What Happens When Your SSL Certificate Expires - Webnames Blog

We dive into the dangers of an SSL certificate expiring, how it happens and how you can prevent it.

In today’s subscription-based world, there are always services rolling over into renewal or getting forgotten about. It’s fairly commonplace. Usually, if something is not renewed, it is not catastrophic. Worst case scenario, you forget to renew your car registration tags and you get a ticket. But when it comes to SSL/TLS certificates, a missed renewal and an expired certificate could lead to some pretty serious consequences. And having an SSL certificate expire under someone’s watch (or lack of watch) happens more frequently than you think.

SSL Certificate Expiration Stats

As mentioned, SSL certificates expiring is not an uncommon problem. Many companies run across this issue. The 2021 State of Machine Identity Management report from the Ponemon Institute has some excellent data on this. This report surveyed well over 1,000 respondents in IT, information security, infrastructure, development, and other similar fields.

Their data found that “88% of organizations reported experiencing at least one unplanned outage due to expired certificates in the past 24 months. Another 41% report experiencing four or more outages. According to respondents, the likelihood of these unplanned outages occurring in the next 24 months is 40%, up from just 25% in the 2020 study.”

Like we said, this is not an uncommon occurrence.

How SSL Certificates Expire

You might be thinking, “how does an SSL certificate expire?” Well, there are a few reasons this could happen. For one, SSL certificates require authentication of your domain or organization (or both) with your CA prior to issuance. They also require re-validation with your CA to ensure the SSL certificate is issued to the correct party after a period of time. Your business or website could be sold and now a whole new entity is in control of these authenticated SSL certificates. It’s important for the CAs to have the correct information.

Furthermore, SSL certificate validity periods have shrunk more and more over time: from 5 years to 3 to 2, and now an SSL certificate cannot be issued for longer than 1 year (398 days). So, an SSL certificate can easily expire if not properly managed or tracked.

So, how does someone let a certificate pass this expiration date?

Every answer to this question generally falls under the certificate management umbrella. Here are some possible reasons:

Lack Of or Limited Visibility

You can’t renew an SSL certificate if you don’t know it’s there. You need a process or system that can keep visibility over all of your SSL certificates. If you lose track or can’t easily see your entire body of SSL certificates, you could let one slip by and not get renewed. Now you have an expired SSL certificate and all the risks associated with that.

Manual Processes

If you are manually tracking your SSL certificates, there is always room for human error. Unfortunately, enterprise SSL lifecycle automation doesn’t make sense for businesses with a handful of SSL certificates. In this case, it is important to set up monthly or quarterly alerts to review your SSL settings, protocols and renewal status. For enterprises with a larger SSL/TLS portfolio, automation services can be extremely worthwhile, taking care of the renewal process from CSR generation through to installation.
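A small expiry check that could back those review alerts, as an added example (not Webnames code or tooling). The hostnames, the 30-day renewal window and the function names are assumptions; the sample expiry dates are constructed.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30                    # assumed renewal window; tune to your process
X509_V_ERR_CERT_HAS_EXPIRED = 10  # OpenSSL verify code for an expired certificate

def days_left(not_after, now):
    """Whole days until a notAfter string such as 'Jun 15 00:00:00 2024 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days   # negative once the certificate has expired

def classify(days, warn_days=WARN_DAYS):
    if days < 0:
        return "EXPIRED"
    return "RENEW" if days <= warn_days else "OK"

def fetch_not_after(host, port=443, timeout=5.0):
    """Return the live certificate's notAfter, or None if it has already expired."""
    ctx = ssl.create_default_context()          # verification stays on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as err:
        if err.verify_code == X509_V_ERR_CERT_HAS_EXPIRED:
            return None                         # handshake refused: already expired
        raise                                   # other trust failures need a human

def review(inventory, now):
    """inventory maps host -> notAfter string (None = expired); most urgent first."""
    rows = []
    for host, not_after in inventory.items():
        days = -1 if not_after is None else days_left(not_after, now)
        rows.append((days, host, classify(days)))
    return sorted(rows)

if __name__ == "__main__":
    # Constructed sample inventory; in use, build it with fetch_not_after(host).
    sample = {
        "www.example.test": "Dec  1 00:00:00 2024 GMT",
        "api.example.test": "Jun 15 00:00:00 2024 GMT",
        "shop.example.test": "May 20 12:00:00 2024 GMT",
    }
    for days, host, status in review(sample, datetime(2024, 6, 1, tzinfo=timezone.utc)):
        print(f"{status:8} {host:20} {days:5d} days")
```

Run it from a scheduler against the full host inventory, so that a certificate nobody remembers still shows up in the report.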

The Risks of an SSL Certificate Expiring

When it comes to an SSL certificate expiring, there are many risks, and many examples of it happening. Microsoft Teams infamously went down in February 2020. The outage was embarrassing as Microsoft had just launched a large-scale TV marketing campaign for the office hub software service. They “determined that an authentication certificate has expired causing users to have issues using the service.”

Another unfortunate incident of an SSL certificate expiring with a major company was when Epic Games (the maker of Fortnite, among other games) suffered a substantial outage due to an expired certificate. Interestingly enough, Epic Games copped to the “embarrassing” incident, citing “we felt it was important to share our story here in hopes that others can also take our learnings and improve their systems.”

While these examples shed light on “embarrassing” situations, embarrassing is the least of your worries when it comes to an SSL certificate expiring. Here are some of the dangers you can face when an SSL certificate expires…

Outages Are Not Good for Business

If a customer can’t interact with your product or service, then there is a good chance you are missing out on some type of awareness or revenue generating opportunity. Also, if your customers or clients are missing out on your service due to this outage, then who knows how this will affect your long-term relationship with them or what type of reimbursement they could be looking for. An outage can do significant damage to your reputation as well – causing you to lose trust with partners and customers alike. Remember this, dependability is often your best ability.

In addition to the issues outlined above, an expired SSL certificate can also cause you to face fines from regulatory bodies. You don’t want to face an audit not knowing if your certificates have expired or not. It bears repeating, an outage is just plain not good for business.

An Expired Certificate Can Lead to a Data Breach

Your SSL certificate expiring on you won’t just cost you in terms of revenue and relationships; your cybersecurity could also be at risk. The infamous Equifax data breach was caused by an expired certificate. The expired certificate disabled a monitoring system, which led to data being harvested for 76 days. The cost of this attack has surpassed $1 billion.

An expired SSL certificate can lead to something called a man-in-the-middle attack. Without the SSL certificate’s encryption, a hacker can wedge themselves between a browser and web server. With the line of communication between the two being insecure, it allows the hacker to impersonate one of the endpoints and intercept data while in transit.

In addition to a man-in-the-middle attack, an expired SSL certificate can lead to session/cookie hijacking attacks as well. When a user logs in to a web application, the server sets a short-term session cookie in the user’s browser. This allows for the user to be remembered and stay logged in. However, if a hacker knows the user’s session ID, they can perform a session (or cookie) hijacking attack. This essentially consists of the hacker using the user’s session ID (which they stole), to trick the server into thinking the hacker is the user. Once the hacker has performed this attack, they are now basically authenticated to do anything the user would be authenticated to do.

So, the question you may have is “how did the hacker steal the session ID in the first place?” Well, there could be a few reasons for that, including an expired SSL certificate. The expired certificate could leave users susceptible to their session ID being stolen and their session ultimately being hijacked.

How to Prevent an SSL Certificate from Expiring

With all this talk about how disruptive and damaging an SSL certificate expiring can be for your organization, I’m sure you are wondering how to prevent it. Tools like Webnames Advanced SSL Management Kit can be a big help. With SSL tagging to keep certificates organized according to business unit, server, or designated IT manager, and a cloning feature to streamline reissuing the same certificate on new servers, the potential for errors drops significantly.

For large organizations with 50 or more SSL/TLS certificates in play, certificate management platforms that automate the process of managing your certificates, with more visibility and greater ease of use, are an excellent option.

If you’re managing an SSL portfolio and want to explore either of these options, reach out to our team to discuss your needs or request a demo.
