
Your Certificate Expired, Now What? [Expert Guide]

November 10, 2020 | Sandra Chrust

A certificate expires and systems go down. The first thing you want to know is how to fix it—fast. The next thing is how you can prevent this from happening in the future.

Expired certificates can manifest themselves in different ways. It depends on where the expired certificate is installed. If it’s on your main website (or load balancer), it will be obvious since no one will be able to securely view your website. You’ll likely get an onslaught of emails and complaints almost immediately. Sometimes though, system downtime is unexplained at first. If the certificate is internal to your application, systems may simply stop working but there’s no obvious cause that jumps out at you. You may spend hours looking for the root cause, only to find an expired SSL/TLS certificate.

 


How to fix an expired certificate

In all cases, the outcome of a certificate-related outage will be a negative one—for you and for your business. If you’re responsible for certificates, you may get reprimanded or spend hours investigating and fixing the problem. The adrenaline will be pumping through your veins as minutes tick on during the certificate-related outage. You’ll refer to documents and websites on how to install a certificate, teach yourself how to generate a certificate signing request (CSR), and find a certificate authority to request a new certificate. The minute you install the certificate and systems start working again, you may tell yourself that you need to burn off some steam. Maybe go for a run? Have a drink of your choice? Not so fast.

You’ll likely be invited to a postmortem meeting to discuss the reasons why the certificate expired without anyone knowing. Long, painful discussions will ensue—finger-pointing may happen, or if you are lucky, everyone will share the blame. In reality, the one thing that everyone is likely to agree on is that spreadsheets and calendar invites are no longer a suitable option for tracking certificates.

After all the stress, you’ll close your computer for the day (or late evening). And sigh. You’ll feel some relief knowing you resolved the issue, but deep down you know that the war against expired certificates is still raging. It’s like an invisible enemy. Lurking. Waiting for the perfect opportunity to say, “Hello again, I’m expired!!” What will you do when you are clearly outnumbered?

That evening your thoughts will race. You’ll realize that if you don’t have a machine identity management solution in place to keep track of all those certificates, this could happen again. Will you still have a job the next time around?

How to avoid expired certificates in the future

You may start by googling things like, “certificate management solution” or “machine identity management solution” or “fix expired certificate solution.” All this Googling will be helpful in educating you on possible PKI solutions; but as someone who wants to fix this “once and for all,” you’ll want to put in place a solution right away. This week. ASAP. You’ll want to show progress and be able to report back to management on the state of all your SSL/TLS certificates.

If you are lucky enough, you’ll hit the Venafi website and discover Venafi Cloud OutagePREDICT. You’ll sign up because it seems like an easy way to address your PKI pain points and it’s just a form fill away. You sign up. Swoosh, you’re in!

You’re amazed by your first login experience. Upon logging in, you see the certificate you just spent the day replacing—never to be overlooked again. Better than you thought possible. You may even start to feel like one of the beloved users who said, “I just loved it. It is amazing. Best in my lifetime. I logged in with my email address and it had all my certificates.”

After reviewing all the certificates that were automatically discovered for your domain, you’ll be hungry for more. Rather than discover every certificate in your network, you see that the tool offers a smarter way to find and organize your certificates. It allows you to create a subgroup for a given application and then find the related certificates. Smart idea. That will make it easy to know what certificates you are in charge of without sifting through hundreds or thousands of others. You dive in.

Where you’ll start seeing immediate results

You create an application called “Retail,” which represents your e-commerce application. Your Retail application is a 3-tier application. You know that it uses certificates that are externally visible on the load balancer. It also uses internal certificates on the application server and database server. You type the info needed to discover your application’s certificates:

  • For external certificates (publicly trusted by every browser), you type in a fully qualified domain name (FQDN) and/or several IP addresses
  • For internal certificates, you enter ports and an IP address, download a lightweight executable and run it (no install required)

Within seconds, you start to see your certificate results populating before your eyes. It’s magical. The results are so comprehensive that you see some certificates you didn’t even know about—some are expiring in less than two weeks. Another close call avoided.

You are floored. That was so easy. Effortless even. Why didn’t you do this earlier?

You set yourself as the application owner and set up your alerts so that you are notified before any of the certificates you’re responsible for expire. You invite your colleague (who’s your backup when you are on PTO) to ensure she is also alerted to expiring certificates. You look at your watch. It’s been 10 minutes since you created your account. You already know you’ve hit the jackpot solution—you’ll continue tomorrow and invite more colleagues including information security and other application owners.

You close your laptop for the second time that day. This time, you feel happy and content. You have a solution. You know that you’ll impress your manager tomorrow when you show them the tool. You sleep well that night.

To follow a visual journey of the steps taken, take a look at the screenshots below. This story only scratches the surface of what OutagePREDICT can do for you. To learn more, visit https://www.venafi.com/venaficloud/outagepredict.

 

Are you ready to start your journey to preventing certificate-based outages? Sign up and use it for free.

 

 


 


 


 


 


 


 

 

About the author

Sandra Chrust

Sandra Chrust writes for Venafi's blog and is an expert in machine identity protection.
