Preventing TLS Certificate Expiry with Automation
Why do certificate expiry outages still happen?
Certificate expiry has caused outages at organisations of all sizes. The root causes are consistently the same:
No centralised certificate inventory. Certificates exist on web servers, load balancers, CDNs, cloud services, mail servers, VPN gateways, and IoT devices. Without a complete inventory, certificates on less-visible services expire unnoticed.
Manual renewal processes. Calendar reminders and spreadsheets work until someone is on holiday, changes roles, or the reminder is dismissed. Manual processes do not scale as the number of certificates grows.
Forgotten subdomains and services. A staging server set up two years ago, a microservice behind a load balancer, a marketing landing page on a different CDN - these accumulate certificates that no one actively manages.
Organisational changes. When the person who set up a certificate leaves the organisation, knowledge of how to renew it may leave with them.
The industry is moving toward shorter certificate lifetimes. Let’s Encrypt issues 90-day certificates, and the CA/Browser Forum has proposed reducing maximum certificate lifetimes further. Shorter lifetimes improve security (less time for a compromised key to be exploited) but make manual management even less viable.
How does ACME automation prevent expiry?
The ACME protocol, standardised in RFC 8555, enables fully automated certificate management:
1. Domain validation. The ACME client proves control of the domain to the certificate authority using one of several challenge types:
- HTTP-01 - place a file at a specific URL on the web server
- DNS-01 - create a DNS TXT record (required for wildcard certificates)
- TLS-ALPN-01 - respond to a TLS challenge on port 443
2. Certificate issuance. Once validation succeeds, the CA issues the certificate and the client downloads it.
3. Installation. The client installs the certificate and reloads the web server configuration.
4. Scheduled renewal. A cron job or systemd timer runs the renewal process regularly (typically twice daily with Certbot). Certificates are renewed 30 days before expiry by default.
Setting up Certbot with automatic renewal:
certbot certonly --webroot -w /var/www/html -d example.com -d www.example.com
Certbot creates a systemd timer that checks for renewal twice daily. No further manual intervention is needed.
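The HTTP-01 step of the procedure above, written out as an added example (this is not Certbot's code and not part of the original article): it computes the RFC 7638 thumbprint of the ACME account key, builds the key authorization the CA fetches, stages it under the webroot the way `--webroot -w /var/www/html` does, and reads it back as a pre-flight check before validation is requested. The JWK, the token and the scratch webroot used here are constructed placeholders, and the function names are this example's own.

```python
import base64
import hashlib
import json
import re
from pathlib import Path

# Constructed RSA public JWK for the example: the "n" value is a placeholder, not
# a real modulus. A real ACME client uses the public half of its account key.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-not-a-real-key"}

# ACME tokens contain only base64url characters (RFC 8555 section 8.3); anything
# else is rejected before it can influence the filesystem path built below.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout ACME and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    serialised in lexicographic key order with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: the challenge response is token '.' thumbprint."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError(f"invalid ACME token: {token!r}")
    return f"{token}.{jwk_thumbprint(jwk)}"


def challenge_path(webroot: str, token: str) -> Path:
    """Where the CA fetches the response: http://<domain>/.well-known/acme-challenge/<token>."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError(f"invalid ACME token: {token!r}")
    return Path(webroot) / ".well-known" / "acme-challenge" / token


def stage_http01_challenge(webroot: str, token: str, jwk: dict) -> Path:
    """Write the key authorization into the webroot, which is what
    `certbot certonly --webroot -w <webroot>` does before asking the CA to validate."""
    target = challenge_path(webroot, token)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(key_authorization(token, jwk), encoding="ascii")
    return target


def verify_staged_challenge(webroot: str, token: str, jwk: dict) -> bool:
    """Pre-flight check before triggering validation: read back exactly what the CA
    would read. A wrong webroot path is a common cause of a failed HTTP-01 challenge,
    and this catches it locally instead of burning a validation attempt."""
    try:
        return challenge_path(webroot, token).read_text(encoding="ascii") == key_authorization(token, jwk)
    except (FileNotFoundError, ValueError):
        return False


if __name__ == "__main__":
    import tempfile

    root = tempfile.mkdtemp(prefix="acme-webroot-")  # scratch stand-in for /var/www/html
    path = stage_http01_challenge(root, "constructed-token-123", SAMPLE_JWK)
    print(path)
    print(path.read_text(encoding="ascii"))
    print("readback ok:", verify_staged_challenge(root, "constructed-token-123", SAMPLE_JWK))
```

Run it as a script to see the staged file and its content. The local read-back only proves the file is where the client put it; the CA's fetch additionally depends on the web server serving the `.well-known` directory over plain HTTP, so a failed challenge after a successful read-back points at the web server configuration rather than at the client.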
How do you monitor certificates across your entire domain portfolio?
ACME automation prevents expiry on servers you control, but certificates also exist on:
- CDNs and edge platforms (Cloudflare, Fastly, AWS CloudFront) - these manage their own certificates but may need manual configuration for custom domains
- SaaS platforms (HubSpot, Zendesk, Shopify) - certificates for custom domains on these platforms may require manual renewal
- Legacy systems - older servers, appliances, and embedded devices that do not support ACME
- Third-party managed services - services managed by vendors or partners
For these, monitoring is the safety net:
Certificate Transparency (CT) logs provide a public record of every certificate issued for your domains. Monitoring CT logs reveals certificates you may not know about - including any issued by unauthorised parties.
External scanning checks the actual TLS configuration of every reachable endpoint across your domains, verifying not just expiry dates but also cipher strength, protocol versions, and chain-of-trust issues.
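An added example (not SurfaceLoop's code and not from the original article) of the expiry arithmetic and alert ladder this section describes, plus a small live scanner built on Python's standard ssl module that reports expiry, protocol version, cipher and chain verification for a single endpoint. The reference clock and the notAfter strings are constructed; the 30-day renewal window and the 60/30/14-day alert thresholds are the values the article itself states, and the function names are this example's own.

```python
import math
import socket
import ssl
import time
from typing import Optional

RENEW_BEFORE_DAYS = 30           # Certbot's default renewal window
ALERT_THRESHOLDS = (60, 30, 14)  # the alert thresholds recommended in this article

# Constructed reference clock for the offline part of the example: 1 May 2025 00:00 UTC.
SAMPLE_NOW = ssl.cert_time_to_seconds("May  1 00:00:00 2025 GMT")


def days_until_expiry(not_after: str, now_epoch: Optional[float] = None) -> int:
    """Whole days left. not_after is the string ssl.getpeercert() returns,
    e.g. 'Jun  1 12:00:00 2025 GMT'. Negative means already expired."""
    expiry = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now_epoch is None else now_epoch
    return math.floor((expiry - now) / 86400)


def renewal_due(days_left: int, renew_before: int = RENEW_BEFORE_DAYS) -> bool:
    """The same decision an ACME client makes on every timer run."""
    return days_left <= renew_before


def classify(days_left: int, thresholds=ALERT_THRESHOLDS) -> str:
    """Map days left onto the alert ladder: 'ok', 'alert-60', 'alert-30', 'alert-14'
    or 'expired'. Only the tightest crossed threshold is reported, so a certificate
    20 days out produces 'alert-30', not three separate alerts."""
    if days_left < 0:
        return "expired"
    crossed = [t for t in thresholds if days_left <= t]
    return f"alert-{min(crossed)}" if crossed else "ok"


def scan_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check of one endpoint (needs network; the offline test does not call it).
    With a trusted chain it reports expiry, protocol version and cipher. A chain that
    fails verification (untrusted issuer, hostname mismatch, already expired) is
    returned as a finding rather than raised, since that is what monitoring is for."""
    result = {"host": host, "port": port, "chain_ok": False}
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                days = days_until_expiry(cert["notAfter"])
                result.update(
                    chain_ok=True,
                    protocol=tls.version(),
                    cipher=tls.cipher()[0],
                    not_after=cert["notAfter"],
                    days_left=days,
                    status=classify(days),
                    renewal_due=renewal_due(days),
                )
    except ssl.SSLCertVerificationError as exc:
        result["error"] = exc.verify_message
    except (OSError, ssl.SSLError) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    import sys

    # Constructed notAfter values evaluated against the constructed reference clock.
    for not_after in ("Jun  1 12:00:00 2025 GMT", "May 20 00:00:00 2025 GMT", "Apr 30 23:00:00 2025 GMT"):
        days = days_until_expiry(not_after, SAMPLE_NOW)
        print(f"{not_after}: {days:4d} days -> {classify(days)}, renew={renewal_due(days)}")
    if len(sys.argv) > 1:
        print(scan_endpoint(sys.argv[1]))  # e.g. python scan.py example.com
```

Run it with a hostname argument to scan a live endpoint. Note that an expired certificate never reaches the expiry arithmetic in a live scan: the default context rejects it during the handshake, so it surfaces as `chain_ok: False` with the verifier's message, which is the correct outcome for an alert but means expiry dates themselves must be tracked before that point, from the inventory or from earlier scans.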
How SurfaceLoop handles this
SurfaceLoop monitors TLS certificates across all your domains and subdomains. It tracks expiry dates, alerts at configurable thresholds (60, 30, 14 days), and identifies certificates with weak configurations - covering the services that ACME automation cannot reach.
See TLS & Certificates feature →
Frequently asked questions
- What happens when a TLS certificate expires?
- When a TLS certificate expires, browsers display a security warning that blocks most visitors from proceeding. APIs and integrations that validate certificates will fail with TLS handshake errors. The result is immediate service disruption for users, automated systems, and partner integrations - often discovered only when customers report the outage.
- How far in advance should certificates be renewed?
- Renew certificates at least 30 days before expiry for manually managed certificates. Automated ACME clients like Certbot typically renew at 30 days remaining. For critical services, set monitoring alerts at 60, 30, and 14 days to catch any renewal failures before they cause outages.
- What is ACME and how does it automate certificate management?
- ACME (Automatic Certificate Management Environment) is a protocol that automates certificate issuance, renewal, and installation. Clients like Certbot communicate with certificate authorities like Let's Encrypt to prove domain ownership, obtain certificates, and install them - all without manual intervention. ACME eliminates most certificate expiry incidents.
- How do I monitor certificates across many domains?
- Use an EASM platform or certificate monitoring service that scans all your domains and subdomains for TLS certificates, tracks expiry dates, and alerts before certificates expire. Manual tracking via spreadsheets breaks down at scale because certificates exist on subdomains, load balancers, CDNs, and services the team may not know about.