SSL Certificates are key to managing a secure business and site, so we look at how best to keep on top of SSL certificate expiry and the risks of letting this expiry slip.

If you are using AWS, you will be doing one of the following to manage your Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates:

  1. Purchasing a certificate from a Certification Authority (CA) and renewing it yourself every year, or
  2. Taking advantage of AWS Certificate Manager (ACM) to provision, manage, and deploy SSL/TLS certificates.

If you are using the former, you are in greater danger of missing the expiration date of your SSL certificates, because renewal is a manual task. However, even when using ACM, there are specific cases in which automatic renewal falls back to email validation, meaning you will need to complete the renewal manually anyway.

According to AWS, there are two reasons this can happen:

  1. ACM avoids renewing certificates that are not in use. To be considered in use, an ACM Certificate must be associated with an AWS service such as Elastic Load Balancing, CloudFront, etc.
  2. If an ACM Certificate is in use but cannot be publicly accessed by using the DNS name(s) in the certificate, ACM attempts to renew the certificate through email validation.

The main downside of both renewal routes is that once the task falls back into the hands of a human, there is always room for error.

The danger of running with an expired SSL certificate is that your website becomes vulnerable to identity theft and man-in-the-middle attacks. As we all know, these are among the worst incidents any business can suffer, from compromised data to the simple "Unsecured Page" warning shown to your customers; in both cases, reputation and fines are at risk. It is therefore essential to prevent SSL certificates from expiring at all costs, and we need to find ways to reduce this risk.

So the question is: what options do we have to prevent SSL certificates from expiring, and to stop the security of our website and the future of our business from being endangered?

The first and easiest solution is an automatic renewal system, which ACM does pretty well. The only concern, as touched on above, is when it cannot renew and falls back to notifying us via email. In many cases this would be enough, but what happens when the person who registered the SSL certificate no longer works for the company, or is on vacation with no intention of checking their work email regularly? Hurdle.

The second-best option is to make sure the right person is notified well before expiration, so that the necessary actions are taken before it is too late. This is where CloudConformity can help.

Our Security & Compliance Package includes out-of-the-box rules specific to certificate expiration which, once configured, send alerts to the communication channels you specify.

For ACM certificates, you will be notified three times before the certificate expires:

- 45 days before expiration: severity Medium
- 30 days before expiration: severity High
- 7 days before expiration: severity Very High

Additionally, for SSL/TLS certificates stored in AWS IAM, three more rules are in place to make sure you are notified in time:

- 45 days before expiration: severity Medium
- 30 days before expiration: severity High
- 7 days before expiration: severity Very High
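As an added illustration (not CloudConformity's own code or rule logic), the check below maps a certificate inventory onto the 45/30/7-day tiers above and flags the certificates that will need a human, namely IAM server certificates and ACM certificates that are not in use or not eligible for managed renewal, which are exactly the fallback cases described earlier. The field names mirror boto3's `describe_certificate` and `list_server_certificates` responses, but the inventory here is constructed inline so the script runs offline.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TIERS = ((7, "Very High"), (30, "High"), (45, "Medium"))  # post's tiers, most urgent first
@dataclass
class CertRecord:
    name: str
    source: str            # "acm" or "iam"
    not_after: datetime    # timezone-aware expiry timestamp
    in_use: bool = True    # ACM only auto-renews certificates attached to a service
    eligible: bool = True  # ACM RenewalEligibility == "ELIGIBLE"
def from_acm(desc):
    """Record from the ['Certificate'] dict returned by ACM describe_certificate."""
    return CertRecord(desc["DomainName"], "acm", desc["NotAfter"],
                      in_use=bool(desc.get("InUseBy")),
                      eligible=desc.get("RenewalEligibility") == "ELIGIBLE")
def from_iam(meta):  # one entry of IAM list_server_certificates
    return CertRecord(meta["ServerCertificateName"], "iam", meta["Expiration"])
def severity(days):
    """Map whole days until expiry onto the tiers; None means no alert is due yet."""
    if days < 0:
        return "Expired"
    for threshold, label in TIERS:
        if days <= threshold:
            return label
    return None
def needs_human(cert):
    """IAM certs are always renewed by hand; ACM falls back to email validation
    for certificates that are not in use or not eligible for managed renewal."""
    return cert.source == "iam" or not cert.in_use or not cert.eligible
def build_alerts(certs, now):
    """Alerts sorted most-urgent first, each flagged when a person must act."""
    alerts = []
    for c in certs:
        days = int((c.not_after - now).total_seconds() // 86400)
        if (sev := severity(days)) is not None:
            alerts.append({"name": c.name, "source": c.source, "days_left": days,
                           "severity": sev, "manual": needs_human(c)})
    return sorted(alerts, key=lambda a: a["days_left"])

# Constructed sample inventory (not real AWS output); the clock is fixed for reproducibility.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    from_acm({"DomainName": "shop.example.com", "NotAfter": NOW + timedelta(days=20),
              "InUseBy": ["arn:aws:elasticloadbalancing:example"], "RenewalEligibility": "ELIGIBLE"}),
    from_acm({"DomainName": "old.example.com", "NotAfter": NOW + timedelta(days=5),
              "InUseBy": [], "RenewalEligibility": "ELIGIBLE"}),
    from_iam({"ServerCertificateName": "legacy-elb", "Expiration": NOW + timedelta(days=40)}),
]
```

Running `build_alerts(SAMPLE, NOW)` yields the unused ACM certificate first (5 days, Very High, manual), then the in-use one (20 days, High, automatic), then the IAM certificate (40 days, Medium, manual).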

Also note that, based on the severity level, you can set your account to be notified on different channels such as PagerDuty, SMS, Slack, email, JIRA, etc., and you can always change the groups that are notified on those channels to minimise the risk of missing the deadline.