A certificate expires and systems go down. The first thing you want to know is how to fix it, fast. The next thing is how to prevent it from happening again.
Expired certificates manifest themselves in different ways, depending on where the expired certificate is installed. If it's on your main website (or load balancer), it will be obvious: browsers refuse the connection with a certificate warning, and you'll get an onslaught of emails and complaints almost immediately. Sometimes, though, the downtime is unexplained at first. If the certificate is internal to your application (between an application server and a database, say), clients simply stop connecting, and the only trace is a TLS handshake or certificate-verification error buried in a log. You may spend hours looking for the root cause, only to find an expired SSL/TLS certificate.
How to fix an expired certificate
In all cases, the outcome of a certificate-related outage will be a negative one—for you and for your business. If you’re responsible for certificates, you may get reprimanded or spend hours investigating and fixing the problem. The adrenaline will be pumping through your veins as minutes tick on during the certificate-related outage. You’ll refer to documents and websites on how to install a certificate, teach yourself how to generate a certificate signing request (CSR), and find a certificate authority to request a new certificate. The minute you install the certificate and systems start working again, you may tell yourself that you need to burn off some steam. Maybe go for a run? Have a drink of your choice? Not so fast.
You'll likely be invited to a postmortem meeting to discuss why the certificate expired without anyone knowing. Long, painful discussions will ensue. Finger-pointing may happen, or, if you are lucky, everyone will share the blame. In reality, the one thing everyone is likely to agree on is that tracking certificates in spreadsheets and calendar invites is no longer a suitable option.
After all the stress, you'll close your computer for the day (or late evening). And sigh. You'll feel some relief knowing you resolved the issue, but deep down you know that the war against expired certificates is still raging. It's like an invisible enemy. Lurking. Waiting for the perfect opportunity to say, "Hello again, I'm expired!" What will you do when you are clearly outnumbered?
That evening your thoughts will race. You'll realize that without a machine identity management solution in place to keep track of all those certificates, this could happen again. Will you still have a job the next time around?
How to avoid expired certificates in the future
You may start by Googling things like "certificate management solution," "machine identity management solution," or "fix expired certificate solution." All this Googling will help educate you on possible PKI solutions; but as someone who wants to fix this "once and for all," you'll want to put a solution in place right away. This week. ASAP. You'll want to show progress and be able to report back to management on the state of all your SSL/TLS certificates.
If you are lucky enough, you’ll hit the Venafi website and discover Venafi as a Service. You’ll sign up because it seems like an easy way to address your PKI pain points and it’s just a form fill away. You sign up. Swoosh, you’re in!
You’re amazed by your first login experience. Upon logging in, you see the certificate you just spent the day replacing—never to be overlooked again. Better than you thought possible. You may even start to feel like one of the beloved users who said, “I just loved it. It is amazing. Best in my lifetime. I logged in with my email address and it had all my certificates.”
After reviewing all the certificates that were automatically discovered for your domain, you’ll be hungry for more. Rather than discover every certificate in your network, you see that the tool offers a smarter way to find and organize your certificates. It allows you to create a subgroup for a given application and then find the related certificates. Smart idea. That will make it easy to know what certificates you are in charge of without sifting through hundreds or thousands of others. You dive in.
Where you’ll start seeing immediate results
You create an application called "Retail," which represents your e-commerce application. Your Retail application is a 3-tier application. You know that it uses certificates that are externally visible on the load balancer. It also uses internal certificates on the application server and database server. You type in the information needed to discover your application's certificates:
- For external certificates (publicly trusted, so every browser accepts them), you enter a fully qualified domain name (FQDN) and/or several IP addresses
- For internal certificates (typically issued by your own internal CA), you enter an IP address and the ports to scan, then download a lightweight executable and run it (no install required)
Within seconds, you start to see your certificate results populating before your eyes. It’s magical. The results are so comprehensive that you see some certificates you didn’t even know about—some are expiring in less than two weeks. Another close call avoided.
You are floored. That was so easy. Effortless even. Why didn’t you do this earlier?
You set yourself as the application owner and set up alerts so that you are notified before any of the certificates you're responsible for expire. You invite your colleague (who's your backup when you are on PTO) so that she is also alerted about expiring certificates. You look at your watch. It's been 10 minutes since you created your account. You already know you've hit the jackpot solution. You'll continue tomorrow and invite more colleagues, including information security and other application owners.
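The discovery-and-alerting steps above (enter IP addresses and ports, find the certificates behind them, get warned before they expire) are simple enough to script, and a practitioner who has no such tool yet usually starts with exactly that. The following is an added example written for this page, not Venafi code and not how Venafi as a Service works internally. It uses only the Python standard library. The endpoint names, the internal CA bundle path, and the certificate dates in the sample are made up for the example; the 14-day threshold mirrors the "expiring in less than two weeks" near-miss in the story.

```python
"""Inventory TLS endpoints and flag certificates that are expired or close to it.

Added example for this page (not Venafi's code): a minimal stand-in for the
IP/port discovery and expiry alerting described above, standard library only.
"""
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 14  # alert threshold: certs with this many days or fewer are flagged

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
# Names and dates are made up for the example.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.internal"),),),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 15 12:00:00 2024 GMT",
    "subjectAltName": (("DNS", "shop.example.internal"),),
}


def utc(year, month, day, hour=0):
    """Build a timezone-aware UTC timestamp (keeps checks reproducible)."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def days_until_expiry(cert, now=None):
    """Days until notAfter, negative once expired. notAfter is OpenSSL's text
    form ("Mar 15 12:00:00 2024 GMT"), which ssl.cert_time_to_seconds parses as UTC."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).total_seconds() / 86400


def classify(cert, now=None, warn_days=WARN_DAYS):
    """Return ("EXPIRED" | "EXPIRING" | "OK", days_left)."""
    days = days_until_expiry(cert, now)
    if days < 0:
        return "EXPIRED", days
    if days <= warn_days:
        return "EXPIRING", days
    return "OK", days


def scan_endpoint(host, port, cafile=None, warn_days=WARN_DAYS, timeout=5.0):
    """Handshake with host:port and classify the leaf certificate.

    Verification stays ON on purpose: with verify_mode=CERT_NONE, getpeercert()
    returns an empty dict and there would be no dates to read. Internal certs
    therefore need the internal CA bundle passed as `cafile`. A cert that has
    already expired fails the handshake, so its state is read from the
    SSLCertVerificationError instead of from the cert dict.
    """
    endpoint = f"{host}:{port}"
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                status, days = classify(tls.getpeercert(), warn_days=warn_days)
                return {"endpoint": endpoint, "status": status, "days_left": round(days, 1)}
    except ssl.SSLCertVerificationError as e:
        # verify_code 10 is X509_V_ERR_CERT_HAS_EXPIRED. Any other code (e.g. 20,
        # unknown issuer) means the cert could not be judged; say so rather than
        # silently reporting it as fine.
        status = "EXPIRED" if e.verify_code == 10 else "UNVERIFIABLE"
        return {"endpoint": endpoint, "status": status, "reason": e.verify_message}
    except (OSError, ssl.SSLError) as e:
        return {"endpoint": endpoint, "status": "ERROR", "reason": str(e)}


def scan_inventory(endpoints, cafile=None, warn_days=WARN_DAYS):
    """endpoints: iterable of (host, port). Returns only items that need action."""
    results = [scan_endpoint(h, p, cafile, warn_days) for h, p in endpoints]
    return [r for r in results if r["status"] != "OK"]


if __name__ == "__main__":
    # Hypothetical 3-tier inventory and CA bundle path; replace with your own.
    inventory = [("shop.example.com", 443), ("app.example.internal", 8443)]
    for item in scan_inventory(inventory, cafile="/etc/ssl/internal-ca.pem"):
        print(item)
```

Two caveats worth knowing before trusting such a scan: an "UNVERIFIABLE" result is a finding in itself (an endpoint whose issuer you don't have in your bundle is exactly the kind of certificate that expires unnoticed), and services that negotiate TLS only after a plaintext exchange (STARTTLS mail ports, PostgreSQL's SSLRequest) won't complete a raw handshake and will show up as "ERROR" rather than with a date.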
You close your laptop for the second time that day. This time, you feel happy and content. You have a solution. You know that you’ll impress your manager tomorrow when you show them the tool. You sleep well that night.
To follow a visual journey of the steps taken, take a look at the screenshots below. This story only scratches the surface of what Venafi as a Service can do for you.
Are you ready to start your journey to preventing certificate-based outages?