The Importance—and Risk—of Certificate Expiration

This blog was contributed by Chris Hickman, CSO, Keyfactor.

Secure Sockets Layer (SSL) certificates are an important factor in securing web sites, applications, and machine-to-machine connections via web services. Each day, thousands of SSL certificates expire. However, in many cases these events go largely unnoticed as they are not related to web sites that have limited viewership or are web services incorporated into larger web platforms.


However, certificate expirations have led to numerous recent high-profile and lengthy outages, such as the ones affecting Epic Games, Microsoft Teams and Google Voice. These outages happen when certificate expiration goes unnoticed, and web site owners forget to renew the certificates in time. This is where the crux of the issue resides.

Most organizations have thousands upon thousands of SSL certificates. Nowadays, publicly issued certificates are only valid for 398 days, with some having even shorter lifespans of 90 days or less. When an SSL certificate needs to be renewed, it requires manual steps to renew the certificate and install it at the required endpoints. This makes the task of manually tracking where each of these certificates reside, who owns them, and when they expire, extremely difficult to do at scale. Furthermore, it is often different teams who are responsible for the renewal activity and the implementation of the renewed certificate.


With an ongoing stream of certificate expirations, renewing each certificate is an impossible, ongoing challenge for security and PKI teams. In fact, a recent Keyfactor report found that 88% of companies continue to experience unplanned outages due to expired certificates. In addition, the average organization experienced more than three certificate outages within the past two years, with 40% of those organizations reporting that they have a high likelihood of experiencing more outages.


As the number of certificates grows within an organization, the visibility into these assets becomes more limited. This becomes a huge issue if the organization manages their certificates through manual, error-prone processes, as it increases the risk that an expired certificate will slip through the cracks and cause costly outages. Industry surveys estimate that network downtime triggered by expired certificates costs organizations more than $300,000 per hour.


Certificate Lifecycle Automation to the Rescue

IT and security leaders tend to view certificate outages as an unexpected event, rather than a symptom of the larger underlying issue – ad hoc and manual certificate management processes. The key to managing certificates successfully is to embrace certificate lifecycle automation.


Beyond reducing time-consuming processes and human error, certificate lifecycle automation empowers organizations to actively monitor every certificate, enable automated renewals and deployment to workloads and endpoints, and limit the use of non-compliant, unknown, self-signed, and wildcard certificates that significantly increase risk and the impact of an outage.


While many certificate management solutions exist, the ideal platform should meet each of the following requirements:


Provide Full Visibility: The ultimate goal of certificate lifecycle automation is to prevent certificate outages and eliminate blind spots and stay in compliance with regulations and policies. A certificate management solution should integrate directly into public and private CA databases to issue, renew, revoke and inventory certificates in real time. This allows PKI and security teams to know where all of their organization’s certificates are, when they are set to expire, and which applications and owners the certificates are tied to. They can also identify rogue, non-compliant or weak certificates and respond quickly with revocation and replacement of those certificates.


Simplify Tracking and Reporting: An interactive dashboard serves as a single pane of glass view of an organization’s certificate infrastructure. The ability to view all certificates in one place allows teams to better organize and monitor certificates across all cloud and on-prem environments. Dashboards that provide capabilities to tag certifications with custom metadata make it easier to search and filter through an organization’s certificate inventory. With an organized inventory, teams can then drill down into certificate attributes, and monitor status for configuration, expiration, and compliance – and even create automated alerts and workflows to automatically renew certificates before they expire.


Enforce Policy Guardrails: The right certificate management solution should ensure every certificate can be trusted, is compliant, and is up-to-date, without disrupting user and infrastructure productivity. This includes providing organizations with the ability to define granular, role-based access and permissions, as well as set rules for certificate enrollment and approval processes. Organizations should also have an audit log of all user and certificate-related activities.


Many organizations today rely on a patchwork of tools or manual processes to manage digital certificates, making it that much easier for certificates to expire unnoticed. Embracing certificate lifecycle automation allows organizations to flip the script by taking a proactive – versus a historically reactive – approach to certificate management, ensuring that expired certificates do not turn into costly, lengthy outages.


About Chris Hickman

Chris Hickman is the chief security officer at Keyfactor. As a member of the senior management team, Chris is responsible for establishing & maintaining Keyfactor’s leadership position as a world-class, technical organization with deep security industry expertise. He leads client success initiatives and helps integrate the voice of the customer directly into Keyfactor’s platform and capability set.


###