Your site has been configured with a SSL/TLS certificate from a trusted authority, but you're receiving risk findings that say your SSL certificate expired or is expiring. How can that be and what does it mean for your organization's cybersecurity?
SSL/TLS certificates provide a critical security layer for your public web systems using the transport layer security (TLS) protocol (and its predecessor secure sockets layer or SSL). These digital certificates are used to establish an encrypted connection between servers so that site traffic is protected. The certificates also communicate to your hosting provider and end-user that your organization owns the domain that the user wants to access.
SSL/TLS certificates are time-limited and must be renewed to keep the SSL/TLS connection available for users. Keeping these certificates updated will help to protect your website security. An expired or misconfigured certificate will impede users from accessing your site and can expose user data to man-in-the-middle attacks where the malicious actor would receive unencrypted communications, like users' credentials and other sensitive information. Most web browsers will supply a warning message about unencrypted site access, and sometimes a user's browser will halt traffic to any sites with expired certificates so users may be unable to authenticate and access the website at all. If your site is not secure, your users are exposed to increased risk and may lose trust in your service.
Ensuring that your SSL/TLS certificates are up-to-date with a recurring renewal process is a crucial aspect for securing your external assets, preventing outages, and protecting against security risks.
How Does SSL/TLS Work?
Secure sockets layer (SSL) and transport layer security (TLS) are communications protocols for web traffic that use cryptographic processes to protect data being transferred. An encryption algorithm checks that the system sending information and the system receiving information have the necessary certificates for that data transfer, and that no one else can read the data being shared. This process is called a TLS handshake and uses asymmetric cryptography to exchange keys for authentication. The key exchange includes a shared cipher spec to communicate with encoded private keys.
SSL/TLS uses Hypertext Transfer Protocol Secure (HTTPS) to guarantee secure client connections. The SSL/TLS certificate is used during the TLS handshake for secure web browsing, which is one part of the public key infrastructure (PKI) that supports secure browsing. Domain name system (DNS) will route your user's browser to your system through the domain they supply in the browser's address bar.
You can review the SSL/TLS certification status of any website by clicking the padlock next to the URL for the website in your browser. If the information panel loads the "Connection is secure" pop-up, then the site has an active certificate. You can find additional details about any certificate by pressing the "Certificate is valid" option, which will load a certificate view panel with information about the issuer, requester, validity period, fingerprints, and certificate chain. You can also use an automated scanning tool to review certificate information.
Types of SSL/TLS Certificates
The type of certificate you select will depend on your organization's needs and how you need to process user data. The certificate authority will perform a domain control validation (DCV) to verify that the certificate requester has the appropriate domain ownership. As the website owner, you need to install and renew your SSL/TLS certificate regularly for all domains and subdomains you own. You provide this information to the certificate authority in a certificate signing request (CSR).
Certificate authorities provide certificates for different organizational needs, including the following:
- Single-domain certificates secure only one domain.
- Multi-domain certificates secure a top-level domain and multiple subdomains (using the Subject Alternative Names field in the CSR to supply subdomains).
- Wildcard certificates secure a top-level domain and any subdomains associated with it (using the *.your_domain.com notation method).
The level of validation may also range according to your business needs. Certificate authorities list verification criteria for each of the following certification methods in a certificate policy:
- Extended Validation certificates: EV certification includes an extensive vetting process that is conducted by a subset of certificate authorities and requires proof of the requester's legal identity.
- Organization Validated certificates: OV certification requires two criteria before certificate issuance. To receive an OV certificate, you need to supply proof of domain ownership and confirmation for a legally registered business.
- Domain Validated certificates: DV certification uses a single proof of control (such as DNS records or email verification) to confirm the requester owns the domain.
For a personal blog, a domain validated certificate for a single domain will probably suffice, whereas organizations that provide a variety of services are more likely to need an EV or OV certificate for multiple domains (whether through a multi-domain or wildcard certificate).
Common SSL Expiration Risks
While you definitely need to keep track of the certificate expiration date, you might also want to pay attention to upcoming expiration and valid expiry durations. Some certificates, such as those issued by Let's Encrypt, are set up with auto-renewal. By keeping track of upcoming certificate expirations, you can ensure that your certificates are reissued as needed or that your auto-renewal is working as expected.
