SSLTrust

What Happens When an SSL Certificate Expires? Risks and Solutions Explained

SSL certificates are crucial for securing your website and protecting user data – but they don’t last forever. SSL certificates typically have a lifespan of 1 year before they expire, and if you don’t immediately renew with a new certificate, it can result in security risks, browser warnings, and loss of trust from visitors.


Learning Objectives

After reading this article you will be able to:

  • Understand why SSL certificates expire and what happens when they do
  • Know the implications of an expired SSL certificate for your website
  • Identify methods to check SSL certificate expiration dates and automate renewal for your peace of mind


In this article, we’ll explore what happens when an SSL certificate expires, the implications for your website, how to check the expiration date, and suggestions for how to simplify your certificate management so that you never need to worry about being caught out with an expired certificate.

Why Do SSL Certificates Expire?

SSL certificates typically expire after 1-2 years, with the exact lifecycle depending on the certificate type and what level you decide to purchase.

You might think that this relatively short lifespan is designed just to get you to buy new certificates more frequently. However, there are some good reasons why certificates need to be frequently renewed:

  1. Staying up to date: Cryptographic standards that underpin SSL certificates are always evolving in response to new security threats. By requiring websites to renew every year or two, it’s easier to ensure that everyone has up-to-date security.
  2. Verifying domain ownership: Depending on the certificate type, you need to confirm the details of your domain or business entity when you renew. This helps prevent unauthorised entities from maintaining a certificate indefinitely.
    For example, using an extended validation (EV) SSL certificate requires you to verify various details to prove you are a legitimate business. If you closed your business and sold the domain, the Certificate Authority would not want the new owner to maintain the same certificate when it no longer reflects a real, functioning business (potentially misleading users into sharing sensitive information).
  3. Promoting best practices: Shorter lifespans on certificates help motivate organisations to stay on top of their digital security and maintain compliance with industry standards.

What Happens When an SSL Certificate Expires?

When an SSL certificate expires, the first thing that happens is that the issuing CA (Certificate Authority) marks it as expired. This is not the same as certificate revocation, which occurs for other reasons, but the consequences for your site will be the same.

When the CA marks the certificate as expired, it will automatically no longer be trusted by web browsers like Google Chrome, Microsoft Edge, etc. While your web server will still continue to serve the site over HTTPS using the expired certificate, it may as well be plain HTTP, since browsers and security tools will flag your site as insecure.

“But the certificate is still installed, so won’t it still encrypt data?”

While it’s true that certificate expiry does not disable the mechanism of encryption itself, it’s impossible to establish an encrypted connection with an expired certificate.

Why?

When someone visits your website, their browser will initiate the SSL/TLS handshake, which is the first step in establishing a secure connection. When a browser sees that your certificate is expired, it will reject the handshake, and the connection won’t be established.

So, while an expired certificate won’t disable HTTPS, the connection will still be rendered untrusted.

What are the Consequences of an Expired SSL Certificate?

If your certificate expires and you fail to renew it, the following things will happen:

Browsers Block User Access with Security Warnings

As discussed earlier, browsers will be unable to establish a secure connection with your website. When this happens, users won’t be able to connect and will instead be served a full-page security warning explaining why they have been prevented from visiting the site, with a message like “Your connection is not private” or “Warning: Potential Security Risk Ahead”.

Most browsers will still give users an option to bypass the warning and access the site, but the vast majority won’t use this option and will just leave immediately. Even if they do bypass the warning, their connection won’t be encrypted, exposing them to potential man-in-the-middle (MITM) attacks.

Needless to say, users encountering this warning will immediately distrust your website and will likely never return. If you run a business, you’ll lose potential customers and suffer reputational damage that will be hard to recover from. If anyone does bypass the warning and falls victim to an attack, they may hold you legally responsible for failing to maintain a secure website (even if they do assume some risk by bypassing the warning).

Security Risks & Vulnerabilities

Beyond alienating users and damaging your reputation, operating an expired SSL certificate exposes your website and users to a range of security risks and vulnerabilities, such as:

  1. Man-in-the-Middle (MITM) attacks: When your website is no longer encrypting traffic, attackers can intercept data during transmission. By positioning themselves between your server and the user, attackers can steal information like login credentials and credit card information, leading to unauthorised access and identity theft.
  2. Phishing and Impersonation: An expired SSL certificate can create an opportunity for attackers to set up a fake phishing website that impersonates yours. They do this by setting up a clone of your website that, ironically, has a valid SSL certificate. Users may trust the clone over your real website and share their information with the attackers.
  3. Session Hijacking and Cookie Theft: If you have cookies on your website that maintain user logins, attackers can use session hijacking techniques to impersonate real users and access their accounts.

These are just a few of the ways that attackers can exploit your expired SSL status. It’s best not to leave anything to chance and ensure you always maintain a valid SSL certificate.

Damage to Your SEO Performance

One of the key reasons to get an SSL certificate is the fact that enabling HTTPS supports your website’s search engine optimisation (SEO). This is because Google and other search engines only want to promote secure websites to users.

So, when you have an expired certificate, you lose this benefit, and your search engine rankings will decline. If your business depends on being discoverable through organic search on platforms like Google, failing to maintain a valid SSL certificate can be disastrous.

How Long After Expiration Does a Certificate Stop Working?

Immediately. Unlike domain renewals, there’s no grace period when it comes to SSL certificates. Once it’s expired, it’s expired.

This is why it’s absolutely essential to ensure you are monitoring when your certificate expires so you can renew or replace it in time.

How to Check SSL Certificate Expiration Dates

While the consequences of an expired certificate can seem scary, avoiding this situation is easy enough if you pay attention.

Let’s go over some of the options you have to check when your certificate expires:

  1. Manually checking with your web browser: Visit your website and click the padlock icon in the address bar. From there, you can navigate to a panel that displays the details of the currently installed certificate, which will reveal when the certificate was issued and when it will expire, down to the exact second.
  2. Using an online SSL certificate checker: Alternatively, you can also use a tool, such as our Free SSL/TLS Checker, to confirm your certificate details and find out when it expires.
  3. Using an automated SSL monitoring tool: If you don’t want to worry about manually checking your certificate details, you can use an automated monitoring tool to ensure you never run the risk of forgetting to renew your certificate. Check out our SSL/TLS Certificate Automation Solution, which automates the entire certificate lifecycle for you, including automated issuance, installation and renewal of all your SSL/TLS certificates.
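The following script is an added example, not part of the original article and not SSLTrust’s tooling. It shows the two things the article describes: how a monitoring check reads a certificate’s expiry date and classifies it (ok / expiring soon / expired), and what happens at the handshake when a certificate has already expired (the connection is rejected before any data is exchanged, which is what a browser does). The sample certificate dictionary, the hostname `www.example.com` and the 30-day warning threshold are constructed values; the classification logic runs entirely offline, while `fetch_cert` and `check_host` need network access to a real server.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
# Only the fields used by this check are included; the dates are made up.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example CA"),),),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Jun 30 23:59:59 2025 GMT",
}

# Assumed renewal threshold (days before expiry at which to raise an alert).
WARN_DAYS = 30


def parse_not_after(cert):
    """Return the certificate's notAfter field as an aware UTC datetime."""
    # ssl.cert_time_to_seconds understands the "Mon DD HH:MM:SS YYYY GMT"
    # format that getpeercert() uses and interprets it as UTC.
    seconds = ssl.cert_time_to_seconds(cert["notAfter"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def classify(cert, now=None, warn_days=WARN_DAYS):
    """Return (status, days_left); status is 'expired', 'expiring' or 'ok'."""
    now = now or datetime.now(timezone.utc)
    days_left = (parse_not_after(cert) - now).total_seconds() / 86400
    if days_left <= 0:
        # There is no grace period: once notAfter has passed the cert is dead.
        return "expired", days_left
    if days_left <= warn_days:
        return "expiring", days_left
    return "ok", days_left


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch and verify the leaf certificate of a live server (network call)."""
    # The default context verifies the chain, hostname and validity period,
    # so an expired certificate fails here during the TLS handshake.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_host(host, port=443, warn_days=WARN_DAYS):
    """Produce one monitoring record for a host (network call)."""
    try:
        cert = fetch_cert(host, port)
    except ssl.SSLCertVerificationError as exc:
        # Mirrors browser behaviour: the handshake is rejected outright, so the
        # monitor reports the verification failure rather than a date.
        return {"host": host, "status": "handshake_rejected",
                "reason": exc.verify_message}
    status, days = classify(cert, warn_days=warn_days)
    return {"host": host, "status": status, "days_left": round(days, 1)}


if __name__ == "__main__":
    import sys

    # Usage: python check_expiry.py www.example.com other.example.net
    for hostname in sys.argv[1:]:
        print(check_host(hostname))
```

Run it from a scheduled job against every hostname you own and alert on anything that is not `ok`; the `expiring` state is the one that gives you time to renew before users ever see a warning page.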

Conclusion: Avoiding the Pitfalls of SSL Certificate Expiry

SSL certificate expiration is not just an inconvenience. If ignored, you will inevitably fall victim to security vulnerabilities and lose the trust of users and search engines alike, which can be incredibly difficult to recover.

By proactively monitoring expiration dates (or by taking the convenient route and setting up automated renewal processes), you can easily avoid the risks associated with expired SSL/TLS certificates.