How to Avoid Expired Certificates: A Practical Guide
Certificate expiry outages are preventable.
An expired SSL certificate is not a technical glitch — it is a visible outage. Browsers block. API integrations fail. Support calls flood in. CertControl alerts the right people well in advance — not a shared inbox nobody watches.
Most people think of the browser warning. But certificate expiry hits broadly: API integrations fail silently, internal systems using mutual TLS stop communicating, and mail servers get rejected. The fallout compounds faster than you can complete a renewal under pressure.
The CA/Browser Forum has decided to significantly reduce TLS certificate lifetimes heading into 2029. For an organisation with 1,000 certificates, a 47-day maximum means up to 8,000 renewals per year. That is not a number you can manage in a spreadsheet.
Days maximum. Automation is already an advantage today — in a year, it will be a hard requirement.
Days maximum. Manual renewal frequency doubles — the same effort for half the certificate lifetime.
Days maximum. ACME integration is the only scalable solution at that point.
An alert is only useful if it reaches the person who can act on it, with enough context that they know exactly what to do. CertControl does not send generic notifications to shared inboxes.
Set alerts at 60, 30, 14, 7, and 1 day before certificate expiry. Critical systems can have additional thresholds. Configure per endpoint group — not just globally.
Alerts go to specific email addresses — not a generic inbox that nobody monitors. Set up primary and backup recipients per certificate or group.
Send alerts to Slack, Microsoft Teams, PagerDuty, or any system that accepts HTTP POST. Certificate expiry surfaces in the channel your team already uses for operational alerts.
As an ACME client, CertControl requests certificates from Let's Encrypt or another supported CA on your behalf. The Scale plan adds an ACME Server (RFC 8555): your internal servers — Linux and Windows — run certbot, acme.sh, or Posh-ACME pointing to CertControl, which issues or forwards orders to a supported upstream CA. With a DNS plugin configured, the entire renewal cycle is zero-touch — challenge, issuance, and installation handled automatically. The Scale plan also includes ARI (RFC 9773): CertControl signals the optimal renewal window to each ACME client, so fleet renewals are coordinated automatically — and mass-revocation reaches every server in one action.
A unified dashboard shows all certificates sorted by expiry date. Red, amber, green — you see at a glance what needs action today and what is coming up.
All alerts, acknowledgements, and renewals are logged automatically. The documentation is ready for NIS2 audits or internal review — you do not need to piece it together after the fact.
Browsers display a security warning and block access — users see the error, not the IT team. API calls fail with SSL errors and integrations stop without warning. Services that use the certificate for authentication stop working. The result is an outage discovered by customers, an emergency renewal under pressure, and potential NIS2 compliance problems.
For standard certificates: 30 and 14 days. For critical production systems: add 60 days as an early warning. Think about your actual renewal process — if it requires internal approval, an alert 7 days before expiry is too late. With the upcoming 47-day certificates, the first alert should go out at 21 days.
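The threshold policy above, as an added Python sketch (not CertControl code). It takes certificate dicts in the shape `ssl.SSLSocket.getpeercert()` returns and alerts on the tightest threshold crossed, so a missed check does not skip an alert. The names, the sample dates and the 14/7/1 follow-ups for short-lived certificates are assumptions of this example.

```python
import ssl
from datetime import datetime, timezone

# Thresholds in days before expiry, taken from the guidance above.
STANDARD = (30, 14)
CRITICAL = (60, 30, 14)
# Assumption: for certificates valid 47 days or less the first alert fires at
# 21 days (from the text); the 14/7/1 follow-ups are this example's choice.
SHORT_LIVED = (21, 14, 7, 1)

def _ts(field):
    # Parses the date format used in getpeercert() output, e.g.
    # "Jan  5 09:34:43 2018 GMT", into seconds since the epoch (UTC).
    return ssl.cert_time_to_seconds(field)

def thresholds_for(cert, critical=False):
    """Pick the alert thresholds from the certificate's validity period."""
    lifetime_days = (_ts(cert["notAfter"]) - _ts(cert["notBefore"])) / 86400
    if lifetime_days <= 47:
        return SHORT_LIVED
    return CRITICAL if critical else STANDARD

def due_alert(cert, now, critical=False, already_sent=()):
    """Return the threshold (days) to alert on now, 0 if expired, else None."""
    days_left = (_ts(cert["notAfter"]) - now.timestamp()) / 86400
    if days_left < 0:
        return 0  # already expired: always alert
    crossed = [t for t in thresholds_for(cert, critical) if days_left <= t]
    if not crossed:
        return None
    # Compare against crossed thresholds, not exact day counts, so a
    # monitoring run that was skipped still raises the alert it missed.
    tightest = min(crossed)
    return None if tightest in already_sent else tightest

# Constructed sample data (not real certificates).
NOW = datetime(2025, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
LONG = {"notBefore": "Jan  1 00:00:00 2025 GMT", "notAfter": "Jun 20 00:00:00 2025 GMT"}
SHORT = {"notBefore": "May  5 00:00:00 2025 GMT", "notAfter": "Jun 21 00:00:00 2025 GMT"}
EXPIRED = {"notBefore": "Jan  1 00:00:00 2025 GMT", "notAfter": "May 30 00:00:00 2025 GMT"}

if __name__ == "__main__":
    for name, cert in (("long", LONG), ("short", SHORT), ("expired", EXPIRED)):
        print(name, due_alert(cert, NOW))
```

Persist `already_sent` per certificate between runs so each threshold notifies once.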
Yes, in two modes. As an ACME client (Business plan), CertControl requests certificates from Let's Encrypt automatically — HTTP-01 and DNS-01 handled, private keys encrypted with AES-256-GCM. As an ACME Server (RFC 8555, Scale plan), your internal Linux and Windows servers run certbot, acme.sh, or Posh-ACME pointing to CertControl — zero-touch renewal including automatic certificate installation on the server.
Yes. The CertControl agent scans internal networks behind a firewall and includes internal certificates in the combined expiry monitoring and alerting. AD, mail, intranets, and CI/CD systems are monitored on exactly the same terms as internet-facing endpoints.