What happens when your SSL certificate expires? This.
One of the most common questions we get asked is some variation on “what happens when your SSL certificate expires?” or “what happens if you don’t renew your SSL certificates on time?”
The answer is death. Swift ignominious death. Ever wonder what happened to Jeeves? Now you know. On the death certificate his cause of death just reads: “certificate expiry.”
That was a dark day for the internet…
Ok, so maybe that’s a little bit hyperbolic (and patently untrue). But certificate expiration can have some serious consequences. Today we’re going to talk about what happens when your SSL certificate expires, we’ll toss out some infamous examples of certificate expiration and we’ll even go into how to avoid accidentally letting your SSL certificates expire.
Let’s hash it out.
What happens when your SSL certificate expires?
Let’s start by answering the question we posed and then we’ll delve into some of the minutiae. SSL certificates facilitate the encryption of data in transit. By installing an SSL certificate on your website’s server, it allows you to host it over HTTPS and create secure, encrypted connections between your site and its visitors. This safeguards communication. SSL also authenticates the server.
SSL certificates are not valid forever though. They expire. There is an industry forum, the Certificate Authority/Browser Forum, that serves as a de facto regulatory body for the SSL/TLS industry. The CAB Forum dictates the baseline requirements that Certificate Authorities must follow to issue trusted SSL certificates. Those requirements dictate that SSL certificates may have a lifespan of no longer than 27 months (two years + you can carry over up to three months when you renew with time remaining on your previous certificate).
That means that every website needs to renew or replace its SSL certificate at least once every two years. So, what happens when your SSL certificate expires? It makes your site nigh unreachable.
When a user’s browser arrives at your website it checks for the validity of the SSL certificate within milliseconds (it’s part of the SSL handshake). If the certificate is expired, it issues a warning like this:
You don’t need me to tell you that this message is essentially a death warrant for your site’s traffic, sales, whatever metric you value. While most browsers do offer an option to click through the warning, almost nobody does it. The average internet user may not know a ton about cybersecurity, but they know two things: computers are expensive and malware messes up computers. So if their browser tells them a website isn’t safe, or in this case that their connection isn’t secure, they are probably going to listen.
Why do SSL certificates expire?
This is a topic we’ve discussed quite a bit in the past, but here’s a quick rundown. As we mentioned earlier, SSL certificates help facilitate two things: encryption and authentication. The latter is the bigger culprit for certificate expiry. All SSL certificates authenticate something, even domain validation certificates authenticate a server. As with any form of authentication, you occasionally need to re-validate the information you’re using in order to make sure it’s accurate.
That’s especially true on the internet. Things change all the time. Websites change hands. Companies are bought and sold. And SSL/TLS is based on a trust model that can be undermined by that. So it’s important for Certificate Authorities that are issuing trusted certificates to ensure that the information they’re using to authenticate servers and organizations is as up-to-date and accurate as possible.
Let’s look at a practical example. Circuit City was an electronics and appliance retailer that went out of business about a decade ago. Now, imagine for a moment that SSL certificates didn’t expire. Circuit City’s assets have all been sold off or jettisoned, so what if someone grabs the certificate and the domain it was issued for? Now they’re free to do whatever they want with that domain (until the certificate is revoked, but that’s a completely separate mess) and everyone’s browser would see this site as the legitimate article. Someone that didn’t realize the company was now defunct could easily be duped. After all, the certificate is legitimate.
That can’t happen. If anything, expect certificate lifespans to get shorter. At one point, SSL certificates could be issued for as long as five years. Then it was knocked down to three. Then last year it was down to two—which was a compromise because the original Google proposal was for one year. In the future certificate validity may be as short as 3-6 months. Let’s Encrypt issues 3-month certificates right now.
Authentication isn’t the only culprit for certificate expiry though. Having shorter certificate validity periods also makes it easier for the industry to roll out changes more quickly. For instance, a few years ago the SSL/TLS industry deprecated the use of SHA-1 as a hashing algorithm. As anyone that has ever ordered an SSL certificate knows, you pick the hashing algorithm during generation. With three-year validity, in some cases you may have to wait as long as 39 months after the deadline before the certificate expires and SHA-1 is finally retired by that website.
Short validity periods fix this. If we were to phase out SHA-2 in favor of SHA-3 (don’t worry, that’s not coming anytime soon) you could set a cutoff date for issuing SHA-2 certificates and within 27 months (or 15 if validity is reduced to one year) SHA-2 would be completely deprecated.
High Profile SSL Certificate Expirations
If you do accidentally forget to renew on time and let your SSL certificate expire, you can take some solace in knowing that you are not alone. Below, we’re going to keep a running list of high-profile SSL expirations:
Equifax would have discovered the 2017 attack that compromised millions of people’s personal information a lot sooner if not for an expired digital certificate. For ten months following the expiration of the certificate, Equifax couldn’t inspect the traffic running through its own network. That, in turn, caused it to miss the high-profile breach for 76 days, until the certificate was finally replaced and inspection resumed.
In the first half of 2018, Cisco had an issue that superseded regular SSL certificate expiration—Cisco had a root expire. As we discussed a few days ago, Root certificates are an integral part of the SSL/TLS trust model. Seated at the top of the proverbial tree, Root certificates are used to sign and issue intermediates and end user SSL certificates. In this case, the root was attached to one of Cisco’s VPNs, meaning every certificate it issued to end users could have potentially become invalid, too. Fortunately, that doesn’t appear to have happened; users were just blocked from generating new endpoints.
The issue was resolved in APEC-EM Release 1.6.3.
Niantic seems to be having a bit of a resurgence with Pokemon Go, but back in January of 2018 the game was running into game-breaking bugs and a litany of other problems—one of which was the expiration of one of its SSL certificates. The outage was short, lasting just about half an hour, but it was more egg on Niantic’s face at the time.
It’s good to see their fortunes seem to be turning around.
The UK Conservative Party (the Tories, as they’re known in the UK) doesn’t have a great reputation when it comes to encryption, in general. Former home secretary Amber Rudd and Prime Minister Theresa May have both publicly criticized encryption despite clearly not understanding very much about it.
So it was ironic, then, on January 8, 2018 when the Tories’ website went down following the expiration of its SSL certificate.
At the beginning of December 2017, LinkedIn allowed one of its SSL certificates to expire. It knocked out LinkedIn sites in the US, UK and Canada. As Venafi VP Kevin Bocek said at the time:
“LinkedIn’s blunder demonstrates why keeping in control of certificates is so important. While LinkedIn will have thousands of certificates to keep track of, outages like yesterday’s show that it only takes one expiry to cause problems. To stay in control, organizations should look to automate the discovery, management and replacement of every single certificate on its network.”
LinkedIn quickly fixed the problem with a DigiCert Organization Validated SSL certificate.
In early 2017 Time Warner compounded the boneheaded oversight that let its email server’s SSL certificate expire by offering its customers some equally boneheaded advice on remedying the situation:
“…going into your email settings and disabling SSL will stop the pop-up message and re-enable the webmail fetch.”
This is terrible on so many levels. Let’s start with the fact that this is awful advice. Don’t ever disable SSL. Ever. Second, it’s incumbent upon the company that lets its SSL certificate expire to replace it in short order. It’s not the customers’ job to change their settings to compensate for that company’s negligence. Third, who the hell is still using Time Warner as an email service?
How to avoid letting your SSL certificate expire
Enterprise businesses have a different set of problems when it comes to certificate management. Whereas Small and Medium-Sized Businesses (SMBs) may just have one, or a handful of certificates, Enterprise companies have sprawling networks, myriad connected devices and just a lot more surface to cover in general. At the enterprise level, allowing an SSL certificate to expire is usually the result of oversight, not incompetence.
We work with a lot of Enterprise companies on meeting these challenges. Here is some actionable advice on avoiding certificate expiry.
- Whatever CA or SSL service you got your SSL certificates from will send you expiration notifications at set intervals starting at 90 days out. Make sure that you set these reminders to be sent to a distribution list and not just a single individual. The Point-of-Contact you used when getting the certificate issued may not be there by the time it expires. Maybe they moved on, got promoted or just drank a little too much at the office Christmas party and got canned—whatever the case you need to make sure the notifications are reaching the right people.
- Identify the proper channels to escalate reminders as the expiry date approaches. For instance, at 90 days out you might just want to have the notification sent to your distribution list. At 60 days you have it sent to your list, and to your system admin. At 30 days you send it to both the list and the system admin, and now your IT Manager gets looped in.
- Find a good certificate management platform. One of the biggest challenges facing enterprise businesses is visibility. You can’t replace expiring certificates if you can’t see them. We try to stay vendor agnostic, but DigiCert, Comodo and Venafi all have tremendous platforms that can help enterprises see and manage digital certificates across their entire infrastructure. Also, make sure you log in regularly so you can stay apprised of when you have renewals coming up.
- Decide on what CA(s) you want to work with and then set up CAA records to restrict who can issue for your domains. This will help to eliminate the possibility of new rogue certificates being issued. The more you can consolidate your PKI into a single platform, the better off you’ll be.
- Speaking of rogue certificates, find a good scanning tool and then use it regularly to find and track rogue certificates.
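As an added example (not code from the original post), here is a small Python monitor that implements the 90/60/30-day escalation ladder above over a constructed certificate inventory; the e-mail addresses, host names and `notAfter` dates are assumed placeholders.

```python
import socket
import ssl
from datetime import datetime, timezone

# Escalation ladder from the article (90/60/30 days out); addresses are assumed placeholders.
ESCALATION = [
    (90, ["certs-list@example.com"]),
    (60, ["certs-list@example.com", "sysadmin@example.com"]),
    (30, ["certs-list@example.com", "sysadmin@example.com", "it-manager@example.com"]),
]

def days_until_expiry(not_after: str, now: datetime) -> int:
    """Days left, given notAfter as ssl.getpeercert() formats it ('Jun  4 12:00:00 2025 GMT')."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days

def recipients_for(days_left: int) -> list:
    """Who gets the reminder at this point on the ladder; [] means no alert yet."""
    if days_left < 0:                      # already expired: page the whole 30-day group
        return ESCALATION[-1][1]
    chosen = []
    for threshold, people in ESCALATION:   # 90 -> 60 -> 30; the tightest matching tier wins
        if days_left <= threshold:
            chosen = people
    return chosen

def triage(inventory: dict, now: datetime) -> dict:
    """Map {name: notAfter} to {name: (days_left, recipients)} for a whole inventory."""
    result = {}
    for name, not_after in inventory.items():
        days_left = days_until_expiry(not_after, now)
        result[name] = (days_left, recipients_for(days_left))
    return result

def fetch_not_after(host: str, port: int = 443) -> str:
    """Read the leaf cert's notAfter from a live server (needs network; not used offline).
    With default verification an expired cert raises ssl.SSLCertVerificationError here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

# Constructed sample inventory, triaged at a fixed "now" so the results are stable.
SAMPLE_NOW = datetime(2025, 3, 6, 12, 0, tzinfo=timezone.utc)
SAMPLE_INVENTORY = {
    "www":  "Jun  4 12:00:00 2025 GMT",  # 90 days out -> list only
    "mail": "Apr  5 12:00:00 2025 GMT",  # 30 days out -> list, sysadmin, IT manager
    "vpn":  "Mar  1 12:00:00 2025 GMT",  # expired five days ago -> everyone
    "cdn":  "Jan  1 12:00:00 2026 GMT",  # comfortably valid -> no alert yet
}
```

Calling `triage(SAMPLE_INVENTORY, SAMPLE_NOW)` returns, for each name, the days left and who should be notified; to check real hosts, build the inventory from `fetch_not_after`, treating a verification error as an already-expired entry.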
So, that’s what happens when your SSL certificate expires
Forgetting to renew or replace an expiring SSL certificate can happen to anyone. But there are a lot of tools available to help minimize the risk that poses. The key, as we’ve discussed, is having visibility and good lines of communication so you can get out ahead of expiration.
Eventually, things will be automated to the point where we don’t even have to think about this, but we’re not quite there yet. So bear with us a little longer.