Let’s understand first what happens when a website or server is secured with an “https” connection using an SSL/TLS certificate. It does two things: server authentication and traffic encryption.

When a user connects to the website or server with a browser, a handshake takes place. The server presents its certificate, which carries the certificate's public key and some basic details such as the Common Name, Organization Name, Location, Country, start date and expiry date. This is called authentication: the server identifies itself to the user.

In turn, the user’s PC uses this public key from the server certificate to encrypt the data it shares with the server. When this data reaches the server it is decrypted with the certificate's private key. Thus data transferred from the user is encrypted and only the server can decrypt and read it correctly. Anyone snooping on the network traffic sees only encrypted data and can’t make any sense of it.

Now let’s understand what happens when the SSL/TLS certificate is not renewed. When a user connects to the server, the browser checks during the authentication process whether the certificate is valid. If the current date is beyond the expiry date, the browser immediately displays one of the following error messages:

“Your connection is not private” or “This site is not secure” or “Warning: Potential Security Risk Ahead”

All of this means the user is warned of a security risk. In most cases the user decides not to go ahead unless they know why they are doing so.

In the past there have been cases where websites of high-profile companies didn’t renew their SSL/TLS certificates on time, leading to significant user dissatisfaction and perhaps loss of business.

How to avoid Certificate Expiry?

Nowadays an SSL/TLS certificate issued by a public Certifying Authority has a duration of 1 year. Of course, non-public Certifying Authorities can issue certificates of longer duration.

Usually the Certifying Authority or certificate provider issues a renewal notice in advance (usually 45/30 days) by email to the contact person responsible for the certificate renewal. That person is expected to place the renewal order with the supplier well before the certificate expires. When the certificate is renewed, the new certificate starts from the date of issuance and adds the unexpired days to the expiry date.

Nowadays some public Certifying Authorities allow customers to place an order for multiple years by booking the renewals in advance. In this case the certificate is issued for 1 year only, as per the CA/Browser Forum’s guideline, but it is renewed every year without the need to go through a commercial order each time. This gives the customer assurance that the certificate will not expire for a certain number of years.
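An added example, not from the original post, of the check a site operator can run themselves instead of relying only on the CA's renewal email: it reads the expiry date from a certificate in the form Python's standard ssl.getpeercert() returns and applies the 30-day renewal window mentioned above. The SAMPLE_CERT dictionary is constructed for illustration and fetch_peer_cert is a helper assumed here for use against a live host.

```python
import socket
import ssl
from datetime import datetime, timezone

# Renewal lead time in the post: CAs usually send notices 45/30 days ahead.
WARN_DAYS = 30

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; the
# date strings use OpenSSL's text form, which ssl.cert_time_to_seconds() parses.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}


def utc(year, month, day):
    """Timezone-aware UTC date, so comparisons never mix naive and aware times."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def days_until_expiry(cert, now=None):
    """Whole days between `now` (default: current UTC time) and the certificate's notAfter."""
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (not_after - now).days


def expiry_status(cert, now=None, warn_days=WARN_DAYS):
    """EXPIRED: browsers already show the 'not private' warning; RENEW_SOON: inside the renewal window."""
    days_left = days_until_expiry(cert, now)
    if days_left < 0:
        return "EXPIRED"
    if days_left <= warn_days:
        return "RENEW_SOON"
    return "OK"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Do a real TLS handshake (network) and return the leaf certificate as a getpeercert() dict.
    With the default context an already-expired certificate fails verification and raises
    ssl.SSLCertVerificationError, which is the same check the browser performs."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for day in (utc(2024, 11, 15), utc(2024, 12, 10), utc(2025, 1, 2)):
        print(day.date(), days_until_expiry(SAMPLE_CERT, day), expiry_status(SAMPLE_CERT, day))
```

Run the status check from a scheduled job and alert on anything other than "OK"; raising warn_days to 45 matches the earlier of the two notice periods the post mentions.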



What happens when a SSL/TLS Certificate is not renewed on time?