Learn about when SSL certificates expire, the risks of expiration, what to do when they expire, and more.
You know that SSL certificates are indispensable in keeping your website safe and secure. What happens, then, if your SSL certificates expire? This is a common problem that many businesses and websites face; after dedicating a lot of time and effort toward securing these certificates, they suddenly appear to be past their prime. When this happens, the pitfalls can be considerable.
To highlight the need for renewal, we've compiled a guide to all aspects of SSL certificate expiration: how and when this happens, which problems can follow, and what it takes to keep SSL certificates up to date.
What does it mean when an SSL certificate expires?
An SSL certificate provides powerful validation for your digital identity while securing the connections between web pages and browsers. Short for Secure Sockets Layer, an SSL certificate is typically issued by a certificate authority (CA) and can provide an instant visual boost of confidence for everyday users: a simple padlock icon in the address bar.
SSL certificates are, by nature, limited in duration. Website owners should not expect these to last forever. Rather, they must be regularly renewed to ensure that they continue to provide effective validation and protection over time.
To that end, these certificates expire after a predetermined period of time. Their specific duration has changed through the years — but currently, you can expect all SSL certificates to expire after 13 months. Expiration means that the certificate is no longer valid and that communications are no longer protected.
Can you use an expired certificate?
Technically speaking, you are not required to renew your SSL certificate. Letting it expire is certainly an option, but it's not a wise one. Similarly, you are allowed to revoke your certificate, although that solution should only be employed if you are closing your business or if you have recently suffered a breach that calls for extensive security updates.
Once your certificate expires, site visitors will encounter the "Your connection is not private" message. All further communication will be displayed in plaintext and therefore, will no longer be encrypted. Outages are a distinct possibility at this point, as are cyberattacks and a variety of other risks that we will discuss in detail below.
Risks of certificate expiration
SSL certificates represent a core component of a website security strategy. If you allow these certificates to expire, you will lose the advantages that prompted you to seek them in the first place.
To that end, the key risks associated with expiration closely resemble the hazards of not getting a certificate at all — but if your certificate expires when you're not prepared, you may find yourself under the incorrect assumption that your website is still secure and that your reputation is still strong.
Risks abound when you allow your certificates to expire, but these issues, in particular, are worth mentioning:
Outages. Any downtime whatsoever can cause your profits to plummet in the short-term while also damaging your reputation in the long run. Unfortunately, outages become a lot more likely as soon as your SSL certificate expires.
Cybersecurity. Perhaps the most alarming issue accompanying SSL certificate expiration? The increased potential for cyberattacks. After all, once your certificate expires, your communications no longer take place via an encrypted HTTPS connection. As a result, your data (and that of your customers) could be easily accessible to malicious parties.
Customer trust. As your cybersecurity suffers, so does trust among previously loyal customers. Even if you somehow manage to avoid the most problematic cybersecurity issues, your customers will be aware of your lack of certification simply because your website will suddenly display the alarming message, "Your connection is not private." Few will be willing to visit your website under these conditions and, unfortunately, these short-term concerns can eventually lead to long-term avoidance.
Retention. With a reduction in trust comes considerable damage to your customer retention rates. This is particularly true if minimal protection leaves your site open to attacks. This was clearly evident in an alarming Ping Identity survey indicating that a whopping 81 percent of consumers would be inclined to stop engaging with brands online in the aftermath of a breach.
Why do SSL certificates expire?
While SSL / TLS certificate expiration may seem inconvenient or downright frustrating, this actually happens by design and is (believe it or not) for the best. Security standards and best practices are constantly in flux, so SSL certificates also need to change with the times.
Simply put, SSL certificates would lose all meaning if they did not have a built-in shelf life. Without expiration, there is no way to know that current certificates abide by the latest security strategies — nor is there any real incentive for website owners to update their certificates.
Consider how much the cybersecurity landscape has changed in just the last few years. Now, imagine if you'd implemented SSL certificates that lasted for over a decade. Would security standards that were relevant ten years ago make much of a difference today? Of course not — and as the pace of change accelerates, we will need even more frequent certificate updates to keep up.
It might not seem like it when you’re in the midst of a complex re-issuance, especially if you manage hundreds or even thousands of certificates, but shorter validation periods can actually streamline the process of updating certificates if an automated solution is implemented. From the website owner's perspective, these short timelines can actually prove useful beyond their long-term security implications.
How long do website certificates last?
Certificate timelines sometimes vary from one category to the next, so it's important to keep differing strategies in mind as you search for the right solution. Currently, however, it's standard practice for all types of SSL certificates to last around thirteen months. As we'll touch on later, however, that is about to change.
At Sectigo, we maintain a reissuing timeline of once per year to align with the latest security standards. This applies to DV, OV, and EV certificates. These days, it’s standard practice to renew all three types of certificates after thirteen months or, specifically, 397 days.
