Let’s understand first – what happens when a Website or Server is secured with an “HTTPS” connection using an SSL/TLS Certificate? It does 2 things – Server authentication and Traffic Encryption.
When a user connects to the Website or Server using a browser a handshake happens. The certificate on the server shares its Public key the Certificate and tells the user some basic details like Common Name, Organization Name, Location, Country, Start Date, and Expiry date. This is called Authentication where the Server identifies itself to the user.
In turn, the user’s PC uses this Public key of the Server certificate to encrypt the data it shares with the server. When this data reaches the Server data is decrypted using the Private key of the certificate. Thus data transferred from the user is encrypted and only the Server can decrypt and read it correctly. If anyone snoops on the network traffic he sees only encrypted data and can’t make any sense.
Now let’s understand what happens when SSL/TLS Certificate is not renewed. When a user connects to the server – during the authentication process – the browser checks whether the certificate is valid or not. In case the current date is beyond the expiry date then the browser immediately displays any one of the following error messages:
“Your connection is not private” or “This site is not secure” or “Warning: Potential Security Risk Ahead”
And all this means that the user is warned of the security risk. In most cases, the user decides not to go ahead unless the user knows why he is doing so.
In the past, there have been cases where websites of high-profile companies didn’t renew the SSL/TLS Certificates on time, which lead to significant user dissatisfaction and perhaps loss of business.
How to avoid Certificate Expiry?
Nowadays SSL/TLS Certificate issued by a public Certifying Authorities is of 1-year duration. Of course, non-public Certifying Authorities can issue certificates of a longer duration.
Usually Certifying Authorities or Certificate Provider issues renewal notice in advance (usually 45/30 days) by Email to the contact person who is responsible for the certificate renewal. He is expected to place the renewal order on the supplier well in time before the certificate expires. When the certificate is renewed the new certificate starts from the date of issuance and adds un-expired days to the expiry date.
Nowadays some public Certifying Authorities are allowing customers to place orders for multiple years by doing advance booking of renewals. In this case, the certificate is issued for 1 year only as per CA/Browser Forum’s guideline but it’s renewed every year without the need to go through commercial order every year. By doing this customer gets assurance that the certificate will not expire for a certain number of years.