In addition to the SSL expired finding, UpGuard scans for upcoming expirations and certificates misaligned to current practices for duration. We notify users with these risk findings for certificate expiry duration:
- SSL expires within 20 days
- SSL chain certificate expires within 20 days
- SSL expiration period longer than 398 days
Because SSL/TLS certificates ensure protection for your site users, you need to keep them up to date. Most certificate authorities allow you to start your renewal within 30 days of the expiration date. Identifying the upcoming expiration within that window of time empowers you to get your certificates renewed and configured appropriately across your services. This practice ensures that your users will not face any downtime or service failure while you renew your SSL/TLS certificates.
Most organizations have multiple SSL/TLS certificates in a certificate chain that provides validity and is used to authenticate at multiple levels. The certificate chain includes a root certificate that validates the issuer (your trusted certificate authority) and intermediate certificates to ensure the root keys are not compromised. Every certificate in the chain is signed by the next certificate in the chain, so a single certificate expiring will invalidate the entire chain. When a link in the certificate chain is about to expire, it will need to be renewed or reissued and updated within your system.
UpGuard communicates the certificate expiry risk findings with a 20 day window before expiration so that there is ample time for updates.
The maximum validity duration for SSL/TLS certificates was updated in September 2020. Shortening the duration of the certificate validity establishes an additional protection for authentication to protect against brute force attacks and other attempts to break encryption. The current practice for SSL/TLS validity duration is 398 days, though some certificate authorities will issue shorter durations. If your SSL/TLS certificate expiration period is more than 398 days, it may introduce complications with browser communication and users may be unable to access your site as a result. Certificates with shorter durations provide an opportunity to implement the latest encryption standards and protect against any known vulnerabilities identified in the certificate's encryption algorithm.
Now that you understand what SSL/TLS certificate expiration means for your organization, you can take steps to resolve the risk.
How to Renew SSL Certificates
Each certificate authority has a slightly different user experience but all certificate activations follow the same general process:
- Generate a certificate signing request with your choice of certificate authority and provide all the necessary details for the type of SSL/TLS certificate you need.
- Complete all the steps of the domain control validation process related to your choice of certificate. Renewing or reissuing a domain validated certificate will typically go faster than organization validation and extended validation certificates.
- Activate the certificate and keep track of your CSR and private key.
- Install the certificate on your servers, configuring any additional parameters as needed.
- Repeat the process for all certificates in your certificate chain.
- Take note of the certificate expiry date to ensure that you renew the certificate before it expires.
Maintaining awareness of your certificate lifecycle will help you avoid SSL expiration. The next section contains additional guidance for adding security certificate issuance to your regular lifecycle management review process, which might be handled by your security and procurement teams.
How to Resolve SSL Expiration Findings
Certificate management includes checking that all of your necessary systems are set up with SSL/TLS certificates. Set up an expiration tracking system to ensure that you renew SSL certificates before they expire. Current SSL expiry durations are limited to a maximum of 398 days and will not be valid if they are longer than 398 days.
Renewal for your certificate lifecycle should occur annually at least, if not more regularly. The 398 day certificate validity window accounts for one year plus an additional month to handle renewals. You might consider implementing a shorter validity duration and renewal period so that you can implement updated certificates on a recurring basis.
If your SSL/TLS certificate has expired (the SSL expired finding), you should immediately begin the renewal process with a trusted certificate authority. You may need to submit a new CSR as part of the renewal, since expired certificates must be replaced with valid certificates to ensure SSL/TLS functionality. Once your new SSL certificate has been configured for your system, your users will be able to continue accessing your site with confidence that the SSL/TLS protocol is functioning.
How UpGuard Can Help
UpGuard BreachSight provides continuous monitoring for your external attack surface, collecting threat signal data through non-intrusive scanning. We scan for common issues related to SSL/TLS certificates and notify users of risks, including the expiry dates for active certificates. These notifications appear in the BreachSight Risk Profile.
Current UpGuard users with the BreachSight feature can log in and access their Risk Profile to search for SSL expiration risks among their assets.
If you're not a current UpGuard user and you want to run an automated scan of your assets with BreachSight, sign up for a trial. BreachSight automation will help you stay updated with real-time insights to your external assets.
