Life is busy and, as a result, people sometimes forget to do things. However, some tasks should not be delayed, and that includes renewing a website’s SSL/TLS certificate(s). SSL certificates allow a person, computer or organization to securely exchange information, such as bank account details, logins, and credit card numbers, over the web.
So you can imagine why having up-to-date certificates is particularly important for businesses such as retailers – and the problems that can arise when companies let them lapse. These include sites being marked as insecure and blocked by browsers, leading to reduced visitor trust and, of course, abandoned shopping carts.
But do you really want to run that risk? Probably not, and yet forgetting to renew certificates happens more frequently than you think, and it’s not restricted to any one industry.
For example, in the past four months LinkedIn, Pokemon Go, the UK’s Conservative Party, and even The White House have all let their SSL certificates briefly lapse. These are obviously some very big names, and when a browser indicates a site is untrusted, the site traffic will in all likelihood take a huge nosedive. Security warnings can also cause their reputations to come into question.
In LinkedIn’s case, a few of their country subdomains expired, and as a result, a large number of users were presented with security warnings. For an established site like LinkedIn that has a large base of repeat visitors, it’s not unlikely that many of them simply clicked through the warnings and visited the site anyway. This is obviously worrisome behavior because those warnings exist for a reason. What happens if the site were actually compromised in the future and visitors ignored the warnings thinking, “oh, I’ve gotten an error trying to get to LinkedIn before and it turned out to be nothing; this is no big deal”?
Then there’s the White House. Let’s be honest, it’s just plain embarrassing for that site’s administrator to allow the certificates to expire. Government websites are relied upon by the public and today are seen as prime targets for cyber-attacks. It is especially critical for high-level sites to retain adequate management systems to eliminate risk, while encouraging website visitors to react appropriately to potential vulnerabilities.
These incidents are unfortunate, but they serve as an important lesson to monitor your certificate validity periods and to be aware of the dangers of not renewing them.
I should also point out that while the examples above are all related to public websites, SSL is also used for internal networks (arguably even more so, depending on the company) and unexpected expirations can have disastrous consequences there as well. When your processes are dependent on those certificates – for encryption, mutual authentication, etc. – an expired certificate can bring everything to a screeching halt.
Avoiding SSL Expiration
So to recap, you definitely don’t want to be like one of the companies mentioned above that lets their certificates expire, but what can you do to prevent it? Here are some tips:
- Don’t rely on spreadsheets! It hurts my heart a little to hear that people are still relying on manually updated spreadsheets to keep track of their certificates. While I can’t tell you what to do, the potential issues with this system stress me out – What if someone forgets to update the file? What if someone accidentally overwrites it with incorrect information? What if your system crashes and you lose the whole thing (assuming you didn’t back it up)? Ah!
- Leverage your CA’s certificate management portal. I think most CAs at this point offer some kind of management interface where you can see all certificates you have ordered from them and filter for upcoming expirations. And if yours doesn’t…well, perhaps it’s time to check out other options.
- Check the email address tied to your certificates. At GlobalSign, we have email reminders on by default that get sent periodically leading up to a certificate’s expiration date (you can control the frequency and turn them off completely if you want though). However, these reminders are all for naught if they are going to an incorrect address (for example, an old employee who is no longer with the company) or an account that isn’t frequently checked.
- Worried you might have some rogue certificates out there that are unaccounted for? There are inventory tools out there designed for exactly this situation, many of which will locate certificates regardless of issuing CA and location (i.e., public-facing or internal). This actually brings me to my last point…
- Do a complete certificate inventory! You might think you have a handle on all your certificates – you’re using your CA’s management portal, getting email alerts, maybe even syncing your renewal periods – when, bam, you learn that some random certificate expired and now everyone’s blaming you. Doing a full scan of both your public and internal networks makes you aware of everything you’re working with, so you can be prepared for when that random certificate Bob from the dev team ordered is up for renewal.
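To make the monitoring and inventory advice above concrete, here is a small expiry checker that connects to each listener you point it at, reads the certificate it presents, and buckets it as OK, WARN, EXPIRED or ERROR. This is an added example, not code from the post or from GlobalSign; it uses only the Python standard library, takes targets as host or host:port arguments (port 443 assumed), and the 30-day warning window and the SAMPLE_CERT dictionary are assumptions constructed for the example.

```python
"""Certificate expiry inventory (stdlib only).

Added example, not GlobalSign's code. Assumes Python 3.8+ and that the
hosts to scan are given on the command line as host or host:port.
"""
import socket
import ssl
import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional, Tuple

WARN_DAYS = 30  # assumed warning window; set it to your renewal lead time


@dataclass
class CertStatus:
    host: str
    port: int
    subject: str
    not_after: Optional[datetime]
    days_left: Optional[int]
    state: str          # "OK", "WARN", "EXPIRED" or "ERROR"
    detail: str = ""    # error text when state == "ERROR"


def utc(year: int, month: int, day: int) -> datetime:
    """Aware UTC midnight, used for reproducible 'now' values."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_target(spec: str, default_port: int = 443) -> Tuple[str, int]:
    """Turn 'host' or 'host:port' into (host, port). IPv6 literals are out of scope here."""
    host, sep, port = spec.rpartition(":")
    if not sep:
        return spec, default_port
    return host, int(port)


def common_name(cert: dict) -> str:
    """Pull the subject CN out of the nested tuples ssl.getpeercert() returns."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no CN>"


def classify(cert: dict, host: str, port: int, now: datetime,
             warn_days: int = WARN_DAYS) -> CertStatus:
    """Compute whole days until 'notAfter' and bucket the certificate."""
    # ssl.cert_time_to_seconds understands the 'Jun  1 12:00:00 2026 GMT' form
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (expiry - now).days
    if days_left < 0:
        state = "EXPIRED"
    elif days_left <= warn_days:
        state = "WARN"
    else:
        state = "OK"
    return CertStatus(host, port, common_name(cert), expiry, days_left, state)


def fetch_cert(host: str, port: int, timeout: float = 5.0) -> dict:
    """TLS handshake with verification left on (SNI set); returns the peer certificate dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def run_inventory(targets: Iterable[Tuple[str, int]], now: Optional[datetime] = None,
                  warn_days: int = WARN_DAYS) -> List[CertStatus]:
    """Scan every target; an expired certificate surfaces as a verification ERROR."""
    now = now or datetime.now(timezone.utc)
    results: List[CertStatus] = []
    for host, port in targets:
        try:
            results.append(classify(fetch_cert(host, port), host, port, now, warn_days))
        except ssl.SSLCertVerificationError as exc:  # e.g. "certificate has expired"
            results.append(CertStatus(host, port, "?", None, None, "ERROR", exc.verify_message or str(exc)))
        except (OSError, ssl.SSLError) as exc:       # refused, timed out, handshake failure
            results.append(CertStatus(host, port, "?", None, None, "ERROR", str(exc)))
    # Worst first: expired and errors, then soonest expiry.
    rank = {"EXPIRED": 0, "ERROR": 1, "WARN": 2, "OK": 3}
    results.sort(key=lambda r: (rank[r.state], r.days_left if r.days_left is not None else -1))
    return results


def format_line(r: CertStatus) -> str:
    if r.state == "ERROR":
        return f"{r.state:8} {r.host}:{r.port}  {r.detail}"
    return (f"{r.state:8} {r.host}:{r.port}  CN={r.subject}  "
            f"expires {r.not_after:%Y-%m-%d}  ({r.days_left} days)")


# Constructed sample in the shape ssl.getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "subjectAltName": (("DNS", "shop.example"),),
    "notBefore": "Jun  1 12:00:00 2025 GMT",
    "notAfter": "Jun  1 12:00:00 2026 GMT",
}

if __name__ == "__main__":
    if len(sys.argv) < 2:
        # Offline demonstration on the constructed sample, frozen at 2026-05-20
        print(format_line(classify(SAMPLE_CERT, "shop.example", 443, utc(2026, 5, 20))))
        print("usage: python cert_inventory.py host[:port] ...")
    else:
        report = run_inventory(parse_target(a) for a in sys.argv[1:])
        for r in report:
            print(format_line(r))
        sys.exit(1 if any(r.state != "OK" for r in report) else 0)
```

Two points worth knowing before relying on something like this. First, verification is deliberately left on, so a certificate that has already lapsed shows up as an ERROR line carrying OpenSSL's "certificate has expired" message rather than as a negative day count; switching verification off is not a shortcut, because CPython's getpeercert() then returns an empty dictionary with no dates in it. Second, this only sees what a reachable listener presents, so it complements, rather than replaces, the CA portal and the file-system and network inventory tools mentioned above. Run it from a scheduled job against your public and internal hostnames and alert on any non-OK line.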