Keep in mind that, when deadlines differ for certificates, this typically applies to code signing, as opposed to SSL certificates. Code signing certificates don’t require issuance quite as often, with periods of up to three years available before they expire. Even after expiration, timestamping can ensure that signatures remain valid. That being said, it remains worth your while to promptly renew code signing certificates, as you would for any type of digital certificate.
The main types of SSL certificates include:
Extended validation (EV). As the highest level of certification, EV provides a trustworthy option that you can count on for powerful peace of mind. The process of obtaining an EV certificate is notoriously complicated, but therein lies its value: because not just anybody can secure this certificate, it's more likely to assure even the most skeptical website visitors.
Organization validation (OV). An excellent mid-range form of certification, OV goes above and beyond DV but does not require as extensive of a verification process as EV. Where it resembles EV, however, is in the need for the Certificate Authority to verify organizational information before issuance.
Domain validation (DV). This is the most basic form of digital certification and also the most cost-effective. Another advantage? These certificates can be issued promptly. They might not provide an elite level of protection, but DV is certainly better than bypassing digital certification altogether.
Moving forward, certificate expiration may arrive even more quickly than it does today. In Google's recent Moving Forward, Together roadmap, it became abundantly clear that the maximum certificate validity will see a significant reduction: from the full 398 days available currently to just 90 days in the near future. The exact date for this switch remains unknown, but experts anticipate that shorter certificate deadlines will be in place by the end of 2024.
How to avoid SSL certificate expiration
As SSL certificate deadlines become shorter, remaining consistently aware of your certificates' status will be even more important. Thankfully, there are many options for keeping these up to date. Top strategies include:
It's surprisingly easy to manually check certificate expiry dates. Even everyday website users can take a close look at these simply by clicking on the padlock displayed in the left-hand corner of the web browser's address bar. From there, a drop-down menu should appear, revealing whether the connection is secure and providing the opportunity to view additional details.
Under the "Connection is secure" heading, you'll see the phrase "Certificate is valid." Click this and a pop-up will appear, revealing who issued the certificate, when it was issued, and when it will expire. Another option? Using your customer dashboard, you can easily view the certificate status and renew it as the expiry date draws near.
While it's possible and even easy to manually check and renew your certificates, this approach is not advised. Especially for those managing multiple certificates. Consider whether you will actually remember to check certificates or renew them as often as needed. Even if you have good intentions, it's easy to fall behind on SSL certificates. With so many cybersecurity concerns to deal with, you simply may not be capable of keeping up with constantly expiring certificates — and as we've discussed, the issue is only going to accelerate.
If you aren't ready to go it alone, make the most of automated certificate lifecycle management solutions. These take the guesswork out of SSL certificates expiration. With this system in place, you can feel fully confident about your website's security status — especially as SSL certificate protocols continue to evolve and, as we've discussed, move toward shorter re-issuance timelines.
How to renew
As the certificate expiration date looms large, you'll want to be prepared for a swift renewal. This process doesn't have to be complicated. You will receive notifications of your soon-to-expire certificate well in advance and are encouraged to begin the renewal process 30 days prior to the stated expiry date.
If you have invested in a certificate lifecycle management solution, this process will automatically be handled and your certificate will be promptly renewed. Otherwise, follow these steps to renew them on your own:
Create a certificate signing request (CSR). First and foremost, your web host will need to validate the identity of your server. This begins with generating a new CSR, which can be accomplished via cPanel. Along the way, be prepared to provide contact information or other details that validate domain ownership (depending on the type of SSL you request). This probably took several days when you first secured your now-expired certificate. In all likelihood, the timeline will remain the same for re-issuance.
Send the CSR to the CA. Your CSR is all set and you are ready to move forward with the renewal process. Next, check your email for instructions on how to send your recently generated CSR to your Certificate Authority. These details should be accompanied by a link that sends you to the next step.
Validate your certificate. Once again, you will need to confirm domain ownership. The simplest strategy involves using an email affiliated with the specific domain. Otherwise, you can use HTTP validation for verification purposes.
Install the certificate. Finally, use cPanel to access the SSL/TLS area, where you’ll find insight into your various domains and opportunities to update their certificates.
What if you want the benefits of prompt renewal but don’t want to constantly pay for new certificates? Consider investing in a multi-year plan. This provides consistent coverage but can also prompt significant savings. At Sectigo, we offer plans spanning up to a full six years.
Additionally, you are welcome to upgrade or change as you renew your SSL certificate status. Whether you want wildcard SSL for subdomains or are ready to move up to OV or EV, this is a great time to boost your protection.
Get your SSL certificate with Sectigo
As you search for a trusted Certificate Authority, take a close look at the many SSL/TLS and other digital certificate offerings from Sectigo. We offer a wide range of options, including EV, OV, and DV certificates.
Our certificates are available for a single domain or, if needed, hundreds of domains — and they can be purchased every year or in a multi-year format. Our Sectigo Certificate Manager platform allows you to automate this process so you don’t risk falling behind.
Ready to get started? Take a close look at our certificates and management services or contact us for more information.