SSL.com

SSL Certificate Expiration Guide

Why do SSL Certificates Expire?

Think of an SSL certificate as a passport for your website, verifying its identity and ensuring secure connections. Just as passports require renewal to ensure they haven’t been tampered with or that the holder’s details haven’t changed, SSL certificates need regular updates for similar reasons. All SSL/TLS certificates issued by SSL.com currently have a validity period of 397 days. This stringent validity period, adopted by major browsers, reflects a proactive approach to several evolving cybersecurity challenges.
 

When did SSL.com Start Issuing 397-day SSL Certificates?

Starting in August 2020, SSL.com limited the lifespan of SSL/TLS certificates to a maximum of 397 days. This was partly prompted by Apple’s decision not to trust SSL certificates with a validity period greater than 398 days on its Safari browser and iOS/iPadOS/watchOS/tvOS devices. 

How do Certificates in Multi-year Orders Expire? 

SSL certificate orders that are two years or more in duration will still follow the 397-day validity rule. This means that every year, customers with multi-year orders will have to request a new issuance of their certificate, then download and install it on their server to replace the expired one. However, discounts for multi-year certificates have been retained. Customers can contact support@ssl.com if they need further assistance.

What are the Security Benefits of Promptly Renewing Expiring SSL Certificates? 

By setting a maximum validity of just over a year, we’re taking proactive steps to safeguard against potential vulnerabilities. In simple terms, shorter certificate lifespans make it tougher for bad actors to exploit outdated security technology. Cyber threats are constantly evolving, and what is considered secure today might not be tomorrow. Regularly renewing certificates ensures your site uses the most current security protocols, making your business and your customers safer.

This limitation reduces the window of opportunity for attackers to exploit potentially compromised certificates. A shorter certificate lifespan necessitates more frequent renewal processes, thereby ensuring that the cryptographic standards of the certificates remain robust against the continually advancing capabilities of adversaries.

This frequent renewal cycle compels organizations to adopt automated certificate management processes. Automated certificate management processes not only minimize human error but also encourage the adoption of the latest security practices and algorithms, enhancing the overall security infrastructure. In line with this, SSL.com offers the popular ACME protocol to all customers for SSL/TLS certificate automation. Automated Certificate Management Environment (ACME) is a standard protocol for automating domain validation, installation, and management of X.509 certificates. For more information on SSL.com’s implementation of ACME, please refer to this article: SSL.com Supports the ACME Protocol for SSL/TLS Certificate Automation.

Moreover, the reduced validity period addresses the rapid pace of technological evolution and the corresponding shifts in security standards. It ensures that certificates adhere to current cryptographic standards, algorithms, and practices, which are essential for maintaining the integrity and confidentiality of communications. By compelling entities to regularly update their certificates, it guarantees that older, potentially vulnerable cryptographic methods are phased out more swiftly, thereby mitigating the risks associated with legacy encryption technologies.

How does SSL.com send Expiration Reminders for SSL Certificates? 

SSL certificates are inherently time-limited, necessitating vigilant management to avoid lapses in coverage. Recognizing this, SSL.com proactively dispatches email alerts as your certificate nears its expiry date, enhancing your security posture by preventing unintended service interruptions or vulnerabilities.

You have the flexibility to customize up to five reminders, which are triggered and sent out based on the number of days before the certificate expires that you’ve specified. For example, if you choose a 30-day reminder, you’ll receive an email notification exactly 30 days before your SSL certificate is set to expire.

Initially, these reminder emails are directed to both the administrative and technical contacts designated during the certificate purchase. You’re given the option to update these email addresses or adjust which contacts receive the notifications. You can modify these notification settings directly within your SSL.com account, providing you with comprehensive control over how and when you receive these critical reminders.

The following are instructions on how you can modify the expiration notification settings for your certificate:
  1. On your SSL.com account, click Monitoring on the top menu to display your list of certificates that can be configured for expiration reminders. On the Friendly Name column, click the link indicating ng (notification group) followed by the reference number of your certificate (e.g. co-ab123456c).

  2. On the Notify These Contacts section, place the email addresses of the persons you want to receive expiration reminders for your certificate.

    On the Expiration Reminders section, you can customize the schedule when the reminders will be emailed to you. You can choose to schedule reminders before, upon, and after the expiration of your certificate.

    On the Scan section, you have the option to exclude your certificate from SSL.com’s Health Check Monitoring (HCM) service by checking the Disabled ? box. 

    Click the Save button once all options are finalized. 

    Note: Customers are encouraged not to disable the HCM service because it provides a lot of security benefits for your domain. Please refer to the next section for more information about HCM.
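
An independent check that complements the email reminders, added here as an example (it is not SSL.com code): it reads the notBefore/notAfter fields of a certificate, flags a lifetime above the 398-day limit mentioned earlier, and reports which reminder threshold has been reached. The reminder schedule, function names and sample certificates are assumptions constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=398)   # trust limit this page attributes to Apple
REMINDER_DAYS = (60, 30, 14, 7, 1)   # assumed schedule (the page allows up to five)

def _utc(cert_time):
    """Parse a getpeercert() timestamp such as 'Apr  2 00:00:00 2026 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)

def check_certificate(cert, now, reminder_days=REMINDER_DAYS):
    """Evaluate the notBefore/notAfter fields of a getpeercert() dict at time `now`."""
    not_before, not_after = _utc(cert["notBefore"]), _utc(cert["notAfter"])
    lifetime = not_after - not_before
    days_left = (not_after - now).days   # floors, so it is negative once expired
    if now < not_before:
        status = "not yet valid"
    elif now > not_after:
        status = "expired"
    else:
        status = "valid"
    crossed = [d for d in reminder_days if days_left <= d]
    return {
        "status": status,
        "lifetime_days": lifetime.days,
        "over_limit": lifetime > MAX_LIFETIME,
        "days_left": days_left,
        # Tightest reminder threshold already reached, or None if none is due.
        "reminder": min(crossed) if crossed and status == "valid" else None,
    }

def fetch_certificate(host, port=443, timeout=5.0):
    """Fetch the leaf certificate from a live server (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # An expired certificate fails here with ssl.SSLCertVerificationError,
        # which is itself the signal that a renewal was missed.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample data, shaped like getpeercert() output.
SAMPLE_397 = {"notBefore": "Mar  1 00:00:00 2025 GMT", "notAfter": "Apr  2 00:00:00 2026 GMT"}
SAMPLE_2YR = {"notBefore": "Mar  1 00:00:00 2025 GMT", "notAfter": "Mar  1 00:00:00 2027 GMT"}

if __name__ == "__main__":
    now = datetime(2026, 3, 10, tzinfo=timezone.utc)
    for name, cert in (("397-day", SAMPLE_397), ("two-year", SAMPLE_2YR)):
        print(name, check_certificate(cert, now))
```

To check a live site, pass the result of fetch_certificate("your-domain") and datetime.now(timezone.utc) to check_certificate.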


What is SSL.com’s SSL/TLS Health Check Monitoring (HCM)?

SSL.com’s Health Check Monitoring (HCM) service complements the SSL certificate expiration reminders by providing a more comprehensive and proactive approach to managing SSL/TLS certificates and overall website security. By subscribing to SSL.com’s Health Check Monitoring (HCM) service, customers gain several significant additional security benefits beyond just receiving free expiration reminders for their SSL/TLS certificates.

Our SSL/TLS Health Check Monitoring (HCM) service is designed to provide real-time, detailed insights into your website’s SSL/TLS certificate configuration. This service meticulously analyzes your domain’s certificate to evaluate its security effectiveness and the precision of its installation. It identifies the compatibility with various ciphers and algorithms, as well as compliance with trusted repositories including Google Chrome, Microsoft Edge, Mozilla Firefox, Apple Safari, and Java.

In addition, the HCM service keeps account managers proactively informed about the expiration dates of certificates, allowing for timely renewals. Moreover, in scenarios where critical alterations occur, such as site unavailability due to an expired or revoked certificate, account managers are immediately alerted.

Customers can also utilize our intuitive interface to effortlessly schedule regular website scans. These scans can be customized to occur at specific time intervals, even down to the minute, or can be set for particular days or dates. This flexibility ensures continuous monitoring and maintenance of your website’s SSL/TLS health.

In summary, while SSL.com’s expiration reminders are a useful tool for maintaining the validity of SSL/TLS certificates, the Health Check Monitoring service provides a deeper level of security management. It ensures that certificates are not only up-to-date but also properly installed and configured for maximum security and compliance, offering a holistic approach to digital certificate management and website security.

The image below shows an example of a Health Check Monitoring email that SSL.com sends to customers.


For more information about SSL/TLS Health Check Monitoring, check out our dedicated page.