Guide · 2026-04-03 · 7 min read

SSL Certificate Management: A Complete Guide

SSL certificate expiry is the most preventable type of outage — and one of the most embarrassing. Your site goes down, browsers show scary warnings, and the fix takes 30 seconds once someone notices. The problem is that "someone noticing" often takes hours. Here's how to manage SSL certificates properly.

How SSL/TLS certificates work (the 60-second version)

When a user visits your site over HTTPS, their browser checks your SSL certificate to verify:

  1. The certificate chains, through any intermediates the server sends, to a Certificate Authority (CA) the browser trusts
  2. The certificate hasn't expired (and isn't yet valid, if the clock is wrong)
  3. The host name being visited is listed in the certificate's Subject Alternative Names (a wildcard such as *.example.com covers one label only, so it does not cover example.com itself or a.b.example.com)

If any of these checks fail, the browser shows a full-page warning. Most users leave immediately, and search engine crawlers hit the same error, which hurts rankings for as long as it persists.

Why certificates still expire

With Let's Encrypt and auto-renewal, certificate expiry should be a solved problem. But it still happens regularly because of:

  • Auto-renewal failures — DNS changed, server moved, port 80 blocked (the HTTP-01 challenge needs it reachable from the internet at renewal time), or a DNS API token expired for DNS-01
  • Manual certificates — Purchased certs that someone forgot to renew
  • Load balancer certs — Updated on the origin but not the CDN/load balancer
  • Wildcard cert mismanagement — One cert covering 20 subdomains expires
  • Staging vs. production — Auto-renewal works on staging but production has different config

Auto-renewal setup

Let's Encrypt with certbot

# Install certbot (on snap-based installs the unit below is snap.certbot.renew.timer instead)
sudo apt install certbot python3-certbot-nginx

# Get certificate and set up auto-renewal; HTTP-01 validation needs port 80 open
sudo certbot --nginx -d example.com -d www.example.com

# Verify auto-renewal works end to end (talks to the staging CA, writes nothing)
sudo certbot renew --dry-run

# Check the renewal timer is installed and scheduled
systemctl list-timers | grep certbot

Platform-managed SSL

Most modern platforms handle SSL automatically:

  • Vercel — Automatic SSL for all deployments, including custom domains
  • Cloudflare — Universal SSL certificate, auto-renewed
  • AWS ACM — Free certificates, auto-renewed when used with ALB/CloudFront
  • Netlify — Automatic Let's Encrypt certificates

Even with platform-managed SSL, monitor it. Platforms can have bugs, and DNS misconfigurations can prevent renewal.

Certificate monitoring checklist

Set up monitoring that checks your certificates regularly. Here's what to track:

  • Days until expiry — Alert at 30, 14, 7 and 1 days. Caveat for 90-day Let's Encrypt certificates: certbot only attempts renewal once fewer than 30 days remain, so a 30-day alert fires before renewal has even been tried; put the first threshold inside the renewal window (for example 21 days) or alert on renewal failures instead
  • Certificate chain validity — Intermediate certificates matter
  • Domain match — Cert covers the right domains
  • Protocol version — TLS 1.2+ (TLS 1.0 and 1.1 are deprecated)

Manual certificate check

# Check certificate expiry from the command line.
# -servername sends SNI; without it a multi-tenant host may return a different
# (default) certificate than the one browsers actually see.
echo | openssl s_client -servername example.com \
  -connect example.com:443 2>/dev/null | \
  openssl x509 -noout -dates

# Output:
# notBefore=Jan  1 00:00:00 2026 GMT
# notAfter=Apr  1 00:00:00 2026 GMT
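The checks in the monitoring checklist (days until expiry with tiered alerts, and host name match including the one-label wildcard rule) are small enough to implement in a few lines of standard-library Python. The block below is an added example, not code from the original page or from any monitoring product: it works on a certificate dictionary in the shape `ssl.SSLSocket.getpeercert()` returns (the same `notAfter` string openssl prints above), so it runs offline against a constructed sample; `fetch_cert` is the live-fetch helper you would plug in instead, and the threshold list, `SAMPLE_CERT` and `SAMPLE_NOW` are assumptions made for the example.

```python
"""Certificate expiry and host name checks on ssl.getpeercert()-shaped data (added example)."""
import socket
import ssl
import time

# Assumed alert thresholds; see the checklist caveat on Let's Encrypt's 30-day renewal window.
ALERT_THRESHOLDS_DAYS = (30, 14, 7, 1)


def days_until_expiry(not_after, now=None):
    """Days left before `not_after` ('Apr  1 00:00:00 2026 GMT', as openssl and getpeercert emit it).

    ssl.cert_time_to_seconds parses that exact format and treats it as UTC.
    """
    expires_at = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return (expires_at - now) / 86400.0


def alert_level(days_left, thresholds=ALERT_THRESHOLDS_DAYS):
    """Tightest threshold crossed: 7 when 5 days remain, 0 once expired, None when nothing to report."""
    if days_left <= 0:
        return 0
    crossed = [t for t in thresholds if days_left <= t]
    return min(crossed) if crossed else None


def san_dns_names(cert):
    """DNS entries of the subjectAltName extension; CN is ignored, as modern browsers ignore it."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(hostname, dns_names):
    """RFC 6125-style match: exact name, or a wildcard in the leftmost label only.

    '*.example.com' covers 'api.example.com' but neither 'example.com' nor 'a.b.example.com'.
    """
    host = hostname.lower().rstrip(".")
    for name in dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # '.example.com'
            # Same number of labels guarantees the wildcard replaced exactly one label.
            if host.endswith(suffix) and host.count(".") == name.count("."):
                return True
    return False


def check_cert(cert, hostname, now=None):
    """Run the monitoring checks and return a small report dict."""
    days = days_until_expiry(cert["notAfter"], now)
    return {
        "days_left": days,
        "alert": alert_level(days),
        "hostname_ok": hostname_matches(hostname, san_dns_names(cert)),
    }


def fetch_cert(hostname, port=443, timeout=5.0):
    """Live fetch for real monitoring. server_hostname sets SNI, exactly like -servername above;
    create_default_context also verifies the chain, so a missing intermediate raises here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certificate, mirroring the openssl output shown above (not a real cert).
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "notBefore": "Jan  1 00:00:00 2026 GMT",
    "notAfter": "Apr  1 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
# Assumed "current time" for the offline run: five days before expiry.
SAMPLE_NOW = ssl.cert_time_to_seconds("Mar 27 00:00:00 2026 GMT")

if __name__ == "__main__":
    for host in ("example.com", "api.example.com", "a.b.example.com", "evil.com"):
        print(host, check_cert(SAMPLE_CERT, host, now=SAMPLE_NOW))
```

Swap `SAMPLE_CERT` for `fetch_cert("example.com")` to check a live host; note that the live fetch already fails closed on chain problems, which is the behaviour you want from a monitor, whereas `openssl x509 -dates` above happily prints dates for a certificate it could not verify.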

Common SSL pitfalls

Mixed content

Your site loads over HTTPS but includes HTTP resources (images, scripts, stylesheets). Browsers block active mixed content (scripts, stylesheets, iframes) outright and either upgrade or block passive content such as images, so the page breaks or degrades silently. A quick first pass from the browser console (plain `<a href="http:...">` links are navigation, not mixed content, so they are excluded; CSS `url()` references and `srcset` are not caught here, the Console and Security panels report those):

// Quick check in browser console: resources fetched over http: on an https: page
document.querySelectorAll('[src^="http:"], link[href^="http:"]')
  .forEach(el => console.warn('Mixed content:', el.tagName, el.src || el.href));

Certificate chain issues

Your server has a valid leaf certificate but is not sending the intermediate certificate(s). It works in desktop Chrome and Firefox, which fetch a missing intermediate from the CA's AIA URL or already have it cached from another site, but fails in curl, many mobile and embedded clients, and API clients that trust only what the server sends. Test the full chain with a strict client, and inspect what the server actually serves with `openssl s_client -showcerts`:

# Test the full certificate chain
curl -I https://example.com
# If intermediates are missing, you'll get:
# curl: (60) SSL certificate problem: unable to get local issuer certificate

HSTS preloading

If you've enabled HSTS (HTTP Strict Transport Security) and your certificate expires, users cannot reach your site at all: browsers treat a certificate error on an HSTS host as fatal and offer no click-through. Preloading goes further, shipping the policy inside the browser so it applies even before a first visit and cannot be switched off by removing the header; getting a domain off the preload list takes months. HSTS is great for security but makes certificate management even more critical.

Monitoring SSL expiry automatically

Don't rely on calendar reminders or hoping auto-renewal works. Use automated monitoring that checks your certificates daily and alerts you well before expiry. If you're looking for an easy way to monitor SSL certificates alongside your endpoint uptime, PingGuard automatically checks SSL expiry on every monitor and alerts you when certificates are approaching expiration. It's included free with every endpoint you monitor — no additional setup required.

Ready to monitor your endpoints?

Free for 5 endpoints. No credit card required.

Start Monitoring Free
