How to Prevent Security Certificates From Expiring During a Lapse in Operations

1. Gather a list of all of your domains

The easiest way to do this is to:

• Go to https://pulse.cio.gov/https/domains/
• Find your parent domain
• Click on your domain to show all your publicly available sub-domains
• Download the CSV data of your domains
• Open the CSV as a spreadsheet

2. Ask your IT department which domains are auto-renewing

Send them your new spreadsheet and have them mark which domains and sub-domains are auto-renewing.

3. Figure out who is responsible for purchasing security (SSL) certificates in your organization.

You are going to need to reach out to the person/people who usually buys your certificates (someone with purchasing authority). They are usually different from the people who upload your certificates (usually someone in IT).

4. Identify when your SSL certificates will expire

This is fairly easy:

• Go to https://transparencyreport.google.com/https/certificates?hl=en
• Scroll down to “Search certificates by hostname” and enter your parent domain in the search box
• Check both boxes for “Include certificates that have expired” and “Include subdomains” and click the magnifying glass icon on the right side of the search box
• In the results, the “Valid to” column is the date that your certificate expires
• Add this date your new domains spreadsheet

Or you can also ask the person who regularly purchases your SSL certificates. They might keep a log.

5. Renew all upcoming SSL certificates

If the certificate is set to expire in the next three months , make a request to get those certificates renewed now.

🎉

Have Questions?

This overview on certificates from CIO.gov is one of the best resources for people in government who are wanting to learn more about getting SSL certificates right.

Q. Are security certificates and SSL certificates the same thing?

Yep.

Q. What do certificates do exactly?

From CIO.gov —

“Websites use certificates to create an HTTPS connection. When signed by a trusted certificate authority (CA), certificates give confidence to browsers that they are visiting the “real” website.”

Q. Can certificates be set to auto-renew?

Yes, you should talk to your IT department about moving in the direction of auto-renewing certificates.

We generally recommend that any certificate you do purchase be low cost, automatable, short-lived, and published to Certificate Transparency logs. Furthermore, all certificates should be free of the following:

• Domain name mismatch, including Subject Alternative Name (SAN) errors
• Certificate not yet valid
• Certificate expired
• Certificates lasting longer than three years
• Use of a self-signed certificate
• Use of a certificate that is not trusted (unknown CA or some other validation error)
• Use of a revoked certificate
• Insecure certificate signature (MD2 or MD5 or SHA-1 [for new certificates])
• Insecure key

At the GSA, we use a free, open-source option called “Let’s Encrypt”. Once implemented on your server, it auto-renews your certificate every three months. And if you host your government site on cloud.gov, search.gov or federalist.18f.gov, your certificates will automatically renewed.

Related reading:

• Let’s Encrypt Those CNAMES, Shall We?

Still have questions? E-mail us at digitalgov@gsa.gov and we’ll try to get your questions answered.