Keeping an eye on your certificates 

In the effort to keep every component of the systems running smoothly and securely, it is quite easy to overlook one critical element: SSL Certificates. Yet, neglecting them can lead to annoying interruptions and unexpected behaviors. Picture this – during important work-related activities that last over a few days, the service suddenly becomes unreachable, and the culprit turns out to be an expired certificate. A problem that could have been avoided days before with proper attention. 

Managing SSL certificates is not just about keeping track of expiration dates. Renewing one can be deceptively tricky because of the variety of file formats, such as crt, cer, p7b, p12 etc. A renewal does not always deliver every format you need, so the missing ones must be created manually by someone, which requires the private key, the public certificates and so on.

Certificates are a silent source of frustration until they cause issues. One common problem is forgetting to renew them before the expiration date, which leaves a service suddenly unavailable. Even when the renewal is on time, updating a certificate can be confusing, as it often involves navigating different file formats and compatibility requirements: it is not possible to install a .crt everywhere and call it a day. Installation can also be tricky because it is not done very often, which can result in misconfigured certificates that fail to work as intended. Some services might not even start if it is not done correctly.

SSL certificates are essential to encrypt sensitive data. Verifying website authenticity and building user trust is a must for productive environments. Without SSL, any information exchanged between client and service provider, such as passwords and bank details, is sent in plain text, which makes it an easy target for cybercriminals. Furthermore, most browsers have started to actively warn users about HTTP connections, which can lead to customer loss and damage to the brand's reputation.

SSL certificates, issued by trusted Certificate Authorities (CAs) like DigiCert, add a critical layer of validation, ensuring that websites are secure and legitimate. These certificates confirm that the website is owned and operated by the entity it claims to represent, reducing the risk of phishing attacks and fraud. Beyond that, HTTPS not only secures data but also improves search engine rankings and performance through support of modern protocols like HTTP/2. SSL certificates are no longer optional – they are a critical necessity for productive environments.

Of course, this does not mean that all services must run on paid, trusted certificates. For services that sit inside the company network, like development and quality assurance systems for internal testing, self-signed certificates are acceptable: a trust chain is unnecessary there, since such systems often do not involve sensitive data. Self-signed certificates are created locally without any third-party authentication and are cost-free, but they come with significant drawbacks for productive environments: they lack trust, are vulnerable to attacks and are non-compliant with industry standards. In conclusion, while self-signed certificates may be a convenient and cost-effective option, they are not suitable for public-facing services.

One of the most common challenges with SSL certificates is losing track of their expiry date. Certificates currently expire every 13 months (397 days), but this might change soon. In March 2023, during the Certificate Authority/Browser Forum, Google announced that the SSL certificate maximum validity period should be changed from 398 days to 90 days. This shift is set to revolutionize digital certificate management, and it is crucial for enterprises to start preparing now. The primary motivation behind this idea is to improve security. As the lifespan of a certificate becomes shorter, it needs to be renewed more frequently, ensuring that encryption standards remain up to date.

A typical reason for service disruption is an expired certificate. Most SSL providers allow a certificate to be renewed 30 days before the actual expiration date, so it can be replaced well in advance. Of course, not everyone can remember that they need to update it next year on that day at that time. Some SSL providers send an email reminder when expiry is near, but it happens only once, at a specific time, and who knows how full the inbox will be or how busy the day looks.

In our best practices, we have found that SAP Cloud ALM provides a good middle ground for monitoring certificates. Not only can it automatically inform you via Teams or email, but it can also be set to notify multiple times. For example, it notifies 45 days before, then 30 days, 15 days and so on. In our experience, this ensures that the certificate is updated on time and that there are no service disruptions.
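The staged-reminder idea can be reproduced in a few lines of Python for hosts that are not covered by a monitoring product. This is an added example, not SAP Cloud ALM's mechanism or code from the original post; the stages after 15 days and all function names are assumptions.

```python
from __future__ import annotations
import socket
import ssl
from datetime import datetime, timezone

# 45/30/15 come from the text; 7, 1 and 0 (last day or already expired) are assumed.
STAGES = (45, 30, 15, 7, 1, 0)

def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Return the served certificate's notAfter, e.g. 'Jan  5 09:34:43 2025 GMT'.
    An already expired or untrusted certificate raises
    ssl.SSLCertVerificationError, which a monitor should treat as an alert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def days_left(not_after: str, now: datetime) -> int:
    """Whole days until expiry (floored); negative once the certificate has expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days

def due_stage(remaining: int, already_sent: set[int]) -> int | None:
    """Tightest stage reached that has not been notified yet, else None.
    A skipped run is caught up: at 26 days the 30-day reminder is still sent."""
    reached = [s for s in STAGES if remaining <= s]
    if not reached:
        return None
    stage = min(reached)
    return None if stage in already_sent else stage

if __name__ == "__main__":
    sample = "Jan  5 09:34:43 2025 GMT"  # constructed notAfter value, not a real host
    sent: set[int] = set()
    # Simulated daily runs on a few constructed dates.
    for now in (datetime(2024, 11, 1, tzinfo=timezone.utc),
                datetime(2024, 12, 1, tzinfo=timezone.utc),
                datetime(2024, 12, 10, tzinfo=timezone.utc),
                datetime(2025, 1, 6, tzinfo=timezone.utc)):
        remaining = days_left(sample, now)
        stage = due_stage(remaining, sent)
        if stage is not None:
            sent.add(stage)
            print(f"{now:%Y-%m-%d}: {remaining} days left, send stage-{stage} reminder")
```

In a scheduled job, `fetch_not_after` supplies the date for each monitored host, and the set of stages already sent has to be persisted between runs.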

Our alm360 advanced package provides proactive management and notifications of expiring SSL certificates to avoid unexpected disruptions. To read about our advanced and basic alm360 operations packages, visit this Blog Post.

In conclusion, SSL certificates are essential for securing data, building trust, and preventing outages in productive environments. They are quickly and easily overlooked if not dealt with in time. While self-signed certificates may be suitable for internal use, trusted, CA-issued certificates are critical for production services. To manage SSL certificates efficiently and keep your systems secure, explore our alm360 Advanced Package for proactive management and notifications.


Marko Laius

Marko works as an ALM Technology Expert and has extensive knowledge in the use of SAP Solution Manager with a focus on technical monitoring. He has experience in the area of SAP Basis and has also familiarized himself with test automation.

© blueworksgroup 2024. All rights reserved.

blue.works® and alm360® are registered trademarks in the European Union and Switzerland.
SAP is a registered trademark of SAP SE.