One situation that seems to happen from time to time is that clients who manage their own SSL certificates find out, one day, that their certificate has expired. Often, they hear about this from someone who tried to buy something on their website and got a big warning message in their web browser. That's the wrong way to find out that something is wrong with your website - from your customers.
With our website hosting, if our clients buy their SSL certificate through us, we then take care of managing the renewal of their SSL certificate for them. They don't have to get involved unless we need them to approve it in the email that they get. That's one big advantage of handing off this task to Webstix.
If you have decided to manage your SSL certificate yourself, then here are some tips to help you do it better:
- Make sure your domain contact information is up to date. Do a "whois" on your domain and see what it shows for the Administrative Contact. Make sure the email address listed there (along with the address) is correct. It's best to set the email address here as a generic email address like email@example.com and then have that forward to someone. Otherwise, if you use someone's email and they leave, then you don't get important notices about your domain name expiring and so forth.
- Make sure the information used to buy the SSL certificate is correct as well. Again, make sure the email address on the account you set up actually goes to someone and make sure that email works. You should get notified at least 30 days before the SSL certificate expires. If that email account isn't right, then you might miss this email and forget to renew it.
- Assign the management of your domain name and SSL certificate to somebody. Make it someone's responsibility to keep track of this information. Put the information in a binder that is looked at regularly and not hidden in some dark corner. Also in that binder, put information like your FTP login, domain name registrar login and so forth. If it's kept in files somewhere, then they could get lost. Better yet - put it in a file somewhere it can be found and print this information out.
- When you renew the SSL, it might be a good idea to renew it for a few years. I'd suggest 2 years. That way, you don't have to mess with it too often, but just often enough that you're keeping this task on your radar. Problems tend to happen when certificates are renewed for 5 years or more. The information to renew it gets lost or people leave.
More Ideas to Better Manage SSL Certificate Renewal
You can go a step beyond what I've listed above and set yourself up for better protection.
- You can buy a domain monitoring service and then set it up to check a secure (SSL) page for a certain word. This kind of service should see an error if the certificate is expired and then you will get notified via email or text message.
- I found this SSL Checker that helps diagnose problems with your certificate.
- Again, you could just have us do it if you are hosting with us. It's worth it.
Sometimes, the process of renewing an SSL certificate can be hairy. You have to upload a certain file to verify ownership. You need a valid CSR file. The certificate needs to be correctly installed. A bunch of things could go wrong - and forgetting to do it has to be at the top of that list. You could be losing sales and trust from your customers - which is hard to get back. If you're serious about your website, you will have systems in place for every possible thing that could go wrong. The worst thing would be to see sales drop for a week and then find out that the SSL certificate was expired. You can't get those sales back.
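The expiry check that a monitoring service performs, as an added example that is not part of the original post or Webstix's own tooling: it makes the same verifying TLS handshake a browser does and flags certificates inside the 30-day notice window mentioned above. The function names, status labels and sample dates are assumptions chosen for illustration.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

WARN_DAYS = 30  # the post's "at least 30 days before" notice window


def days_left(not_after, now):
    """Whole days from `now` until a getpeercert()-style notAfter string."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days  # negative once the certificate has expired


def classify(not_after, now, warn_days=WARN_DAYS):
    """Return 'EXPIRED', 'RENEW_NOW' or 'OK' for one expiry date."""
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "EXPIRED"
    return "RENEW_NOW" if remaining <= warn_days else "OK"


def check_host(host, port=443, timeout=10):
    """Do a verifying TLS handshake, as a browser would, and grade the result."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # Expired, wrong hostname or untrusted chain: what a visitor would see.
        return "INVALID", exc.verify_message
    except OSError as exc:
        return "UNREACHABLE", str(exc)
    return classify(not_after, datetime.now(timezone.utc)), not_after


if __name__ == "__main__":
    hosts = sys.argv[1:]
    if not hosts:
        # Constructed sample dates, graded against a fixed "today" (offline demo).
        today = datetime(2024, 6, 1, tzinfo=timezone.utc)
        for sample in ("May 31 23:59:59 2024 GMT", "Jun 21 12:00:00 2024 GMT"):
            print(sample, "->", classify(sample, today))
    results = [(h, *check_host(h)) for h in hosts]
    for host, status, detail in results:
        print(f"{host}: {status} ({detail})")
    # Non-zero exit lets cron or a monitoring wrapper send the alert.
    sys.exit(1 if any(status != "OK" for _, status, _ in results) else 0)
```

Run it from a daily scheduled job with your hostnames as arguments; the non-zero exit status is the hook for sending the email or text message.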