
Certificate Management

Certificate management, and the lifecycle management of certificates in particular, is becoming an increasingly prominent piece of work for most businesses. Unlike services that renew automatically until cancelled, TLS (SSL) certificates have a fixed expiry date. With the maximum validity of a publicly trusted TLS server certificate now 398 days, or about 13 months, the renewal process needs to be fine-tuned to ensure there are no lapses in validity. The image below will look familiar: it is what browsers show visitors of a website whose certificate has expired, and it is enough to scare your customers away.

Expired certificates regularly impact business operations and no one is immune: Microsoft, LinkedIn, Shopify, Spotify and even SpaceX's Starlink have all suffered outages as a result of expired certificates. Below are some of the damaging effects that an expired certificate can have on a business:

  • Warning pages displayed by browsers when visiting the site
  • Reduction in trust as the site is presented as insecure
  • Decline in sales and revenue as shopping basket abandonment increases
  • Corporate brand and reputation adversely affected, putting the business at risk
  • Users who click through the warning lose the protection against man-in-the-middle attacks that a valid certificate provides, putting their personal information at risk
  • Customers and site visitors become more susceptible to fraud and identity theft

Look through the pointers below and see what you can do to avoid outages in what should be a pain-free process of certificate management.

  • Proactive Management – This can come in many flavours; typically, external endpoints are monitored and reported on as their certificates near expiration. If you have a range of certificates across your network, a monthly review with key stakeholders of the certificates expiring in the coming months will prevent any gotchas.
  • Procurement Processes – Ensure that all new certificates are procured through a single managed process. When shadow IT takes over, you will find certificates from various CAs dotted about your network, none of them in your inventory.
  • Certificate Transparency Monitoring – Cloudflare offers this (in public beta at the time of writing) across its subscription tiers: whenever a certificate for one of your domains is issued by any CA and logged to the public CT logs, you receive an email. An alert on every new issuance is the quickest way to spot certificates obtained outside the procurement process.
  • Wildcard Certificates – If your processes are nailed down, a wildcard is not a problem. In practice, though, your operations team has other pressures, and it only takes one person installing the wildcard certificate (and its private key) on another system without documenting it for that system to be missed at renewal time; a shared wildcard key also means that one compromised host exposes every host using it. Instead, list the hosts you need as subject alternative names (SANs) on the certificate you order for domain.co.uk, e.g. www.domain.co.uk, dev.domain.co.uk and preprod.domain.co.uk.
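The proactive monitoring and the SAN listing described above, as a small check script. This is an added example and not code from the original post or from the author's service; the host names, the 30-day alert threshold and the sample certificate dict are all assumptions constructed to match the shape that Python's `SSLSocket.getpeercert()` returns, so the expiry and SAN logic runs offline while `check_endpoint()` does the live connection.

```python
"""Expiry and SAN check for the certificate an external endpoint presents.

Added example (not from the original post). Host names, the 30-day
threshold and SAMPLE_CERT are assumptions; SAMPLE_CERT is constructed in
the shape returned by ssl.SSLSocket.getpeercert().
"""
import socket
import ssl
import sys
from datetime import datetime, timezone

WARN_DAYS = 30  # assumed alerting threshold; tune to your renewal lead time

# Constructed sample certificate, in the dict form getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "domain.co.uk"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Dec 01 12:00:00 2024 GMT",
    "notAfter": "Mar 01 12:00:00 2025 GMT",
    "subjectAltName": (
        ("DNS", "domain.co.uk"),
        ("DNS", "www.domain.co.uk"),
        ("DNS", "dev.domain.co.uk"),
        ("DNS", "preprod.domain.co.uk"),
    ),
}


def days_until_expiry(cert, now=None):
    """Days until notAfter (negative once expired).

    `now` may be None (current UTC time), an aware datetime, or an ISO 8601
    string, so a run can be replayed at a fixed instant.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    expires = datetime.fromtimestamp(not_after, tz=timezone.utc)
    return (expires - now).total_seconds() / 86400


def san_names(cert):
    """DNS names the certificate covers: the SANs the post recommends listing."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def classify(cert, now=None, warn_days=WARN_DAYS):
    """OK / EXPIRING / EXPIRED relative to the warning threshold."""
    days = days_until_expiry(cert, now)
    if days < 0:
        return "EXPIRED"
    if days < warn_days:
        return "EXPIRING"
    return "OK"


def check_endpoint(host, port=443, timeout=5.0, now=None):
    """Connect with full verification and classify the presented certificate.

    Caveat: with a default (verifying) context an already-expired certificate
    fails the handshake before getpeercert() can be read, so the verification
    error is reported as the alert rather than swallowed.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:  # expired, wrong name, untrusted CA
        return {"host": host, "status": "INVALID", "detail": exc.verify_message}
    except (OSError, ssl.SSLError) as exc:  # DNS, timeout, refused, protocol errors
        return {"host": host, "status": "UNREACHABLE", "detail": str(exc)}
    return {
        "host": host,
        "status": classify(cert, now),
        "days_left": round(days_until_expiry(cert, now), 1),
        "sans": san_names(cert),
    }


if __name__ == "__main__":
    # Usage: python cert_check.py www.domain.co.uk dev.domain.co.uk
    for endpoint in sys.argv[1:]:
        print(check_endpoint(endpoint))
```

Run it from cron against your list of external endpoints and page on anything that is not `OK`; the `sans` field doubles as a quick inventory of which host names each certificate actually covers, which is the list you need at renewal time.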

There is another conversation to be had here around how and where automation of the certificate renewal process can be introduced. Processes like certificate renewal are primed for automation (the ACME protocol used by Let's Encrypt and other CAs exists for exactly this), but the key points above still need to be followed: automation renews the certificates you know about, and only monitoring tells you about the ones you don't.
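To make the Certificate Transparency and procurement points above concrete, here is an added example (not code from the original post or from Cloudflare's service) that reconciles CT log results for a domain against an approved-CA list and a certificate inventory. The crt.sh query URL is real; the approved issuers, the inventory and the JSON entries are constructed assumptions in the shape crt.sh returns.

```python
"""Triage Certificate Transparency results against a certificate inventory.

Added example, not from the original post. CRTSH_URL is the real crt.sh JSON
endpoint; APPROVED_ISSUERS, INVENTORY and SAMPLE_CT_JSON are constructed.
"""
import json
import urllib.request

CRTSH_URL = "https://crt.sh/?q=%25.{domain}&output=json"

# Assumed: issuer DN substrings of the CAs your procurement process allows.
APPROVED_ISSUERS = ["O=Example Approved CA"]

# Assumed: the host names your certificate register says you own certificates for.
INVENTORY = {"domain.co.uk", "www.domain.co.uk", "dev.domain.co.uk", "preprod.domain.co.uk"}

# Constructed sample in the field layout crt.sh returns (subset of fields).
# Entries 102 and 103 are the precertificate and final certificate of one issuance.
SAMPLE_CT_JSON = """[
  {"id": 101, "issuer_name": "C=GB, O=Example Approved CA, CN=Example DV R1",
   "common_name": "www.domain.co.uk", "name_value": "domain.co.uk\\nwww.domain.co.uk",
   "serial_number": "0a01", "not_before": "2025-01-10T09:00:00", "not_after": "2025-04-10T09:00:00"},
  {"id": 102, "issuer_name": "C=GB, O=Unmanaged CA Ltd, CN=Unmanaged DV CA",
   "common_name": "staging.domain.co.uk", "name_value": "staging.domain.co.uk",
   "serial_number": "0b02", "not_before": "2025-01-12T09:00:00", "not_after": "2025-04-12T09:00:00"},
  {"id": 103, "issuer_name": "C=GB, O=Unmanaged CA Ltd, CN=Unmanaged DV CA",
   "common_name": "staging.domain.co.uk", "name_value": "staging.domain.co.uk",
   "serial_number": "0b02", "not_before": "2025-01-12T09:00:00", "not_after": "2025-04-12T09:00:00"},
  {"id": 104, "issuer_name": "C=GB, O=Example Approved CA, CN=Example DV R1",
   "common_name": "*.domain.co.uk", "name_value": "*.domain.co.uk\\ndomain.co.uk",
   "serial_number": "0c03", "not_before": "2025-01-15T09:00:00", "not_after": "2025-04-15T09:00:00"}
]"""


def load_entries(text):
    """Parse a crt.sh JSON response body into a list of entry dicts."""
    return json.loads(text)


def fetch_ct_entries(domain, timeout=20):
    """Live query of crt.sh for every logged certificate under `domain` (network)."""
    req = urllib.request.Request(CRTSH_URL.format(domain=domain),
                                 headers={"User-Agent": "cert-inventory-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return load_entries(resp.read().decode("utf-8"))


def dedupe(entries):
    """crt.sh lists a precertificate and its final certificate as separate rows;
    collapse them on (issuer, serial) so one issuance produces one finding."""
    seen, unique = set(), []
    for entry in entries:
        key = (entry["issuer_name"], entry["serial_number"])
        if key not in seen:
            seen.add(key)
            unique.append(entry)
    return unique


def triage(entries, approved_issuers, inventory):
    """Flag issuances from unapproved CAs or for names missing from the inventory."""
    findings = []
    for entry in dedupe(entries):
        names = set(entry["name_value"].splitlines())  # crt.sh joins SANs with newlines
        reasons = []
        if not any(approved in entry["issuer_name"] for approved in approved_issuers):
            reasons.append("issuer not in approved list")
        unknown = sorted(names - set(inventory))
        if unknown:
            reasons.append("names not in inventory: " + ", ".join(unknown))
        if reasons:
            findings.append({"id": entry["id"], "issuer": entry["issuer_name"],
                             "names": sorted(names), "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in
    # fetch_ct_entries("domain.co.uk") for a live reconciliation run.
    for finding in triage(load_entries(SAMPLE_CT_JSON), APPROVED_ISSUERS, INVENTORY):
        print(finding)
```

The second finding is the interesting one: a certificate from an approved CA can still be a problem when it covers a wildcard nobody recorded, which is exactly the undocumented-wildcard case from the previous list. Treat every finding as either an inventory update or an incident, never as noise.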

We offer web security and management services starting from £29 per month, which include monitoring of your external endpoints and the certificates presented on them.

If you would like to discuss certificate management further, please do reach out to us at [email protected] and we will be happy to assist.

Gary Curtis
