SSL certificates, why they expire, and what to do when they do

2026-04-15 · NoDowntimeShield team · 4 min read

Somewhere in the next 90 days, your SSL certificate is going to expire. If it expires at 3 AM on a Sunday, you'll wake up to a wall of "your connection is not private" errors and a drop in revenue that you can measure in hours.

Here is what you need to know.

What an SSL certificate is

An SSL certificate is a short file issued by a certificate authority (like Let's Encrypt, DigiCert, or Sectigo) that lives on your web server. When a browser connects, the server sends the certificate, the browser verifies it, and the padlock appears.

Why they expire

Certificates expire for the same reason passwords rotate — to limit the blast radius if the private key ever leaks. The industry has been steadily shortening the maximum validity period: once it was three years, then one year, and from 2025 it is 398 days. In the near future it will be 90 days, and eventually 47 days. That means automated renewal is no longer optional.

What can go wrong

  • Expiry itself. Browsers refuse to connect, revenue drops to zero.
  • Chain problems. Your server sends a valid certificate but forgets to send the intermediate cert — some clients succeed, others fail. Very hard to diagnose.
  • SAN mismatch. Someone added api.yourcompany.com to DNS but the certificate only covers www.yourcompany.com. API requests start failing silently.
  • Weak ciphers. The certificate is valid but the server negotiates TLS 1.0. Compliance tools flag it.

What to do

  1. Monitor expiry across every hostname you own. A dashboard that shows "42 days until expiry" is worth $100/month of attention.
  2. Use automated renewal wherever your platform or certificate authority supports it (cPanel, Plesk, Cloudflare, Let's Encrypt, AWS Certificate Manager all do).
  3. Check the full chain, not just the leaf certificate. Tools like openssl s_client -connect yourdomain.com:443 -showcerts give you the full picture.
  4. Alert at 30 days, 7 days, and 24 hours. If the first alert goes to spam, the next one should hit a different channel.
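
The expiry check, the SAN mismatch check and the 30/7/1-day alert windows from the lists above, as an added Python example (not NoDowntimeShield's code). The function names, the sample certificate dict and the fixed clock are constructed for illustration; the dict has the shape returned by ssl.SSLSocket.getpeercert().

```python
import socket
import ssl
from datetime import datetime, timezone

ALERT_DAYS = (30, 7, 1)  # thresholds from step 4 (24 hours = 1 day)

def days_left(cert, now):
    """Whole days until notAfter, for a dict shaped like SSLSocket.getpeercert()."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - now.timestamp()) // 86400)

def san_covers(cert, hostname):
    """True if a DNS SAN matches hostname; '*' matches exactly one leftmost label."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower()
        if pattern == host:
            return True
        if pattern.startswith("*.") and "." in host and host.split(".", 1)[1] == pattern[2:]:
            return True
    return False

def findings(cert, hostnames, now):
    """Human-readable problems for one certificate and the hostnames it should serve."""
    out = []
    remaining = days_left(cert, now)
    if remaining < 0:
        out.append(f"expired {-remaining} day(s) ago")
    else:
        crossed = [d for d in ALERT_DAYS if remaining <= d]
        if crossed:
            out.append(f"expires in {remaining} day(s), inside the {min(crossed)}-day alert window")
    out += [f"SAN mismatch: {h} is not covered" for h in hostnames if not san_covers(cert, h)]
    return out

def fetch_cert(hostname, port=443, timeout=5.0):
    """Live lookup. The default context verifies the chain, so a missing intermediate
    or an already expired certificate raises ssl.SSLCertVerificationError instead."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()

# Constructed sample in getpeercert() format; not a real certificate.
SAMPLE = {"notAfter": "May  1 12:00:00 2026 GMT",
          "subjectAltName": (("DNS", "www.yourcompany.com"), ("DNS", "*.shop.yourcompany.com"))}
NOW = datetime(2026, 4, 25, 12, 0, tzinfo=timezone.utc)  # constructed clock
```

Run findings(fetch_cert(host), [host, ...], datetime.now(timezone.utc)) per hostname from a scheduler, and treat an ssl.SSLCertVerificationError from fetch_cert as its own finding.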

What we do

NoDowntimeShield monitors every hostname on every domain you add, alerts at 90/60/30/7/1 days, and hooks into Let's Encrypt to auto-renew where possible. Weak ciphers and chain problems are flagged as medium-severity findings with a one-paragraph fix.
