurate
inventory of the certificates you have deployed. Another useful tool
is Red Kestrel CertCentre that provides a centralised view
of all your certificates and allows you to annotate certificates
with additional information such as the administrator contact details
and system idiosyncrasies to be aware of.
- Actively monitor your certificates.
Use a tool like Red Kestrel CertAlert to
monitor your certificates and to send out alerts to the appropriate
parties when a certificate is approaching expiry.
- Set up a certificate operations role. This role is
certificates have been renewed and chasing up system administrators
and departments that have not renewed a certificate that is
approaching expiry. Set up a role based email
e.g., "[email protected]" and ensure this maps to
the person who is currently responsible for making sure that
certificates are renewed. This person should use a tool like CertCentre to keep
track of what certificates are deployed and which ones are approaching