
How to Prevent SSL Certificate Expiry: The Complete Checklist

Updated May 2026

SSL certificate expiry is one of the most preventable causes of website downtime. Yet it still happens to organizations of every size — from startups to Fortune 500 companies. The reason is almost always the same: no systematic process for monitoring and renewing certificates. This checklist fixes that.

Why Certificates Still Expire (Despite Best Intentions)

Teams know certificates expire. The problem is execution: certificate ownership is unclear, alerts are set to only one channel that nobody checks, renewal reminders are calendar events that get dismissed, or auto-renewal fails silently on an expired credit card.

Certificate lifetimes are also shortening. The CA/Browser Forum has approved a phased reduction of the maximum validity of public TLS certificates, from 398 days today to 200 days in March 2026, 100 days in March 2027 and 47 days in March 2029; the schedule originated as an Apple proposal and is enforced through the browser root programs, not by Safari alone. Shorter lifetimes mean more frequent renewals, which multiplies the chances that a manual process fails.

The Complete Prevention Checklist

Inventory & Discovery

List every domain and subdomain your organization owns
Identify certificates on all servers, load balancers, CDNs, and APIs
Document each certificate's issuer, expiry date, and renewal contact
Track wildcard certificates and which subdomains they cover
Include third-party services with custom domains (e.g., SaaS products on your domain)

Monitoring & Alerting

Set up automated checks at least every 24 hours for each endpoint, connecting with SNI and reading the certificate actually served (a load balancer or CDN can present a different certificate than the origin)
Configure alerts at 60, 30, 14, and 7 days before expiry
Route alerts to email AND a secondary channel (WhatsApp, Slack, PagerDuty)
Assign a named owner for each certificate renewal
Test your alert delivery regularly — don't assume it works

Renewal Process

Define a clear renewal procedure document and share it with the team
Start renewal at least 30 days before expiry (not the day before)
Validate the new certificate on a staging environment before deployment
Have rollback procedures ready in case of deployment failure
If mobile apps or API clients pin the certificate or its public key, ship the new pin (or reuse the same key pair) before the renewed certificate goes live; updating pins after the switch means those clients fail until they are updated

Automation

Consider Let's Encrypt with Certbot: 90-day certificates that Certbot renews automatically once fewer than 30 days remain, driven by a cron job or systemd timer that runs `certbot renew`
Use an ACME client integrated with your web server: Caddy has ACME built in, and Certbot's nginx and Apache plugins also install the renewed certificate
Automate certificate deployment via CI/CD pipelines
Rotate certificates automatically on cloud providers (AWS ACM, GCP, Azure Key Vault)
Log every renewal event for audit purposes

When Auto-Renewal Fails

Auto-renewal is not foolproof. Common failure modes include:

  • DNS challenge fails due to a DNS provider API key expiry
  • HTTP challenge fails because port 80 is blocked by a firewall rule change
  • Let's Encrypt rate limits are hit, for example by reissuing the same certificate repeatedly while debugging a failed deployment, or by issuing too many certificates for one registered domain within a week
  • Cloud certificate manager loses access to the domain due to IAM permission changes
  • The certificate is renewed but deployment to the load balancer fails silently

The only way to catch auto-renewal failures is to monitor the certificate actually served in production, not just your renewal job's exit code. An external monitoring service checks the live certificate independently of your renewal infrastructure: it should connect with SNI the way a browser does, validate the chain it receives, confirm the certificate covers the hostname, and read the expiry date from the leaf certificate.

The 30-Day Rule

If your certificate has fewer than 30 days remaining, treat it as urgent — not routine.

30 days gives you time to deal with unexpected complications: DNS propagation delays, CA validation issues, deployment rollbacks, and team availability gaps during holidays or weekends.
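The external check described in "When Auto-Renewal Fails", combined with the 30-day rule, as an added example that is not CertNotify's code or anything from the original page: a small Go program that connects to each host with SNI, lets the TLS handshake validate the chain, and then reports days left, a severity label (under 30 days is urgent, inside the 60-day alert window is a warning) and whether the certificate's names actually cover the hostname, which is what catches a wildcard that stops one label short. The hostnames and ports on the command line are whatever you pass in; `selfSignedCert` is a constructed helper that mints throwaway certificates so the checks can be exercised offline, and is not a CA-issued certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"os"
	"time"
)

// daysLeft is the number of whole days until NotAfter (negative once expired).
func daysLeft(cert *x509.Certificate, now time.Time) int {
	return int(cert.NotAfter.Sub(now).Hours() / 24)
}

// severity applies the 30-day rule: under 30 days is urgent, inside the 60-day
// alert window is a warning, past NotAfter is expired.
func severity(days int) string {
	switch {
	case days < 0:
		return "expired"
	case days < 30:
		return "urgent"
	case days <= 60:
		return "warning"
	}
	return "ok"
}

// checkLeaf evaluates a leaf certificate for host: days left, severity, and whether
// the certificate's SANs cover host (a wildcard matches exactly one DNS label).
func checkLeaf(host string, cert *x509.Certificate, now time.Time) (days int, sev string, nameOK bool) {
	days = daysLeft(cert, now)
	return days, severity(days), cert.VerifyHostname(host) == nil
}

// fetchLeaf connects with SNI set to host, as a browser would, and returns the leaf
// certificate the server actually served. The handshake validates the chain against
// the system roots, so a renewal that deployed a broken chain also fails here.
func fetchLeaf(host, port string, timeout time.Duration) (*x509.Certificate, error) {
	d := &net.Dialer{Timeout: timeout}
	conn, err := tls.DialWithDialer(d, "tcp", net.JoinHostPort(host, port), &tls.Config{ServerName: host})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	// A verified handshake guarantees at least one peer certificate; index 0 is the leaf.
	return conn.ConnectionState().PeerCertificates[0], nil
}

// selfSignedCert builds a throwaway certificate for hostname with the given days left.
// Constructed test input so the checks can run offline; not a CA-issued certificate.
func selfSignedCert(hostname string, days int, now time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    now.Add(-400 * 24 * time.Hour),
		NotAfter:     now.Add(time.Duration(days) * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// usage: go run certcheck.go example.com api.example.com:8443   (hosts are assumptions)
func main() {
	exit := 0
	for _, arg := range os.Args[1:] {
		host, port, err := net.SplitHostPort(arg)
		if err != nil { // bare hostname: assume HTTPS
			host, port = arg, "443"
		}
		cert, err := fetchLeaf(host, port, 10*time.Second)
		if err != nil {
			fmt.Printf("%s: ERROR %v\n", host, err)
			exit = 1
			continue
		}
		days, sev, nameOK := checkLeaf(host, cert, time.Now())
		fmt.Printf("%s: %s, %d days left (expires %s, issuer %q, name match %v)\n",
			host, sev, days, cert.NotAfter.Format("2006-01-02"), cert.Issuer.CommonName, nameOK)
		if sev != "ok" || !nameOK {
			exit = 1 // non-zero exit lets a cron job or CI step page someone
		}
	}
	os.Exit(exit)
}
```

Run it from a host outside your renewal infrastructure so a broken chain, a firewall change or a stale certificate on a load balancer shows up as a failed handshake or a short `days left`, regardless of what the renewal job reported. The exit code is the alert signal; route it to the secondary channel the checklist asks for.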

Automate Your Certificate Monitoring

CertNotify monitors all your domains and sends you alerts at 30, 14, and 7 days before expiry — via Email and WhatsApp. Free plan covers up to 3 domains.

Start Monitoring Free