GlobalSign Blog

SSL/TLS Certificate Expiry: Everything You Need to Know

SSL/TLS Certificate Expiry: Everything You Need to Know
Carla Mendoza

Google has made it clear that they want to shorten the validity of SSL/TLS certificates to 90 days. While this is not confirmed as going ahead - or when - it's a topic that excites such rabid discussion in the tech sphere and beyond, particularly regarding the potential impact of SSL certificate expiry. Many discussions are still ongoing about the feasibility and implications of this change.

What’s it to you? Basically, the time to automate SSL/TLS certificates is now – no longer a want, already a need. Be careful, you’re running out of time.

A Brief History of SSL/TLS What happens when your SSL expires? Changes in the SSL Space Best SSL Practices in APAC

A Brief History of SSL/TLS

Once upon a time, there was no standard for website security. In fact, there were no methods at all to protect the transmission of sensitive info online. There was simply nothing when the first SSL (Secure Sockets Layer) arrived in 1994 (and debuted in 1995), so imagine the reception to this huge leap in the infosec world.

Due to several upgrades, it’s been replaced with TLS (Transport Layer Security), complete with a name change to avoid potential legal issues. I see why people still call it the old name- it’s like being phenomenally popular as Mariah Carey, when your loyalists know​ to call you Mimi.

Let’s be honest, though, that SSL has not been updated since 1996- it is officially deprecated. At present, your organization must be using TLS, as SSL’s vulnerabilities (interception and tampering with encryption) pushed the world to do so. Sure, SSL is still in use today, but mostly in legacy systems.

a_brief_history_of_ssl_tls_globalsign

What was an SSL Certificate?

It was SSL that encrypted data traffic as a protocol created to protect the flow of communication between browser and servers. SSL protected data, usernames, passwords, bank details, and other confidential info. With SSL, you can prevent dubious stuff like tampering and eavesdropping.

On top of data encryption, it was SSL that helped build online credibility for organizations. It signaled that a customer was on a legitimate website that they could trust, where they could buy safely.

To maintain this security, it's crucial to renew SSL certificates before they expire. If an SSL certificate expired, your website’s security can be compromised, leading to potential data breaches and loss of user trust. By scheduling regular SSL certificate renewals, you can ensure continuous protection for your website and its visitors.

What is a TLS Certificate?

Around the time that the movie Fight Club was released in 1999, TLS rightfully improved upon SSL, and replaced it. The major difference? It is issued by a reliable third-party entity, kinda like a notary, but globally acclaimed online. This entity is called a Certificate Authority (CA).

A TLS certificate verifies a website's identity and enables secure encrypted communication. When a browser connects to a website, it verifies the certificate through a trusted Certificate Authority (CA). Once authenticated, a secure connection is established, protecting the communication from cyber threats.

SSL versus TLS

ssl-vs-tls

SSL/TLS Certificate Expiration

As established, both SSL and TLS are online cryptographic protocols that enable secure connections between clients and servers. Following the same purpose, they have key differences.

Key Differences Between SSL and TLS

While both protocols serve the same purpose, they have distinct differences:

  • Security: TLS is the successor to SSL and offers more advanced security features.

  • Versions: SSL has several versions (SSL 2.0, SSL 3.0, and TLS 1.0, 1.1, and 1.2), while TLS is the current standard.

  • Encryption Algorithms: TLS supports a wider range of encryption algorithms, providing greater flexibility and security.

As established, both SSL and TLS are online cryptographic protocols that enable secure connections between clients and servers. Following the same purpose, they have key differences. 

  SSL TLS
Development The first of its kind: Created by Netscape Communications Corporation (1994) Its clear purpose was to replace SSL: Developed by Internet Engineering Task Force (1999)
Authentication Authenticated only the server Incorporated far more powerful authentication methods into its design; Authenticated both server and client browser
Perfect Forward Secrecy (PFS) None If the private key gets compromised, PFS ensures that previous communications can remain safe. Each session creates a unique key that lasts only for that one session.
Algorithms Weak SSL 3.0 uses RSA and RC4 Strong TLS 1.2 uses ECDHE and AES
Deprecation Unsafe Officially deprecated Safe Globally acclaimed

My SSL certificate expired. What now?

