SSL Certificate Expiration: The Complete Guide for DevOps Teams (2025)

TL;DR: SSL certificate expiration is one of those problems that shouldn't cause outages—yet it does, repeatedly, even at major companies. This guide covers everything you need to know about certificate expiration, why it happens, and how to prevent it from taking down your services.
By the Numbers:
- 81% of security leaders expect more outages as certificate lifespans shrink
- Only 8% of organizations fully automate certificate management
- By 2029, certificates will only be valid for 47 days
The Problem We've All Faced
If you've worked in DevOps or SRE, you've probably experienced this: a certificate expires unexpectedly, and suddenly your users see browser warnings or your services start failing health checks.
The frustrating part? This is entirely preventable.
Yet every year, we see headlines about major companies—Microsoft, Spotify, LinkedIn—experiencing outages caused by expired certificates. These aren't small teams without resources. They have dedicated infrastructure teams and monitoring in place.
So why does this keep happening?
Real-World Certificate Outages
Microsoft Teams (February 2020)
Microsoft Teams went down for nearly three hours after Microsoft forgot to renew a critical security certificate. Users attempting to sign into the service were met with error messages, with the app noting it had failed to establish an HTTPS connection.
Microsoft confirmed the service was down just after 9AM ET on February 3, 2020, revealing that "an authentication certificate has expired causing users to have issues using the service."
Source: Engadget - Microsoft Teams went down because of an expired certificate
LinkedIn (Multiple Incidents)
LinkedIn has faced certificate outages twice in two years due to SSL expiration. The first incident impacted millions of users who were unable to log into their accounts. The second incident affected desktop users after the certificate for LinkedIn's link shortener expired.
Source: The SSL Store - LinkedIn suffers SSL/TLS certificate expiration. Again.
Spotify/Megaphone (2022)
Spotify's podcast platform Megaphone suffered a major outage as a result of a missed certificate renewal. This prevented podcast listeners from accessing their favorite shows for eight hours.
Source: Keyfactor - Spotify Certificate Outage Lessons Learned
These incidents show that it takes just one expired certificate to cause a major outage—regardless of company size or resources.
Why Certificates Expire (And Why It's Easy to Forget)
SSL/TLS certificates have a built-in expiration date by design. This isn't a bug—it's a security feature.
The Security Reasoning
Certificate expiration forces periodic key rotation, which:
- Limits exposure if a private key is compromised
- Ensures algorithms stay current as cryptographic standards evolve
- Validates ongoing domain ownership through the renewal process
The Practical Problem
Modern infrastructure is complex. A typical organization might have:
- Production domains with different registrars
- Internal services with self-signed or private CA certificates
- Load balancers terminating TLS at different points
- Kubernetes ingresses managing their own certificates
- Third-party services requiring client certificates
Each of these has its own renewal process, timeline, and responsible team. Without centralized tracking, certificates get lost in the shuffle.
Certificate Validity Periods: What You Need to Know
The industry has progressively shortened maximum certificate validity:
| Timeline | Maximum Validity | Status |
|---|---|---|
| Before 2015 | 5 years | Historical |
| 2015-2018 | 3 years | Historical |
| 2018-2020 | 2 years | Historical |
| Sept 2020-Present | 398 days (~13 months) | Current |
| March 2026 | 200 days | Coming soon |
| March 2027 | 100 days | Coming soon |
| March 2029 | 47 days | Coming soon |
Sources: Apple announcement, CA/B Forum Ballot SC-081
The Push for Shorter Lifespans
In March 2023, Google announced in its "Moving Forward, Together" roadmap its intention to reduce maximum validity from 398 days to 90 days.
Source: ManageEngine - Google's 90-Day TLS/SSL Certificate Validity
Apple took it further in October 2024, proposing an even more aggressive timeline. On April 11, 2025, the CA/Browser Forum approved Ballot SC-081v3, establishing the phased reduction to 47-day certificates by 2029.
Source: DigiCert - TLS Certificate Lifetimes Will Officially Reduce to 47 Days
This means renewal is no longer a yearly task you can handle manually—it needs to be automated and monitored.
The Real Cost of Certificate Expiration
When a certificate expires, the impact depends on where it's used:
Public-Facing Services
- Users see "Your connection is not private" warnings
- With HSTS enabled, browsers block access entirely
- API clients fail with TLS handshake errors
- Mobile apps may crash or refuse to connect
Internal Services
- Service-to-service communication breaks
- Database connections fail
- Message queues stop processing
- CI/CD pipelines halt
Industry Statistics
When surveyed about Google's proposal to reduce certificate lifespans:
- 81% of security leaders believe shorter lifespans will amplify existing certificate management challenges
- 77% think more outages are "inevitable"
- Only 8% of organizations fully automate all aspects of TLS certificate management
Source: GlobalSign - From 90 Days to 47: SSL/TLS Certificate Lifespans and Automation
How Certificates Get Forgotten
In our experience building monitoring infrastructure, we've seen certificates slip through the cracks for several reasons:
1. Ownership Ambiguity
"Who renewed that cert last time?" is a question that comes up more often than it should. Certificates often outlast team members, and knowledge transfer doesn't always include renewal responsibilities.
2. Scattered Infrastructure
Certificates live in different places:
- Cloud provider certificate managers (AWS ACM, GCP, Azure Key Vault)
- Kubernetes secrets
- Load balancer configurations
- CDN edge configurations
- On-premise servers
Without a unified view, it's easy to miss one.
3. Over-Reliance on Automation
Let's Encrypt and cert-manager have made certificate management much easier. But "automated" doesn't mean "guaranteed." Automation can fail silently:
- DNS validation issues
- Rate limiting
- Webhook failures
- Misconfigured issuers
If you're not monitoring the automation, you won't know it failed until the certificate expires.
4. Long Validity Periods Create Complacency
A certificate that's valid for 13 months is easy to forget about. By the time it's close to expiring, the person who set it up may have moved to a different team or company.
What to Monitor Beyond Expiration
Expiration is the most obvious thing to track, but it's not the only thing that can go wrong with certificates:
Certificate Chain Validation
A certificate is only valid if the entire chain is valid—from your certificate through intermediates to a trusted root. Chain issues cause intermittent failures that are notoriously hard to debug. If you're experiencing chain problems, see our guide to fixing SSL certificate chain errors.
Revocation Status
Certificates can be revoked before they expire if the private key is compromised. Checking OCSP and CRL status ensures you catch revocations before they cause problems.
Weak Cryptography
Older certificates might use algorithms that are now considered weak:
- SHA-1 signatures (deprecated)
- RSA keys smaller than 2048 bits
- Outdated TLS versions
Hostname Mismatches
Certificate SANs (Subject Alternative Names) need to match your actual hostnames. Mismatches cause validation failures even with a valid, non-expired certificate.
Setting Up Effective Certificate Monitoring
The goal of monitoring is simple: know about certificate problems before your users do.
What to Alert On
| Condition | Alert Threshold | Priority |
|---|---|---|
| Expiring soon | 30 days | Warning |
| Expiring very soon | 7 days | Critical |
| Already expired | Immediate | Critical |
| Chain validation failed | Immediate | Critical |
| Certificate revoked | Immediate | Critical |
| Weak cryptography detected | On detection | Warning |
Alert Fatigue Considerations
Too many alerts lead to ignored alerts. Some practical tips:
- Stagger thresholds: Don't alert at 30, 29, 28 days. Alert once at 30, then escalate at 7.
- Route appropriately: Not every alert needs to page someone at 3 AM.
- Include actionable context: The alert should tell you which certificate, where it's used, and how to renew it.
Approaches to Certificate Monitoring
Option 1: DIY with Existing Tools
You can monitor certificates with tools you might already have:
Prometheus + Blackbox Exporter:
```yaml
- job_name: 'ssl'
  metrics_path: /probe
  params:
    module: [http_2xx]
  static_configs:
    - targets:
        - https://example.com
  relabel_configs:
    - source_labels: [__address__]
      target_label: __param_target
    - target_label: __address__
      replacement: blackbox-exporter:9115
```
This works, but requires maintaining the exporter, writing alert rules, and keeping the target list updated.
Custom Scripts:
```bash
#!/bin/bash
# Usage: ./check-cert.sh example.com
# Prints the number of days until the certificate served on port 443 expires.
set -euo pipefail
host="$1"
# Read the served leaf certificate's notAfter field, e.g. "notAfter=Mar 21 12:00:00 2026 GMT"
expiry=$(echo | openssl s_client -servername "$host" -connect "$host:443" 2>/dev/null \
    | openssl x509 -noout -enddate | cut -d= -f2)
expiry_epoch=$(date -d "$expiry" +%s)   # GNU date syntax; BSD/macOS needs `date -j -f`
now_epoch=$(date +%s)
days_left=$(( (expiry_epoch - now_epoch) / 86400 ))
echo "$host: $days_left days remaining"
```
Simple, but doesn't scale well and doesn't handle chain validation or revocation checks.
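The checks described under "What to Monitor Beyond Expiration" and the alert table, as an added example that is not code from the original post or from CertWatch: it fetches the served certificate in the form Python's `ssl.getpeercert()` returns, applies the 30-day Warning and 7-day Critical thresholds, matches the hostname against the SANs with single-label wildcard rules, and reports a handshake verification failure as a chain problem. Assumptions: port 443 by default, the `notAfter` string format OpenSSL and Python emit, and rating a hostname mismatch as Critical (the table above does not list it).

```python
import socket
import ssl
import time

WARN_DAYS, CRIT_DAYS = 30, 7  # thresholds from the alert table above


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the leaf certificate in the dict form getpeercert() returns. The default
    context verifies chain and hostname, so a bad chain raises SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def hostname_matches(hostname: str, san_names) -> bool:
    """Exact SAN match, or a wildcard covering exactly one leftmost label (RFC 6125)."""
    host = hostname.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in san_names):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def evaluate(cert: dict, hostname: str, now_epoch: float) -> list:
    """Map a getpeercert()-style dict to (condition, priority) findings per the alert
    table. Hostname mismatch is not in that table; rating it Critical is an assumption."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # e.g. 'Mar 21 12:00:00 2026 GMT'
    days_left = int((not_after - now_epoch) // 86400)  # negative once expired
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    findings = []
    if days_left < 0:
        findings.append(("Already expired", "Critical"))
    elif days_left <= CRIT_DAYS:
        findings.append(("Expiring very soon", "Critical"))
    elif days_left <= WARN_DAYS:
        findings.append(("Expiring soon", "Warning"))
    if not hostname_matches(hostname, sans):
        findings.append(("Hostname mismatch", "Critical"))
    return findings

def check_host(host: str, port: int = 443) -> list:
    """Live check against a server (network); verification failures become Critical."""
    try:
        cert = fetch_cert(host, port)
    except ssl.SSLCertVerificationError:  # broken chain, or the default context's hostname check
        return [("Chain validation failed", "Critical")]
    return evaluate(cert, host, time.time())
```

Run `check_host("example.com")` against a live host, or feed `evaluate()` certificates exported from an inventory to classify them offline; an empty list means no finding.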
Option 2: Dedicated Monitoring Tools
If you'd rather not manage another monitoring stack just to track certificates, tools like CertWatch handle this for you:
- Add your domains
- Configure where you want alerts (Slack, Email, PagerDuty, Webhooks)
- Get notified before certificates expire
This is the approach we took after setting up Blackbox Exporter and Prometheus one too many times across different projects.
Quick Certificate Check
Want to quickly check a certificate's status right now? You can use our free SSL Certificate Checker to see expiration date, chain validation, and security details for any domain.
Key Takeaways
- Certificate expiration is preventable but requires intentional monitoring
- Shorter validity periods mean renewal needs to be automated and monitored—47-day certificates are coming by 2029
- Monitor more than expiration—chain issues, revocation, and weak crypto matter too
- Centralize visibility across all your certificates, regardless of where they live
- Alert thoughtfully to avoid fatigue while ensuring nothing slips through
What's Your Experience?
We're building CertWatch based on problems we've encountered ourselves. If you have war stories about certificate expiration or features you wish existed in monitoring tools, we'd love to hear about it.
Join our Discord or drop a comment below.
Sources
- Engadget - Microsoft Teams went down because of an expired certificate
- The SSL Store - LinkedIn suffers SSL/TLS certificate expiration. Again.
- Keyfactor - Spotify Certificate Outage Lessons Learned
- Apple Support - About upcoming limits on trusted certificates
- DigiCert - TLS Certificate Lifetimes Will Officially Reduce to 47 Days
- ManageEngine - Google's 90-Day TLS/SSL Certificate Validity
- GlobalSign - From 90 Days to 47: SSL/TLS Certificate Lifespans and Automation
- Sectigo - The Risks & Impacts of SSL Certificate Outages
- Keyfactor - 2023's Biggest Certificate Outages
Never Let a Certificate Expire Again
Monitor your SSL certificates with CertWatch. Get alerts before they expire, validate certificate chains, and keep your services running smoothly.