What's the common practice of when to update a soon expiring SSL certificate?

Recently the Windows Azure Storage SSL certificate expired and that caused a lot of problems. Now the certificate can be retrieved by any user and so everyone could have noticed that it was going to expire.

Now what's the typical timeframe for replacing a soon to expire certificate? Is it a month before expiration or a week before expiration or any other time?

In other words, suppose I'm validating a third party service certificate and see that it expires in N days. If I notice it one day in advance it may be too late - I'll need time to contact the service owner and they will need time for reissuing the certificate and replacing it. If I notice it one month in advance - it may be too early to raise alarm - maybe the service owner is about to replace the certificate a bit later.

What's the value of N such that if the SSL certificate is about to expire in N days it's likely that the service owner has forgotten about its expiration? What's the common practice of when to update a soon to expire SSL certificate?


Comodo starts alerting at 60 days, http://www.instantssl.com/ssl-certificate-support/server_faq/ssl-certificate-renewals.html

GoDaddy recommends 60, http://support.godaddy.com/help/article/864/renewing-your-ssl-certificate

Entrust recommends 30, http://www.entrust.net/ssl-technical/renew_faq.cfm

Others don't seem to have a start recommendation easily found.

Universally it seems to be documented to renew before the 15 day mark.


I'm afraid the most common practice is "scrambling to replace it when it's already expired"...

But in addition to the very useful info listed by Kormoc, I'd strongly advise you to use a vendor who will send alerts - and make sure that those alerts go to a mailbox that someone will actually watch. If you set it to a personal address within the company, you risk that person being on vacation or sick or even having left the company. Instead, make sure you have an address that is either a group mailbox or a mailing list that expands to several people.

If you've got any kind of monitoring system, you can also set a cron job to run e.g. once a week that reports the number of days to expiry, and start alerting you when the number of days drops below a certain value.
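A sketch of the cron-driven check described in the answer above, as an added example that is not part of the original thread. The 30-day and 15-day thresholds are assumptions taken from the figures quoted earlier on this page, and the status names and exit codes are illustrative choices.

```python
#!/usr/bin/env python3
"""Report days until TLS certificate expiry; meant to be run from cron."""
import socket
import ssl
import sys
from datetime import datetime, timezone

# Assumed thresholds, taken from the 30-day and 15-day figures quoted above.
WARN_DAYS = 30
CRIT_DAYS = 15
EXIT_CODES = {"OK": 0, "WARNING": 1}  # every other status exits 2


def days_left(not_after, now=None):
    """Whole days (floored) until notAfter, e.g. 'Jan 31 00:00:00 2030 GMT'."""
    now = now or datetime.now(timezone.utc)
    return int((ssl.cert_time_to_seconds(not_after) - now.timestamp()) // 86400)


def classify(days):
    if days < 0:
        return "EXPIRED"
    if days < CRIT_DAYS:
        return "CRITICAL"
    return "WARNING" if days < WARN_DAYS else "OK"


def check(host, port=443, timeout=10):
    """Return (status, days) for the certificate a live server presents."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                days = days_left(tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError:
        # An expired or untrusted certificate fails the verified handshake,
        # so there is no notAfter to read; report it as the worst case.
        return "INVALID", None
    except OSError:
        return "UNREACHABLE", None
    return classify(days), days


if __name__ == "__main__":
    worst = 0
    for host in sys.argv[1:]:
        status, days = check(host)
        print(f"{status}: {host} days_left={days}")
        worst = max(worst, EXIT_CODES.get(status, 2))
    sys.exit(worst)
```

Pass the hostnames to watch as arguments; the non-zero exit code on WARNING or worse lets a monitoring system or cron's mail output raise the alert.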