In today’s Internet world, the image of a green padlock in the browser is unanimously thought to be a synonym of trust. This green padlock represents an active and valid SSL certificate, indicating the trustworthiness of your website in terms of security and proper authentication. Protecting your website is crucial for your organization’s reputation and for gaining customers’ trust.

SSL (Secure Socket Layer) provides end-to-end security between the client and server, by establishing a secure channel with the help of encryption. SSL exchanges the cryptographic information on behalf of the client and server and forms a trust relationship between them to ensure the information exchanged is private and secure.

One of the most important aspects of the SSL certificate lifecycle is expiry. The dates associated with a certificate’s expiry play a critical role in providing assurance about the server’s security landscape. A valid certificate presents the unique identity of the server to the browser, which uses it to confirm the identity of the server.
Fixing expired certificates without prolonged delay is vital for any organization to avoid data theft or damage. Websites with no certificate or an expired certificate are prone to attacks that can lead to serious consequences.

Why do certificates expire?

There have been long debates about why long-lasting certificates don’t exist.
The answer is very simple: security. Let me explain why and how.
A certificate enables two attributes: authentication and encryption.
The authentication attribute of a certificate validates and verifies the true identity of the end entity, i.e., the domain, by various means during the validation process. Based on the outcome of the validation process, the certificate is issued for the end entity to owner A.

Now, let’s assume the ownership of the end entity changes from owner A to owner B while the certificate issued to the end entity is still valid. What if the new owner B misuses the certificate or domain in the name of owner A, as the certificate still contains the information proprietary to owner A? Thus, it’s important for Certificate Authorities that issue trusted certificates to ensure that the information they use to authenticate domains and organizations is as up-to-date and accurate as possible; hence it is mandatory to associate an expiry date with the certificate.

Significance of expired SSL certificates

As mentioned earlier, every SSL certificate has a validity period associated with it. Once this period is over, the SSL certificate becomes invalid and the browser starts displaying a warning message on the webpage.
In general, the validity period of SSL certificates is 3 years or less. During this period, the certificate signifies that the information contained therein is accurate and up-to-date. This also manifests trustworthiness, legitimate ownership of the domain, security, and privacy on the platform.

It is important for your organization to monitor its certificates regularly and renew them before they expire. In the field, Certificate Authority vendors send out notifications at regular intervals for the renewal of certificates that will expire in the near future; otherwise, an expired certificate might result in an outage for business users and mission-critical applications. In addition, there are vendors that provide certificate lifecycle management solutions through their proprietary software. These software solutions automate the overall certificate lifecycle management process, including the renewal of certificates.
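
A small version of the monitoring described above, as an added example (not from the original article or any vendor's product): it sorts an inventory of certificate notAfter dates into expired, due for renewal and healthy. The 30-day renewal window, the hostnames and the dates are constructed assumptions.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

RENEW_WINDOW = timedelta(days=30)  # assumption: start renewal 30 days before expiry
CERT_HAS_EXPIRED = 10              # OpenSSL verify code X509_V_ERR_CERT_HAS_EXPIRED

def classify(not_after, now, window=RENEW_WINDOW):
    """Map an OpenSSL-style notAfter string to (status, whole days left)."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    remaining = expires - now
    if remaining < timedelta(0):
        status = "EXPIRED"
    elif remaining <= window:
        status = "RENEW"
    else:
        status = "OK"
    return status, remaining.days

def audit(inventory, now):
    """Return (host, status, days_left) rows, most urgent first."""
    rows = [(host, *classify(not_after, now)) for host, not_after in inventory.items()]
    return sorted(rows, key=lambda row: row[2])

def fetch_not_after(host, port=443, timeout=5.0):
    """Live lookup: notAfter of the served certificate, or None if already expired."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as err:
        if err.verify_code == CERT_HAS_EXPIRED:
            return None  # handshake refused because the certificate is past notAfter
        raise            # any other trust failure is a different problem

# Constructed inventory in the date format getpeercert() reports; hosts are placeholders.
SAMPLE_INVENTORY = {
    "intranet.example.test": "Dec 31 23:59:59 2024 GMT",
    "shop.example.test": "Jan 11 00:00:00 2024 GMT",
    "api.example.test": "Mar  1 00:00:00 2024 GMT",
}
SAMPLE_NOW = datetime(2024, 2, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    for host, status, days in audit(SAMPLE_INVENTORY, SAMPLE_NOW):
        print(f"{status:8} {days:5d}d  {host}")
```

A client that verifies certificates refuses the handshake once the certificate has expired, which is why fetch_not_after reports that case from the verification error instead of from the certificate itself.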

Fixing expired SSL certificate

Organizations should always be alerted before a certificate expires; however, that’s not the case all the time. The following is the way to renew an expired certificate:
Renew the expired certificate

  1. Generating a New CSR (Certificate Signing Request)

    This can be generated on the platform of your SSL service provider or by contacting your SSL service provider.

  2. Selecting the appropriate SSL Certificate

    You need to select the appropriate SSL certificate as per your requirements. There are various certificates that carry different validation levels.

  3. Domain Validation

    Domain validation is needed in order to prove ownership of the domain by your organization. In general, there are three methods for domain validation:

    • Email validation
    • HTTP validation
    • DNS-based validation

  4. Installing the SSL Certificate

    Once the domain validation is completed, a new certificate is issued for your domain. Once the new certificate is received via email, you can go ahead and install the certificate on the server or appliance.

Note: In general, the SSL certificate can be renewed before the certificate is expired. If the certificate is already expired, then you might need to raise a new request to issue a new certificate.

Implications of an expired SSL certificate

When using an expired SSL certificate, there is a continuous risk to the encryption and mutual authentication of the website. Websites with expired certificates are prone to attacks by hackers. Unsecured websites could be hacked, and critical information might be leaked.
Browsers show a warning message for websites with expired certificates. This might result in a loss of business for your organization, as some prospective customers might choose not to initiate business communication with someone who is not secure.
In the Internet age, a secure online presence presents lots of business opportunities with respect to prospective customers; however, this requires your SSL certificate to be up-to-date to maintain a trust relationship.

Conclusion

Keeping SSL certificates active is crucial in maintaining authenticity and trustworthiness of your website. In addition to safeguarding the information, SSL certificates help to establish positive customer impacts. Understanding certificate expiration and why to fix expired certificates is important in enhancing the reputation of your brand and business.


About the Author

Dipanshu Bhatnagar is a Principal Consultant Cloud Security Specialty at Encryption Consulting working with PKIs, AWS Cloud Cryptographic services and tools, Google Cloud Cryptographic Services, and helping high profile clients towards their cloud journey with complete data privacy assurance.

Internet Security Research Group originally developed an Automated Certificate Management Environment (ACME) protocol for their Public CA, Let’s Encrypt. ACME is what drives Let’s Encrypt’s entire business model, which allows them to issue 90-day, domain validated SSL certificates, which can be renewed and replaced without the website owner’s intervention.

The objective is to set up an HTTPS server that will automatically obtain trusted certificates without any human intervention.

Overview

IETF developed an Automated Certificate Management Environment (ACME) for Automatic Certificate Management. ACME protocol provides an efficient way to validate that a certificate requester is authorized for the requested domain and automatically installs the certificates.

This validation is performed by requiring the requester to place a random string (provided by the CA or certificate manager) on the server for verification via HTTP, or in a text record of the server’s Domain Name System (DNS) entry. Client programs, such as Certbot, can automatically perform all of the operations needed to request a certificate, minimizing the manual work. Let’s Encrypt and several other public CAs support automated management of public-facing certificates by using the ACME protocol.

However, public CAs cannot perform ACME validation for certificates installed on systems inside organizational networks, because external entities cannot make HTTP or DNS connections to internal systems. A certificate manager can make internal HTTP and DNS connections and can be used for ACME-based certificate management on internal networks. An advantage of the ACME protocol is that a variety of CAs, certificate managers, and clients across a broad set of TLS servers and operating systems support it. A disadvantage of ACME is that there is no primary method for triggering a certificate replacement in response to a certificate event (e.g., CA compromise).

ACME defines an extensible framework for automating the issuance and validation process of these certificates. The servers are allowed to obtain certificates without any human intervention.

ACME Protocol Model

ACME uses HTTPS as a transport for JavaScript Object Notation (JSON) Web Signature (JWS) objects. These are also called REST API.

ACME servers run on Certificate Authorities (CAs) and respond to the client’s actions if they are authorized. The client uses the ACME protocol to request certificate management actions. ACME clients are represented by “account key pairs.” The private key is used to sign all messages to the server, and the ACME server uses the public key to verify the authenticity of the messages and ensure their integrity.
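
How the random string from the Overview is tied to an account key pair, as an added example (not code from the article or from any ACME client): it derives the value a client serves for HTTP validation and publishes for DNS validation, following RFC 8555 and RFC 7638, and shows the CA-side comparison. The token, domain and key values are constructed placeholders, not a real key.

```python
import base64
import hashlib
import hmac
import json

# Members that feed the RFC 7638 thumbprint, per key type (other members are ignored).
THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}

def b64url(data):
    """Unpadded base64url, the encoding ACME uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk):
    """SHA-256 thumbprint of the account public key (RFC 7638)."""
    canonical = {name: jwk[name] for name in THUMBPRINT_MEMBERS[jwk["kty"]]}
    encoded = json.dumps(canonical, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(encoded.encode("utf-8")).digest())

def key_authorization(token, account_jwk):
    """token + '.' + thumbprint: ties the CA's random token to one account key."""
    return token + "." + jwk_thumbprint(account_jwk)

def http01_response(token, account_jwk):
    """(URL path, body) the client serves over plain HTTP on the domain."""
    return "/.well-known/acme-challenge/" + token, key_authorization(token, account_jwk)

def dns01_record(domain, token, account_jwk):
    """(TXT record name, value) the client publishes in the domain's DNS zone."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return "_acme-challenge." + domain, b64url(digest)

def ca_accepts_http01(fetched_body, token, account_jwk):
    """CA-side check: the body fetched from the domain must match this account."""
    expected = key_authorization(token, account_jwk)
    return hmac.compare_digest(fetched_body.rstrip().encode("utf-8"), expected.encode("utf-8"))

# Constructed sample values: not a real key, token or domain.
TOKEN = "constructed-token-0123456789abcdefABCDEF_-x"
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "kid": "constructed",
               "x": "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8",
               "y": "ICEiIyQlJicoKSorLC0uLzAxMjM0NTY3ODk6Ozw9Pj8"}
OTHER_JWK = dict(ACCOUNT_JWK, x="_-7tzMvKycjHxsXEw8LBwL--vby7urm4t7a1tLOysbA")

if __name__ == "__main__":
    print("HTTP-01:", http01_response(TOKEN, ACCOUNT_JWK))
    print("DNS-01: ", dns01_record("example.test", TOKEN, ACCOUNT_JWK))
    foreign = key_authorization(TOKEN, OTHER_JWK)  # same token, different account key
    print("other account accepted:", ca_accepts_http01(foreign, TOKEN, ACCOUNT_JWK))
```

Because the served value includes the account key's thumbprint, a response built from the same token under a different account key does not validate.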

How ACME Protocol Works

Setting Up

An ACME server needs to be appropriately configured before it can receive requests and install certificates. Steps to set up ACME servers are:

  • Setting up a CA: ACME will be installed in a CA, so we need to choose a CA on the domain where we want ACME to be available.
    • Enter the domain where ACME will be installed
    • Choose on which CA it will be installed
  • Authorization
    • The client contacts the CA and generates an authorized key pair
    • CA issues DNS or HTTPS challenges that the client responds to and solves to prove authority and control.
    • CA also sends a nonce, a random number, which is signed using the client’s private key and sent back for verification to the CA.

This concludes the setting up of ACME. Post-installation, the automation would begin to work. There are a few steps that ACME takes:

  • Issuing/Renewing Certificates: ACME has the authority to issue or renew certificates to authorized users. At first, the client (or agent) generates a Certificate Signing Request (CSR), sent to the CA. The CSR is signed by the agent, which the CA can confirm is genuine and comes from the agent. The CA, after verification, issues the certificate for the domain and returns it to the agent.
  • Revocation: Like the previous process, the agent signs a revocation request sent to the CA. The CA again confirms the request’s authenticity and then revokes the certificate, publishing on CRL, OCSP, etc., for the PKI infrastructure.

ACME Protocol Functions

ACME uses various URLs and resources for different management functions it can provide. Some functions include:

  • New Nonce
  • New Registration
  • New Application
  • New Authorization
  • Revoke Certificate
  • Key change

Advantages

ACME provides an automated way to give certificates and revoke them quickly, without human error. Apart from these, there are a few advantages to look out for…

  • ACME is free, which lets any domain owner get a trusted certificate at no cost.
  • As previously stated, ACME automates the certificate lifecycle with no human error.
  • ACME can be used by anyone, and it supports uniform protocols for all functions instead of separate APIs.
  • It is supported by open source, which helps to impact the whole community and grow more impactful projects, enhancing security.
  • In case of a compromise, ACME can help quickly mitigate the issue, replace the old certificates with new ones, and switch to a new CA.


About the Author

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.

Education Center, Encryption Basics

What is TLS/SSL?

When we use HTTPS to communicate with a web server, we use asymmetric encryption. For asymmetric encryption, we need a public key and a private key. The authenticity of the public key is unknown, which is where SSL/TLS certificates come into play.

An SSL/TLS certificate is a certificate signed by a trusted CA. The CA uses their private key to sign the certificate, which includes who the certificate is issued to, the validation period, and the public key. Since the public key is attached to the certificate, it proves the legitimacy of the public key so that it can be used for further secure communication between the webserver and client.

Source 1: www.cloudflare.com

When SSL version 3.0 was updated, instead of it being called SSLv4.0 it was renamed to be TLSv1.0.

The latest standard version is TLSv1.2.


About the Author

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.

With cloud adoption soaring to a whopping 96% in 2018 according to CIO, it’s no wonder that cloud security is a hot industry topic. In today’s dynamic world, many companies are accelerating their digital transformation by moving data and applications to the cloud, benefiting from scalability and reduced costs at the same time. With cloud becoming an integral part of any enterprise, the questions that many ask include:

How to ensure cloud data security?

Where and how to manage encryption keys in the cloud?

How to ensure your data is securely stored and protected in a multi-cloud environment?

How to ensure vendor independence in a multi-cloud environment?

Hardware Security Modules (HSMs) have been around for a long time and have over the years become synonymous with “security”. Many organizations that host their data and applications on-premise will use HSMs – physical security units that authenticate, generate and store cryptographic material to protect their most valuable assets. The HSM acts as the centralized Root of Trust providing the ultimate level of security that no software can offer. While this is a great option for on-premise scenarios, it becomes complicated if you’re in a multi-cloud environment.

Say you do decide to go with the Key Management Service (KMS) offered by your Cloud Service Provider (CSP), what happens if your environment is a combination of private, public, hybrid or multi-cloud? The important question to ask would be if your CSP’s KMS supports data and applications hosted outside of their own data environment. Every enterprise has a unique cloud environment and getting locked-in with one vendor in the name of data security is probably not the best option. What you want to be looking for is a solution that is CSP-agnostic meaning supportive of various cloud environments so you can make the most of the benefits and services offered by key providers like Google, Azure, and AWS.

Another consideration regarding your CSP’s KMS is the proximity of your valuable data assets and your encryption keys. Is it safer to keep your house key under the doormat or in a locked vault in a secure storage facility? At the end of the day, KMS is nothing more than software which undoubtedly lacks the stringent security protections of a dedicated unit like an HSM. As a best practice, it’s important to separate your encryption keys from your encrypted data assets to minimize the risk of a catastrophic data breach.

We are back where we started. If HSM is the ultimate security solution, then wouldn’t it be ideal to be able to have access to HSM-level security for your cloud applications and workloads without taking on the expense and responsibility of managing your multi-cloud environment HSM? Today, solutions like HSM-as-a-Service or HSM-in-the-Cloud offer the best of both worlds, combining the security of an HSM with the flexibility of a KMS. This might be the solution for you if you’re looking for:

Multi-cloud deployments

Migration flexibility – no CSP and cloud lock-in

Reducing your capex

Innovate in the cloud – place your own firmware and custom code on the HSM

With the right strategy and solution, you can ensure your cloud security is treated like your on-premise security. Get in touch with Utimaco to learn more about CryptoServer Cloud and how you can secure your cloud data without limiting your agility and potential.


About the Author

Anish Bhattacharya is a Consultant at Encryption Consulting, working with PKIs, HSMs, creating Google Cloud applications, and working as a consultant with high-profile clients.