What Is an SSL Certificate Expiry?
The SSL certificate authenticates the identity of a website owner and establishes a secure and encrypted connection to the server for its visitors. It protects their security and privacy.
But SSL certificates are not valid forever. Like your driving license or passport, an SSL certificate also has an expiration date. Past the expiration date, the server’s identity is no longer trusted.
Why Do Website Security Certificates Expire?
SSL certificates expire to ensure they reflect up-to-date information and use the latest security standards.
Assume a scenario where your passport, driving license, or government identity card never expires. However, your data in those important documents like your photo and addresses will change over time. In that case, they won’t reflect your real identity.
A similar principle applies to SSL certificates. They expire because the information you used to create the SSL certificate is no longer accurate and needs to be updated. For example, a domain owner to whom the certificate was initially issued might have changed, the organization’s rights to use the website’s domain could have changed, or the organization might no longer exist.
What Happens if an SSL Certificate Expires?
SSL certificate expiry can have many consequences. After the certificate expires, users will see an error message in the browser, indicating that the certificate has expired and the domain is not secure to access. Here are a few examples of such warning messages:
[Screenshots: expired-certificate warning in Chrome and in Firefox]
Although users do have the option to move forward and access the website despite the warning, client-server communication will not be encrypted. Therefore, both your website and users could become susceptible to cyber-attacks and viruses. This could leave users feeling unsafe and unsure about using your services, thus negatively impacting user trust.
At the same time, some systems might not even accept expired SSL certificates, so they’ll show an error. If they are unable to authenticate the server’s identity, they won’t be able to trust that the domain is safe from security vulnerabilities.
Also, if an expired certificate goes unnoticed, the resulting outage can make websites unavailable to thousands or even millions of users worldwide, causing severe impacts on businesses.
Regardless of the scenario, security warnings that users see when they try to access your services block them from using your services, significantly reducing your user traffic and, consequently, sales. Thus it is vital to renew your SSL certificate on time.
How Long Do Website Security Certificates Last?
Before 2015, an SSL certificate, once issued, would be valid for five years. Later, the validity period was reduced to three years, and soon after that, it was reduced again to two years.
From September 2020 onwards, SSL certificates have a validity period of only 397 days or 13 months. However, the validity period can differ based on the type of certificate. Generally, a website’s security certificate lasts for about one year from the date of its issuance, so it needs to be renewed once a year. But at the same time, how often you need to renew them depends on the security requirement for your website and the security features of the SSL certificate. Either way, it’s the website owner’s responsibility to renew it before its expiration.
Can You Use an Expired Certificate?
You can continue using an expired SSL certificate. However, there are many security risks to using an expired SSL certificate.
The most severe risk is that your website won’t be up to date with the latest security standards. When you use an expired certificate, the web browser also flags you as a less secure website.
Most importantly, your service consumer won’t be able to verify transaction security. An SSL certificate is vital to maintaining trust between your website and your clients. Using an expired certificate makes clients vulnerable to cyber attacks, which can break their trust. Therefore, it is not recommended to use an expired certificate. A website would not last long with an expired one.
How to Check the SSL Certificate Expiration Date?
Checking the SSL certificate expiration date is an easy process that you can do mainly in two ways.
Using 3-Step Manual Certificate Expiry Check
Note: The following steps use Google Chrome UI for screenshots. However, this process is similar for browsers like Firefox or Edge.
Let’s say you want to check the expiration date of a domain using your browser.
1. Click on the padlock icon on the leftmost corner of the address bar. It will pop out an information panel about website security.
2. Click on the "Connection is secure" label, then click on the "Certificate is valid" label.
3. In the General tab, locate the Valid from…to… property to see the validity period of the certificate.
Using an Automated SSL Monitoring Tool
An SSL monitoring tool helps not only to closely monitor the expiration of SSL certificates but also to easily and frequently detect changes and problems (e.g., wrong host, untrusted root) in SSL certificates. If any changes occur to the certificate, you will receive a notification prompting you to take necessary action. Thus, automated tools can be used to monitor SSL certificates proactively.
[Screenshot: example notification from an automated SSL monitoring tool]
How Do You Fix an Expired SSL Certificate?
If your web security certificate expires, you should apply for a new SSL certificate. You cannot update an existing SSL certificate.
Renewing an expired SSL certificate is a straightforward process. Here are the steps you need to follow to renew an SSL certificate.
Step 1: Create a New Certificate Signing Request (CSR)
A CSR is a form that provides a standardized way to send your information to create the SSL certificate. Include information like the organization and common name, country, city, and key size in the form to help the Certificate Authority (CA) identify your domain and its nature.
Step 2: Choose the SSL Certificate Type
The type of SSL certificate depends on the type of validation required.
A Domain Validated (DV) certificate validates the owner of the domain, an Organization Validated (OV) certificate improves the credibility of the organization of the domain, and an Extended Validation (EV) certificate provides a comprehensive validation of the domain.
You can also opt for a multi-domain or wildcard certificate if you want to secure more than one domain. Depending on your company’s security requirements, you can choose one that suits you the best.
Step 3: Validate your SSL Renewal
To complete the certificate renewal process, you must complete the domain control validation (DCV) process that confirms your domain ownership rights. There are three DCV methods.
- Email validation
- HTTP validation
- DNS-based validation
Step 4: Install the SSL Certificate
Finally, once you obtain the certificate, install it on your servers. There are plenty of guidance documents on installing SSL certificates on different machines. Once you have installed the SSL certificate, it will be activated on your website.
When Is the Best Time to Apply for a Certificate Renewal?
You should apply for a certificate renewal at least one month before its expiration date. However, some experts recommend beginning the SSL certificate renewal process at the start of the last quarter of the existing certificate’s lifecycle.
Whatever timeline you decide to go ahead with, monitor the certificate for expiration and get notified about the renewal date before the expiration date. As a best practice, renew it right after you get your first expiration reminder.
You can allocate a specific resource to manually go through the renewal process or automate the certificate renewal process.
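The automated check described under "Using an Automated SSL Monitoring Tool" combined with the renewal timing above, as an added example (not code from the original article or from Sematext). The function names, the status labels, the reading of "one month" as 30 days and the sample dates are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

def parse_cert_time(value):
    """'Feb  1 00:00:00 2025 GMT' (the getpeercert() format) -> aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)

def renewal_status(not_before, not_after, now=None):
    """Return (status, whole days left) using the article's renewal guidance."""
    now = now or datetime.now(timezone.utc)
    start, end = parse_cert_time(not_before), parse_cert_time(not_after)
    remaining = end - now
    if remaining <= timedelta(0):
        status = "EXPIRED"
    elif remaining <= timedelta(days=30):      # "at least one month before"
        status = "RENEW_NOW"
    elif now >= end - (end - start) / 4:       # last quarter of the lifecycle
        status = "RENEW_SOON"
    else:
        status = "OK"
    return status, remaining.days

def fetch_validity(host, port=443, timeout=5.0):
    """Read notBefore/notAfter from a live server (needs network access).

    The default context verifies the chain and the host name, so an expired,
    wrong-host or untrusted-root certificate raises SSLCertVerificationError.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return cert["notBefore"], cert["notAfter"]

def check_host(host, port=443):
    """One monitoring probe: ('INVALID', reason) or the renewal status."""
    try:
        return renewal_status(*fetch_validity(host, port))
    except ssl.SSLCertVerificationError as exc:
        return "INVALID", exc.verify_message

# Constructed sample: a 397-day certificate issued on 1 January 2024.
SAMPLE = ("Jan  1 00:00:00 2024 GMT", "Feb  1 00:00:00 2025 GMT")

if __name__ == "__main__":
    for day in ("2024-06-01", "2024-11-15", "2025-01-15", "2025-02-02"):
        now = datetime.fromisoformat(day).replace(tzinfo=timezone.utc)
        print(day, renewal_status(*SAMPLE, now=now))
```

Run `check_host` from a scheduler against each of your own domains and alert on anything other than `OK`; an `INVALID` result carries the verifier's reason, such as a host name mismatch or an untrusted issuer.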
Monitor SSL Certificate Expiration with Sematext
Sematext Synthetics is a synthetic monitoring tool with SSL monitoring capabilities. It offers SSL certificate expiry checks and performs them on all the certificates in the chain – the leaf, intermediate, and root certificates. Synthetics checks for certificate changes every 10 minutes. If any of the tests fail, Sematext sends multiple alerts via the notification channel of your choosing, like Slack, Twilio, Zapier, VictorOps, and many others.
Start your 14-day free trial and see how Sematext Synthetics can help monitor your SSL certificate expiry!