Blog Post Jun 22, 2021

How To Avoid SSL Outages And Renew Certificates

Avoiding SSL certificate outages is critical for businesses. Learn how to prevent expired SSL certificates and other errors as well as how to renew certificates.

What is an SSL Certificate Outage Error?

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols designed to provide a secure communication channel between clients and servers over the internet. SSL is the older encryption protocol whereas TLS is the relatively newer version. The intention behind having an SSL/TLS certificate is not just to provide authentication but also to establish the identity of the remote server with which the client browser communicates.

An SSL certificate error occurs when a web browser can't verify the certificate installed on a site. Rather than connect the requestor, the browser will display an error message warning that the site may be insecure. This often occurs when a certificate has expired. According to industry standards, SSL certificates cannot have a lifespan longer than 398 days. That means that every website needs to renew or replace its SSL certificate at least once every two years.

Note that SSL/TLS certificates are offered with three levels of validation:

  • Domain Validation (DV): The CA verifies whether the applicant has rights to the specific domain name (typically through email verification). No additional information is vetted, and DV certificates can be issued within minutes.
  • Organization Validation (OV): The CA not only verifies that the applicant has rights to the specific domain name but also conducts additional investigations of the applicant's organization on a basic level. This information is displayed on the certificate for enhanced trust from the site's end users.
  • Extended Validation (EV): The CA verifies business ownership, and the applicant must provide acceptable documents regarding the company and its ownership. Apart from assuring that the applicant has the rights to the specific domain, the CA conducts a thorough investigation of the company, and this information is displayed on the certificate. Further, a secure padlock is displayed in the web address of the browser, so the user gets extra assurance that the website is safe to visit.

What Happens When You Have Expired SSL Certificates?

Web server downtime is costly. According to Information Technology Intelligence Consulting's 11th annual Hourly Cost of Downtime Survey, over 98% of large enterprises with more than 1,000 employees say that on average, a single hour of downtime per year costs their company over $100,000. That's $1,667 per minute of downtime for a single server, growing to $16,670 per minute when downtime affects 10 servers and critical business applications or data assets.

Unidentified, expired SSL certificates result in multiple process interruptions, ranging from a simple error message on a screen to an abrupt termination of service due to a protocol error. Additional causes of SSL certificate problems and outages include:

  • The certificate is not a trusted certificate; i.e., it is not digitally signed by a Certificate Authority (CA). Browsers only trust certificates that come from a trusted organization on their list of certificates, and not an untrusted site. The solution may require an intermediate certificate to establish that the website’s certificate was issued by a valid root CA.
  • The certificate installation was not properly completed on the server (or servers) hosting the site.
  • A name mismatch error occurs for the URL in question. For example, the domain name https://www.example.com might be included in the certificate while https://example.com is different and might not be registered as a part of the SSL certificate. In these cases, an SSL certificate needs to secure multiple subdomain names as well as the root domain name.
  • The site is lacking a dedicated IP address.
  • A secure page (HTTPS) contains an element that’s being loaded from an insecure page (HTTP). The element on the insecure page could be an image, iframe, Flash animation, or snippet of JavaScript — prompting the browser to display an error message instead of loading the page. These instances of mixed content errors compromise the security of the page, leaving the door open for an on-path attack by cybercriminals.
  • Invalid SSL certificate or intermediate certificate errors could occur when, as a website owner, you are trying to install the certificate on your web server or CDN, but the relevant certificate details are not provided correctly.

A web server without an SSL certificate is vulnerable to being hacked, exposing visitors and customers to a higher risk of having their data stolen. Check out Sectigo’s Root Causes podcast for more discussions on why certificates expire in the first place.

What Happens Without SSL?

Without encryption provided by an SSL certificate, your site — and the data it collects — is open to a data breach or cyber threat. Additionally:

  • Search engines crack down on websites that are not secure, blocking user access through the address bar and lowering their webpage SEO ranking in Google and other search engines.
  • Google Chrome, Firefox, and other browsers issue alerts about unsafe sites, requiring that all web pages be encrypted by SSL regardless of whether or not transactions take place on them or the type of content served. Any page not under https will automatically receive a “Not secure” warning at the top of the browser interface.
  • Users can see error messages such as ERR_SSL_PROTOCOL_ERROR. An influx of error messages erodes confidence from visitors and customers, jeopardizing the business brand.

The risks of an expired certificate make it essential for a business to consider how it manages its certificates.

The Impact of Manual Certificate Management

Failure to renew or replace an expired SSL/TLS certificate means that any communication to that machine will cease to work. Knowing where each certificate is installed, who controls access to that machine, and when the certificate will expire is essential to business continuity.

Organizations with distributed certificate creation and management teams, such as web hosting providers, can quickly find themselves dealing with hundreds of thousands of certificates to manage, with more being created daily. Lack of centralized ownership, automation, and more critically, a lack of organizational visibility, sets the stage for human error and unidentified SSL certificate errors.

Even with the help of email notifications for certificate expiration dates, enterprises that manually manage certificates and their renewals are at risk of them expiring due to gaps in ownership caused by human error, vacation, or staff turnover. When a breach occurs in this environment and time is of the essence, troubleshooting to mitigate widespread risk can be practically impossible.

A commitment to proactive monitoring and management is a critical step toward preventing SSL certificate outages.
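A minimal monitoring check for the expiry and name-mismatch problems described above, added here as an illustration (it is not Sectigo code). It assumes certificates are supplied in the dict layout returned by Python's `ssl.SSLSocket.getpeercert()`; the two sample certificates, the finding labels, and the function names are constructed for this example.

```python
import ssl
from datetime import datetime, timezone

MAX_LIFETIME_DAYS = 398  # lifespan limit quoted in the article
RENEW_WINDOW_DAYS = 90   # renewal window mentioned in the renewal steps

def parse_time(value):
    """Parse a getpeercert() time string, e.g. 'Jun 22 00:00:00 2021 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), timezone.utc)

def san_covers(pattern, host):
    """True if a SAN DNS entry covers host; '*' matches exactly one leftmost label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def audit(cert, hostnames, now):
    """Return a list of findings for one certificate dict (getpeercert() layout)."""
    not_before = parse_time(cert["notBefore"])
    not_after = parse_time(cert["notAfter"])
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    findings = []
    if now >= not_after:
        findings.append("expired")
    elif (not_after - now).days <= RENEW_WINDOW_DAYS:
        findings.append(f"renew-soon:{(not_after - now).days}")
    if (not_after - not_before).days > MAX_LIFETIME_DAYS:
        findings.append("lifetime-over-398-days")
    for host in hostnames:  # every name the site is served under must be covered
        if not any(san_covers(s, host) for s in sans):
            findings.append(f"name-mismatch:{host}")
    return findings

# Constructed sample inventory (not real certificates).
CERT_WWW_ONLY = {
    "notBefore": "Jun 22 00:00:00 2021 GMT",
    "notAfter": "Jul 25 00:00:00 2022 GMT",
    "subjectAltName": (("DNS", "www.example.com"),),
}
CERT_WILDCARD_OLD = {
    "notBefore": "Jan 01 00:00:00 2020 GMT",
    "notAfter": "May 01 00:00:00 2022 GMT",
    "subjectAltName": (("DNS", "*.example.com"),),
}

if __name__ == "__main__":
    now = datetime(2022, 6, 1, tzinfo=timezone.utc)  # fixed "today" for the demo
    for label, cert in (("www-only", CERT_WWW_ONLY), ("wildcard", CERT_WILDCARD_OLD)):
        print(label, audit(cert, ["example.com", "www.example.com"], now))
```

Both samples fail for the root domain: the first lists only `www.example.com`, and a wildcard entry matches a single leftmost label, so `*.example.com` does not cover `example.com`.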

How to Avoid an SSL Certificate Outage with Automated Lifecycle Management

There's no better time to discover, control, and automate the lifecycle of all digital certificates in your environment than now. That starts with picking the right Certificate Authority.

The simple truth is the right CA partner offloads a range of routine tasks critical to the business that most IT teams simply don’t have the time, resources, or expertise to perform. When all the other benefits of trusted certificates are added along with the services provided by a CA, the return on that investment compounds.

Sectigo provides certificate automation solutions that allow enterprises to be agile and efficient while maintaining control of all the security certificates in their environment. Sectigo supports automated installation, revocation, and renewal of SSL/TLS and non-SSL certificates via industry-leading protocols, APIs, and third-party integrations. All Sectigo TLS certificates enable 256-bit encryption, the strongest encryption available for web connections.

With Sectigo Certificate Manager (SCM), organizations can deploy an automated certificate management environment with certificate discovery – in-depth scanning that uncovers and monitors any digital certificates installed across an entire environment regardless of the issuing Certificate Authority (CA). For example, you can drop a Sectigo Proxy in your Microsoft Windows Active Directory server and start issuing both public and private certificates immediately.

Sectigo offers several automation capabilities, including support of the Automated Certificate Management Environment (ACME) protocol. This standard automates certificate lifecycle management communications between CAs and a company’s web servers, email systems, user devices, apps, and any other place Public Key Infrastructure certificates (PKI) are used. SCM ACME support ensures that certificates are correctly configured and implemented without any human intervention needed. This automated approach not only helps reduce risk but allows IT departments to control operational costs and scale certificate issuance quickly.

With more than 100 million certificates issued and the widest selection of options for any sized website, Sectigo is the best choice for your SSL needs.

When and How Do I Renew My SSL Certificate?

Use the following steps to renew your Sectigo SSL certificate:

Step 1: If you are an existing customer, log in to your account. If your certificate will expire within 90 days, you will see a renewal option next to the SSL certificate options. If you are a new customer, after selecting the right SSL certificate, instead of clicking on “Add to Cart” click on “Renew Now.”

Step 2: Fill out the form and make your payment.

Step 3: Generate the Certificate Signing Request (CSR).

Step 4: Send the CSR code (public keys) to Sectigo as your certificate authority.

Step 5: Complete the validation and installation processes.

Ensure your SSL certificates are up to date - explore Sectigo’s SSL / TLS certificates or our Enterprise Certificate Manager today.