Expired certificates happens frequently enough to our clients: life is good, all systems working. Then mysteriously, you start getting communication failures with an application like Skype for Business. Turns out, a certificate expired at 11:14 am today and now communication between machines isn’t trusted. Remedying the issue isn’t too bad in most cases, but the lost productivity is a problem. An easily avoided problem. Here are a few tips to help avoid death-by-expiration.
One of the advantages of third-party certificates that will help in this situation is the issuer wants you to give them money again. So, when you’re coming up for renewal they will be sending you reminder mails that your certificate will be expiring soon.
A key element of third-party certificates working properly though is to make sure the email address they are sending to is a distribution group. Frequently we’ve seen individuals set up the accounts with a single admin’s work address (sometimes even a personal address, which can cause other issues). By using a single address you run the risk of missed notifications if the user is on vacation or staff turnover occurs. It’s always best to setup a distribution group for example: ITVendorNotifications@domain.com. Then the responsible IT staff in that group will help provide adequate coverage.
Most organizations will have an internal PKI (Public Key Infrastructure) in place. Since you lose the capitalism-motivated certificate issuer notification, you’ll need to implement another solution.
A simple way is to track certificate information is in a spreadsheet and monitor it monthly. Key information is documented such as subject name, SAN (Subject Alternative Names) entries, expiration date, etc. When an expiration date is approaching, the IT staff responsible reads the notes for renewal process, and puts the updated certificate in place on all relevant servers. This is a manual method, but provides many advantages since the steps related to renewing, exporting and importing certificates are clearly documented.
Management Software & IT Support Services
The other method is to make use of a Management Software or IT Support services such as PULSE (Peters’ Unified Life Support for the Enterprise). The software or IT Support Service monitors the event logs and provides a notification when a certificate is approaching expiration. The notification is sent to the responsible IT staff, prompting them to renew before the expiration date. The advantage is that these alerts will be automatically generated without manually maintaining a spreadsheet.
The few options outlined can help avoid expiring certificates. Do you need help documenting your certificate usage or are you interested in implementing PULSE? Contact our IT Support Services group at firstname.lastname@example.org or 630.832.0075.