An SSL certificate expires once the not_after date on the certificate has passed. Now that most of the web is encrypted and depends on SSL certificates, a single expired SSL certificate can cause outages that affect millions of people at once. Or, it may only affect a few people, but the service behind the certificate may be a critical one that you or your business cannot afford to lose.
Why do SSL certificates expire? At best, expiration enforces the best practice of key rotation; at worst, it requires system administrators to pay attention to the security of the system. Keys can be compromised or over time become weak in comparison to advances in computing power, and should be renewed or replaced when necessary. An expiration date on a certificate ensures that the security of the system will at least be on someone’s radar.
SSL Certificate Renew
How to Renew an SSL Certificate
How do you renew an SSL certificate? SSL certificate renewal can be either a simple, straightforward, routine practice or a cumbersome one, depending on your experience with SSL certificates and with the servers the certificates are installed on. To renew an SSL certificate without downtime, make sure to monitor your certificate expiration dates or set up automated renewal.
If your SSL Certificate has expired, you may find yourself asking how to renew. That is probably why you are here in the first place. You will first need to buy a new certificate and then install it on your server.
SSL Certificate Expiration Monitoring
To monitor SSL certificate expiration, many systems administrators will simply set a calendar reminder. While this is old school, it is an effective measure. Additionally, you can routinely use our SSL Certificate Decoder tools to check the certificate validity dates or use the openssl and keytool commands written about below.
Automated certificate renewal with ACME is becoming an industry standard, so if you are able to use a Certificate Authority (CA) that supports the ACME protocol, like Sectigo, that is also a good route to replace monitoring with automated renewal.
Certificate Transparency tools are another option for monitoring the expiration of SSL Certificates. More information can be obtained through our article on Certificate Transparency monitoring. SSL Certificate Expiration monitoring is a critical operation in today’s infrastructure and should be prioritized near the top with other critical services. To be safe, action should be taken at least 30 days in advance of the SSL certificate expiration date.
Read our article on listing the certificate expiration date with keytool to monitor SSL certificate expiration manually.
SSL Certificate Expiration Check
How to Check SSL Certificate Expiration Date
The certificate expiration date of an SSL Certificate can be checked with openssl, keytool, or even in your browser’s certificate viewer. You can upload your certificate in question to our Certificate Decoder tool and view the parsed certificate data to see when the certificate will expire and other information about the certificate.
An alternative, more hands-on approach is to monitor SSL certificate expiration with a script that reads the certificate data using either keytool or openssl and sends an alert when a certificate is about to expire.
If the certificate is installed in a keystore, you can display the expiration date by listing the keystore contents.
With keytool:
keytool -list -v -keystore example.p12
This displays the expiration date as the until: value on the Valid from: line. For more information on the keytool list command, visit our keytool list certificate article.
To view the certificate expiration date with openssl, run:
openssl x509 -in example.com.crt -text -noout
For a full description of how to view a certificate with openssl, visit our openssl view certificate article.
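One way to script the alerting check described above, as an added example (not from the original article or any vendor tooling): it uses openssl x509 -checkend to classify each certificate file against a 30-day warning window. The function names, the WARN_DAYS variable and the script name are assumptions made for this illustration.

```shell
#!/usr/bin/env bash
# Added example: flag certificates that are inside the renewal window.
# Usage: ./check-certs.sh cert1.crt cert2.crt ...   (script name is hypothetical)
WARN_DAYS="${WARN_DAYS:-30}"   # the article's "at least 30 days in advance"

# cert_status FILE [DAYS] prints one of: OK, EXPIRING, EXPIRED, UNREADABLE
cert_status() {
    local cert="$1" days="${2:-$WARN_DAYS}"
    # A missing or unparsable file must never be reported as healthy.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo UNREADABLE
    # -checkend N exits non-zero when notAfter falls within the next N seconds.
    elif ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        echo EXPIRING
    else
        echo OK
    fi
}

# check_certs FILE... prints one line per file and returns 1 if any file is
# not OK, so cron or a monitoring agent can alert on the exit status.
check_certs() {
    local rc=0 cert status end
    for cert in "$@"; do
        status=$(cert_status "$cert")
        end=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null | cut -d= -f2)
        printf '%-10s %-30s notAfter=%s\n' "$status" "$cert" "${end:-unknown}"
        [ "$status" = OK ] || rc=1
    done
    return "$rc"
}

# make_demo_cert FILE DAYS: constructed sample input, a throwaway self-signed
# certificate for CN=example.test valid for DAYS days (private key discarded).
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1" -days "$2" -subj "/CN=example.test" >/dev/null 2>&1
    rm -f "$1.key"
}

if [ "$#" -gt 0 ]; then
    check_certs "$@"
fi
```

Run from cron, the non-zero exit status is the alert signal; UNREADABLE is treated as a failure so that a moved or corrupted certificate file does not silently pass.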
SSL Certificate Expired Fix
In order to fix an expired SSL certificate, it must first be renewed. If renewed with the same Certification Authority (CA) and having the same chain, the end entity server certificate can simply be replaced with the new certificate. Depending on your server software and configuration, this is done differently. If you would like to see examples of how to install certificates in a specific server (Apache, nginx, etc.) let us know in the comments. Some configurations also allow you to simply install the certificate and private key in a PKCS12 keystore. As always, follow the instructions given with your server type and configuration.
How long do SSL Certificates last?
Do SSL Certificates expire? SSL certificates most certainly expire, and the expiration date is defined on the not_after attribute in the certificate.
Technically there is no limit on the validity period of a certificate.
Root CA Certificate: Common to see 10-20 year validity periods.
Intermediate CA Certificate: Common to see 5-10 year validity periods.
End Entity Server Certificate: Publicly trusted certificates have a max validity period of 398 days set by the CA/Browser Forum. Server certificates issued by a private Certificate Authority (CA) may be longer.
Client Certificates: Common to see anywhere from 1 minute to 2 years.
Conclusion
Thank you for reading our post on SSL Certificate Expiration and how to renew an SSL Certificate. Please leave a comment with any questions or comments.