Most people may wonder why SSL certificates expire.
It can be frustrating to install an SSL certificate year after year. However, the reality is that SSL certificate expiration is crucial to the security guarantees SSL provides. In fact, SSL certificates would be meaningless without it.
SSL creates a secure connection between the server and browser and makes sure that any information exchanged between these two parties is secured.
In this article, let’s explore why SSL certificates expire and how you can keep track of their expiration dates.
The WHY
Every SSL certificate has a validity period: a pair of dates between which the certificate is legitimate and usable to create secure connections. SSL certificates become invalid once the validity period ends.
When you attempt to use an expired certificate, browsers and other software stop accepting it and issue a warning. A certificate expires just like a government identification card or credit card.
Certificate validity exists because server authentication is one of the fundamental components of SSL. Authentication makes it possible for the client (often your web browser) to identify the server that it is connecting to. The validity period controls and validates server legitimacy, enabling your web browser to recognize the server.
You’ll always have the most recent TLS versions and ciphers as your SSL certificate renewals must be done every two years.
Checking SSL Cert Expiration Date
Google Chrome
It’s easy to check your SSL certificate’s expiration date with Google Chrome. It requires just a few clicks, depending on the Chrome version you’re using.
Here’s how to use Google Chrome to verify the expiration date of your SSL certificate.
- Press the lock: When you’re on the website, start by clicking the padlock icon in the address bar.
- Select Valid: Click “Valid” in the pop-up box’s “Certificate” prompt.
- Verify the Date for Expiration: The Certificate icon has an expiration date next to it. To view additional details, such as verified organizational details and specifics regarding the certificate itself, click on “Details.”
OpenSSL
Here’s how to check SSL expiration using OpenSSL:
- Open a terminal.
- Enter the following command:
openssl s_client -servername <NAME> -connect <HOST:PORT> 2>/dev/null | openssl x509 -noout -dates
The expiry date appears in the output as notAfter=<expiration_date>.
For example, if the HOST is control.akamai.com and the PORT is 443, the OpenSSL command shows that the certificate expires on Nov 21, 2021 at 23:59:59.
Both of the above options can be used to check the expiry date of individual sites. But what if you manage hundreds of sites and need to keep track of all the SSL expiry dates?
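The OpenSSL check above can be scripted over a list of hosts. The following is an added example, not part of the original article: it parses the notBefore=/notAfter= lines the command prints and ranks hosts by days remaining. The host names, sample dates, and the 30-day warning threshold are constructed assumptions.

```python
import ssl
import subprocess
from datetime import datetime, timezone

# Constructed sample: text as printed by `openssl x509 -noout -dates` for made-up hosts.
SAMPLE = {
    "shop.example": "notBefore=Nov 20 00:00:00 2020 GMT\nnotAfter=Nov 21 23:59:59 2021 GMT\n",
    "api.example": "notBefore=Jan  5 00:00:00 2021 GMT\nnotAfter=Feb  5 23:59:59 2022 GMT\n",
    "old.example": "notBefore=Oct  1 00:00:00 2020 GMT\nnotAfter=Oct 31 12:00:00 2021 GMT\n",
    "down.example": "",  # connection failed, so openssl printed nothing
}
SAMPLE_NOW = datetime(2021, 11, 1, tzinfo=timezone.utc)  # constructed "today"

def parse_dates(x509_output):
    """Turn `-dates` output into {'notBefore': datetime, 'notAfter': datetime} (UTC)."""
    dates = {}
    for line in x509_output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # cert_time_to_seconds parses OpenSSL's "Nov 21 23:59:59 2021 GMT" format
            seconds = ssl.cert_time_to_seconds(value)
            dates[key] = datetime.fromtimestamp(seconds, tz=timezone.utc)
    if "notAfter" not in dates:
        raise ValueError("no notAfter line in openssl output")
    return dates

def fetch_dates(host, port=443, timeout=10):
    """Run the article's two openssl commands for one host; return the raw -dates text."""
    handshake = subprocess.run(
        ["openssl", "s_client", "-servername", host, "-connect", f"{host}:{port}"],
        input=b"", capture_output=True, timeout=timeout)  # empty stdin ends the session
    dates = subprocess.run(["openssl", "x509", "-noout", "-dates"],
                           input=handshake.stdout, capture_output=True, timeout=timeout)
    return dates.stdout.decode()

def triage(inventory, now, warn_days=30):
    """Return (host, days_left, status) rows: unknown hosts first, then soonest expiry."""
    rows = []
    for host, output in inventory.items():
        try:
            not_after = parse_dates(output)["notAfter"]
        except ValueError:
            rows.append((host, None, "UNKNOWN"))  # no certificate seen: needs a look
            continue
        days_left = (not_after - now).days
        status = "EXPIRED" if not_after <= now else "RENEW" if days_left < warn_days else "OK"
        rows.append((host, days_left, status))
    return sorted(rows, key=lambda r: (r[1] is not None, r[1] or 0))
```

To run it against real hosts, build the inventory with `{h: fetch_dates(h) for h in hosts}` and pass `datetime.now(timezone.utc)` as `now`.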
Keeping Track Of SSL Certificate Expiration Date
When you’re in charge of tens or hundreds of websites, things may get out of control very rapidly. Here’s how to keep track of multiple SSL certificate expiry dates and ensure your sites are working properly.
Google Calendar
Reminders can be added to Google Calendar to alert you about important dates. When you have only a few websites under your control, this can work quite well, but maintaining hundreds of those reminders can be a difficult task. In that case, you need to employ an SSL certificate management service.
ElevenGuard
ElevenGuard is a central system where you can track all your SSL certs. When a certificate is about to expire, you will get reminders via an email or Slack, saving you from “oops” moments that could put a red light on production servers.
Oops Moments: Famous Cases With SSL Certificate Expirations
Spotify: When the Music’s Over
One of the most famous SSL certificate expiry cases is the Spotify incident.
In August 2020, Spotify experienced a temporary outage as a result of failing to renew a certificate essential to the operation of its service.
According to sources, a wildcard certificate for the Spotify hostname *.wg.spotify.com was not renewed.
In addition, in May 2022, an outage on Megaphone, a podcast hosting service owned by Spotify, prevented users from accessing many of their favorite shows for more than eight hours. The failure of the business to renew Megaphone’s security certificate was the cause of the outage.
In December 2020, Spotify paid $235 million for Megaphone, making it the streamer’s largest acquisition in its effort to assemble a complete podcasting tech stack. The solution enables the business to profit from podcast listening that occurs even on rival platforms.
Why Megaphone’s SSL certificate was allowed to expire and why it took so long to fix were not addressed by Spotify. The platform’s status page indicated that it took another eight hours to fix the problem. Podcasters encountered problems with the Megaphone CMS even after Megaphone resumed operation.
MS Teams: When Teams disconnect
Another famous oops moment came when Microsoft, a leader in software, forgot to renew the MS Teams SSL certificates.
Because Microsoft neglected to renew a crucial security certificate, Microsoft Teams was unavailable in February 2020 for almost three hours. On Monday morning, users of Microsoft Teams were greeted with error warnings while attempting to sign into the service, with the app stating that an HTTPS connection to Microsoft’s servers could not be established.
Just after 9 AM, Microsoft acknowledged that the Teams service was down and later disclosed the cause of the problem. According to Microsoft’s outage message, the authentication certificate had expired, causing customers to have difficulty using the service.
At 11:20 AM ET, Microsoft began distributing the update, and by noon, the majority of the affected users had their access to the service restored. Given how many people were trying to log in and start their work week, it’s odd that Microsoft would neglect to renew a critical authentication certificate.