Once your SSL certificate has reached its validity period, it can no longer be trusted to secure your connection, and an attacker may be able to intercept and view the information being transmitted between browser and server. Such an event gives out security warnings, which can make your website visitors leave. It can’t be overstated how essential it is to renew your SSL certificate before it expires.

How to check expiry date of SSL certificate?

Whether you are on Windows, Linux, or Mac OS, it is a lot more practical to check your SSL expiry date through your browser. Doing so means that you need not download a program to check it the hard way.

How to check SSL certificate expiration date on Google Chrome

check-ssl-expiry-chrome-globalsign
  1. Click the tune icon in the address bar for the website.
  2. Click on Connection is secure.
  3. Click on Certificate is valid.
check-ssl-expiry-chrome-globalsign-validity-period
  1. Under Validity Period, check “Expires On” to validate that the SSL certificate is current.
where_to_find_ssl_certificate_google_chrome_issuance_validity_period_sha_fingerprints_globalsign

How to check SSL expiration date on Microsoft Edge 

where_to_find_ssl_certificate_microsoft_edge_about_globalsign
  1. After clicking on the padlock icon, click on Connection is secure.
where_to_find_ssl_certificate_microsoft_edge_connection_secure_globalsign
  1. Click the Certificate Icon opposite Connection is secure.
where_to_find_ssl_certificate_microsoft_edge_certificate_details_globalsign
  1. Find the certificate.

How to check certificate expiry date on Firefox 

where_to_find_ssl_certificate_mozilla_firefox_url_bar_globalsign
  1. Click Connection secure.
where_to_find_ssl_certificate_mozilla_firefox_certificate_issuance_globalsign
  1. Click More information.
where_to_find_ssl_certificate_mozilla_firefox_view_certificate_globalsign
  1. Click View Certificate.
010 - where_to_find_ssl_certificate_mozilla_firefox_certificate_details_globalsign.jpg
  1. Find Validity.

SSL Certificate Expiry Vulnerability Impact

ssl-certificate-expired

It’s literally like having an expired passport: On top of having questionable authenticity, this means that you are not able to comply with the latest security standards, leading to all kinds of vulnerability down the line. An expired SSL certificate declares that you are a questionable passenger- a questionable website- sailing the seven seas of the internet. See, an SSL certificate declares that you are a trusted passenger- a trusted website- sailing the seven seas of the internet. Your website is legitimate. Your website is a cut above the rest. Customers can entrust their safety- their identity, their financial details- with you. See, the chosen icon for SSL is not just randomly a padlock.

SSL expiry can lead to outages likely to damage reputation, customer trust, and revenue. Several cases have been featured on the news: the actual event of forgetting to renew an SSL certificate has happened to a gargantuan cloud platform, a software company of similar influence, a major music streaming service that gives you free access to millions of songs, and more. Look it up.

What is the maximum validity period for my SSL certificate?

The era of long-lived SSL/TLS certificates is coming to an end. Google's initial reduction to 90 days was a major step but Apple's latest proposal to shorten the maximum validity period to 45 days by 2027 signals a dramatic shift in web security. This move, supported by the broader industry, will significantly impact certificate management practices and strengthen the overall security posture of the web.

How long do SSL certificates last? How long are certificates valid for?

SSL certificates, vital for securing online transactions, have a limited lifespan. To enhance security, the validity period for these certificates has been significantly reduced. Currently, SSL certificates cannot exceed 397 days, or approximately 13 months. This shorter duration allows for faster updates and replacements, mitigating potential security risks.

As the industry transitions to these tighter lifecycles, organizations must prioritize vigilant certificate management to minimize the risk of breaches. To adapt to shorter certificate lifespans and mitigate security risks, organizations can prioritize efficient certificate management by utilizing automation tools like Certificate Automation Manager (CAM).

