How to avoid SSL outages and renew certificates

What does an SSL certificate outage mean?

SSL (Secure Sockets Layer)/TLS (Transport Layer Security) certificates are designed to provide a secure communication channel between clients and servers over the internet. An SSL certificate outage or error occurs when a web browser can't verify the certificate installed on a site. Rather than connect the requestor, the browser will display an error message warning that the site may be insecure.

An SSL certificate outage can happen for several reasons, with the most common being an expired certificate. When an SSL certificate expires, browsers and users can no longer trust the site, leading to security warnings and potential loss of traffic. These certificate-related outages not only disrupt your services but can also expose vulnerabilities that cybercriminals might be able to exploit. To prevent this, IT teams must stay vigilant and implement a proactive approach to SSL certificate management.

According to industry standards, SSL certificates currently cannot have a lifespan longer than 398 days. That means that every website needs to renew or replace its SSL certificate at least once every two years.

This will change, as 90 day validity periods are expected to be put into place soon. This shift to shorter validity periods will make efficient certificate lifecycle management practices even more important.

Note that SSL/TLS certificates are offered with three levels of validation: Domain Validation (DV) for basic domain ownership verification, Organization Validation (OV) for additional organizational legitimacy checks, and Extended Validation (EV) for the highest trust level with thorough business verification (the standard for eCommerce websites).

What happens when you have expired SSL certificates?

Web server downtime is costly. According to Information Technology Intelligence Consulting's 11th annual Hourly Cost of Downtime Survey, over 98% of large enterprises with more than 1,000 employees say that on average, a single hour of downtime per year costs their company over $100,000. That's $1,667 per minute of downtime for a single server, growing to $16,670 per minute when downtime affects 10 servers and critical business applications or data assets.

Unidentified, expired SSL certificates result in multiple process interruptions, ranging from a simple error message on a screen to an abrupt termination of service due to a protocol error. Additional causes of SSL certificate problems and outages include:

• The certificate is not a trusted certificate; i.e., it is not digitally signed by a Certificate Authority (CA). Browsers only trust certificates that come from a trusted organization on their list of certificates, and not an untrusted site. The solution may require an intermediate certificate to establish that the website’s certificate was issued by a valid root CA.
• The certificate installation was not properly completed on the server (or servers) hosting the site.
  
• A name mismatch error occurs for the URL in question. For example, the domain name https://www.example.com might be included in the certificate while https://example.com is different and might not be registered as a part of the SSL certificate. In these cases, an SSL certificate needs to secure multiple subdomain names as well as the root domain name.
• The site is lacking a dedicated IP address.
• A secure page (HTTPS) contains an element that’s being loaded from an insecure page (HTTP). The element on the insecure page could be an image, iframe, Flash animation, or snippet of JavaScript — prompting the browser to display an error message instead of loading the page. These instances of mixed content errors compromise the security of the page, leaving the door open for an on-path attack by cybercriminals.
• Invalid SSL certificate or intermediate certificate errors could occur when, as a website owner, you are trying to install the certificate on your web server or CDN, but the relevant certificate details are not provided correctly.

What happens without SSL?

A website without the encryption provided by an SSL certificate is highly vulnerable to cyberattacks and data breaches, putting visitor and customer data at risk. Moreover, search engines penalize unsecured websites by blocking user access, lowering their website’s SEO rankings, and displaying "Not secure" warnings in browsers like Google Chrome and Firefox. Such warnings, along with error messages like ERR_SSL_PROTOCOL_ERROR, can erode customer confidence and damage a business's brand.

Check out Sectigo’s Root Causes podcast for more discussions on why certificates expire in the first place.

The challenge of manual certificate management

Failure to renew or replace an expired SSL/TLS certificate means that any communication to that machine will cease to work. Knowing where each certificate is installed, who controls access to that machine, and when the certificate will expire is essential to business continuity.

Organizations with distributed certificate creation and management teams, such as web hosting providers, can quickly find themselves dealing with hundreds of thousands of digital certificates to manage, with more being created daily. Lack of centralized ownership, automation, and more critically, a lack of organizational visibility, sets the stage for human error and unidentified SSL certificate errors.

Even with the help of email notifications for certificate expiration dates, enterprises who manually manage certificates and their renewals are at risk of them expiring due to gaps in ownership, caused by human error, vacation, or staff turnaround. When a breach occurs in this environment and time is of the essence, troubleshooting to mitigate widespread risk can be near impossible.

A commitment to proactive monitoring and management is a critical step toward preventing SSL certificate outages.

Avoiding SSL certificate outages with Automated Lifecycle Management

There's no better time to discover, control, and automate the lifecycle of all digital certificates in your environment than now. That starts with picking the right Certificate Authority. The simple truth is the right CA partner offloads a range of routine tasks critical to the business that most IT teams simply don’t have the time, resources, or expertise to perform. When all the other benefits of trusted certificates are added along with the services provided by a CA, the return on that investment compounds.

Sectigo, Certificate Authority trusted worldwide, provides certificate automation solutions that allow enterprises to be agile and efficient while maintaining control of all the security certificates in their environment. Sectigo Certificate Management (SCM) supports automated installation, revocation, and renewal of SSL/TLS and non-SSL certificates via industry-leading protocols, APIs, and third-party integrations. All Sectigo SSL/TLS certificates enable 256-bit encryption, the strongest encryption available for web connections.

With SCM, organizations can deploy an automated certificate management environment with certificate discovery – in-depth scanning that uncovers and monitors any digital certificates installed across an entire environment regardless of the issuing Certificate Authority (CA). For example, you can drop a Sectigo Proxy in your Microsoft Windows Active Directory server and start issuing both public and private certificates immediately.

Sectigo offers several automation capabilities, including support of the Automated Certificate Management Environment (ACME) protocol. This standard automates certificate lifecycle management communications between CAs and a company’s web servers, email systems, user devices, apps, and any other place Public Key Infrastructure certificates (PKI) are used. SCM ACME support ensures that certificates are correctly configured and implemented without any human intervention needed. This automated approach not only helps reduce risk but allows IT departments to control operational costs and scale certificate issuance quickly.

With more than 100 million certificates issued and the widest selection of options for any sized website, Sectigo is the best choice for your SSL certificate needs.

Steps to renewing an SSL certificate

Use the following steps to renew your Sectigo SSL certificate:

• Step 1: Log in or start the renewal process

Existing customer: Log in to your account. If your certificate is set to expire within 90 days, you'll see a renewal option next to your SSL certificate.
New customers: After Selecting the appropriate SSL certificate, click on “Renew Now” instead of “Add to Cart.”

• Step 2: Complete de form and payment

Fill out the renewal form and proceed with your payment.

• Step 3: Generate the Certificate Signing Request (CSR)

Create the CSR, which includes the public keys required for the certificate.

• Step 4: Submit the CSR

Send the CSR code to Sectigo, your certificate authority.

• Step 5: Complete Validation and Installation

Finish the validation process and install your renewed SSL certificate.

Ensure your SSL certificates are up to date and configured correctly to avoid any type of SSL error or outage with the help of Sectigo. Explore our SSL/TLS certificates and learn how our automated Certificate Management platform can improve your organization's cybersecurity posture today.

Want to learn more? Get in touch to book a demo of Sectigo Certificate Manager!

Related posts:

How to renew SSL certificates & how to automate the process

What is a certificate management system and when is an automated system needed?

What happens when your SSL certificate expires & how to renew