Changes in the SSL Space

The duration of SSL validity used to be up to two years, but the infosec world keeps on working to protect connections by moving validity periods to shorter and shorter durations. This is in accordance with industry best practices that only serve to protect all. Fortunately, the practice means more frequent SSL certificate renewals, accounting for time zone differences and prevents CAs like GlobalSign from mis-issuing a certificate that exceeds the validity requirement. It was adjusted to a year, and extremely soon it’s going to be down to 47 days, requiring even more frequent SSL certificate renewals.

SSL Certificate Validity: When will it actually matter to you?

While the industry continues to move towards shorter certificate validity periods, the timeline for these changes has recently been adjusted. The new schedule, as agreed upon by the CA/Browser Forum, is as follows:

  • 398-day maximum validity: Until March 15, 2026

  • 200-day maximum validity: Starting March 15, 2026

  • 100-day maximum validity: Starting March 15, 2027

  • 47-day maximum validity: Starting March 15, 2028

While the 100-day limit in March 2027 is still on the horizon, these changes provide organizations with additional time to adapt to the new standards. However, it's crucial to start preparing now by implementing automated certificate management solutions to ensure seamless transitions and minimize disruptions.

Can You Use an Expired SSL/ TLS Certificate?

While using an expired SSL/TLS certificate is technically possible, it's highly discouraged due to severe security implications. Once a certificate expires, it becomes invalid, and websites using it will be flagged as insecure by browsers. This can lead to significant trust issues, deterring potential visitors and harming your online reputation.

Additionally, expired certificates can expose your website to various cyber threats, including man-in-the-middle attacks and data breaches. To ensure optimal security and user experience, it's crucial to renew SSL/TLS certificates before they expire and keep your website protected.

Best SSL Practices in APAC

Choose a Reliable CA

The best CAs go beyond the fact that they are one of the longest standing CAs in the world. The best CAs under-promise and over-deliver.

Do they say they’re supportive? For 24/7 tech support, they literally come to your country and build a vigorous local presence.

Do they say they’re acclaimed worldwide? They continuously build newer infrastructure to anticipate enormous success for your organization, which always comes with ever-changing demands.

They walk the talk. They go through ultracareful third-party audits to maintain their security position. They value their own reputation. They keep themselves beyond reproach, so they can lift you to that level, too.

Guess which CA does this? Click here.

Choose the Right SSL Certificate

SSL certificates have different levels of validation. You pick one to suit its purpose, whether it’s for a blogging site, an enterprise website, or an epic ecommerce site. As a tip, it’s best to avoid multi-server certificates to prevent duplication of private keys. Why is duplication a no-no? If one of the servers is compromised, all others protected by your SSL face the same security risks.

Compare GlobalSign’s Domain Validation (DV), Organization Validation (OV), and Extended Validation (EV) here.

Ensure Effective SSL Expiry Monitoring and Certificate Management

Your organization probably has a menagerie of SSL and other certificates, each with its own date of expiration. Certificate management is a burden, and you’re well-advised to automate. Once the 90-day validity pushes through, you will need to renew your certificates at least four (4) times every year.

GlobalSign has Automated Certificate Management Environment (ACME), which enables you to seamlessly monitor issuances, renewals, expirations, revocations, etc. at a glance. Originally created by the Internet Security Research Group (ISRG), ACME has a very real potential to shape the future of SSL/TLS Certificate Validity. We invite you to hop on the train and be ahead of the curve. 

For our use cases, click here.

Expired SSL/TLS certificates can wreak havoc and cause a costly, high security risk headache for your team. A certificate inventory tool such as GlobalSign’s Atlas Discovery lets you gain a comprehensive overview of your organization’s certificates. With certificate automation via ACME, you get to prevent outages and downtime, too.

There is nothing more reassuring than knowing your digital certificates are secured with the help of PKI experts and a trustworthy partner.

Don’t wait for this event to impact your site encryption.

Don’t wait for such time when you’re no longer protected.

Contact GlobalSign today.

site-seal-blurb

Share this Post

Related Blogs