DEV Community

Cover image for Your Servers Have Passports. Are They Expiring Without You Knowing?
Olawale Afuye
Olawale Afuye

Posted on

Your Servers Have Passports. Are They Expiring Without You Knowing?

#security #webdev #backend #devops

Picture this: it's 2 AM. Your on-call phone explodes. Your payments API is down. Users are screaming. The infra team is deep in logs trying to figure out what broke — firewall rules, a bad deploy, infrastructure drift?

Turns out your TLS certificate expired six hours ago and nobody noticed.

That's not a hypothetical. It's a recurring nightmare for engineering teams all over the world. And with the industry aggressively shrinking certificate lifespans — down to 47 days by 2029 — it's about to get a lot worse for teams that aren't paying attention.

This post is your primer. We'll cover what digital certificates actually are, why they matter more than most developers realise, what "machine identity sprawl" is, and how to stop treating cert management as an afterthought.

First: What Even Is a Digital Certificate?

Here's the simplest mental model.

Certificates are passports for machines, not people.

When your browser connects to https://api.yourbank.com, it needs to answer a critical question before sending any data: "Is this actually the server I think it is, or could someone be intercepting this connection?" A digital certificate is the server's answer. It says:

"Here is my name, here is my public key, and here is the signature of a trusted authority that vouches for both."

Technically, a certificate bundles:

  • The server's hostname (what it claims to be)
  • The server's public key (used to establish encrypted communication)
  • A digital signature from a Certificate Authority (CA) — a trusted third party that vouches for the binding of that name to that key

Think of the CA as the government that issued the passport. You don't personally know the bearer, but you trust the issuing authority enough to accept the document.

The Three Pillars This Enables

Once a valid certificate is established, it unlocks three critical security guarantees:

Pillar What It Means
Authentication You're talking to the real server, not an impersonator
Confidentiality Your data is encrypted in transit and only the server with the matching private key can read it
Integrity The data hasn't been modified between sender and receiver

Remove any one of these, and your "secure" connection is theatre.

The Man-in-the-Middle Threat (And Why Certs Stop It)

Here's the attack that certificates are specifically designed to prevent.

An attacker positions themselves between your user and your server. They intercept the request, pretend to be your server to the user, and pretend to be the user to your server. All traffic flows through them. They can read everything, modify anything, and neither side is any wiser.

Without cert validation:
User ──── ATTACKER ──── Your Server
            ↑
        intercepts and relays everything

With cert validation:
User ──[checks cert]──✓──── Your Server
     Attacker can't forge the CA's signature
Enter fullscreen mode Exit fullscreen mode

Without a valid certificate — one signed by a CA the browser trusts — the attacker cannot present a credential that passes verification. The browser (or client) catches it. The connection is rejected.

But here's the thing: if your certificate expires, the browser treats it exactly the same as a forged one. Because from the browser's perspective, it is just as untrustworthy. Which brings us to the real problem.

The Problem: Machine Identity Sprawl

Ten years ago, you might have had a handful of certificates to manage. One for your main domain, maybe one for your API subdomain.

That era is gone.

Modern enterprises run:

  • Web servers and subdomains
  • REST and gRPC APIs
  • Microservices talking to each other over mTLS
  • Load balancers and reverse proxies
  • IoT devices and edge nodes
  • Internal tooling: CI/CD pipelines, Kubernetes clusters, internal dashboards
  • Third-party integrations, SaaS connectors, partner APIs

Each of these can have one or more certificates. A mid-sized engineering organisation can easily have hundreds or thousands of active certificates across its infrastructure.

This is machine identity sprawl: the explosion of machine-level credentials distributed across systems, teams, clouds, and environments — most of which were issued, forgotten, and are now quietly ticking toward expiry on nobody's radar.

The dangerous part isn't complexity. It's invisibility. Nobody sends you a calendar invite for cert expiry. There's no build failure. No test suite catches it. You find out when the production API starts returning connection errors at scale, usually at the worst possible time.

SSL vs TLS: A Quick Clarification

You'll hear "SSL certificate" constantly — in documentation, in vendor dashboards, in job descriptions. It's worth being precise here.

SSL (Secure Sockets Layer) is the original protocol. It's been deprecated. SSL 2.0 and 3.0 both have known, exploitable vulnerabilities and should not be used.

TLS (Transport Layer Security) is the current standard. TLS 1.2 and TLS 1.3 are what you want. TLS 1.3 (released 2018) cut unnecessary handshake round-trips, removed weak cipher suites, and is meaningfully faster and more secure.

The certificates themselves haven't fundamentally changed in shape — they still use the same X.509 format. But when someone says "SSL certificate" today, they mean a certificate used for TLS. The name is a legacy holdover that stuck.

If you're configuring a new server and you see options for SSL 2.0, SSL 3.0, or TLS 1.0/1.1 — disable them. All of them.

Why Shorter Lifespans Are Actually a Good Thing (Even If They're Painful)

Here's the uncomfortable trade-off the industry is making.

Certificate lifespans have been shrinking aggressively:

  • 2015: Up to 5 years
  • 2018: 2 years max
  • 2020: 1 year max (13 months)
  • 2029 target: 47 days

This feels like a headache being manufactured by the CA/Browser Forum. But the reasoning is sound.

If an attacker compromises your server's private key, they can impersonate your server until that certificate expires or is manually revoked. A certificate valid for 2 years gives an attacker a 2-year window to exploit a compromised credential — assuming you even detect the compromise.

Short lifespans shrink that window dramatically. A 47-day certificate means even a successful key compromise has a limited blast radius before the certificate naturally rotates out of existence.

It also forces cryptographic hygiene. Every renewal is an opportunity to use stronger key sizes, updated cipher suites, and current security standards. Organisations with 2-year certs can sit on weak configurations for years without touching them.

The catch, of course, is that a 47-day lifespan makes manual renewal not just inconvenient — it makes it mathematically impossible at enterprise scale. You cannot have a human manually renewing hundreds of certificates every six weeks. The industry is forcing automation, and it's the right call.

The Certificate Lifecycle: What You Need to Manage

Treating cert management as "buy, install, forget" is how you end up in the 2 AM outage. A proper lifecycle has four stages:

1. Discovery

You cannot manage what you cannot see.

The first step is finding every certificate across your entire infrastructure — including the ones that were issued years ago by a developer who has since left, deployed on a server that isn't in your main dashboard, and which nobody has touched since.

Automated discovery tools scan your network, check endpoints, and build a full inventory. This is often the most surprising step. Teams consistently find dozens of "unknown" certificates when they first run a discovery scan.

2. Issue & Deploy

Automate the issuance and deployment pipeline entirely. Tools like Let's Encrypt (with Certbot), HashiCorp Vault, or enterprise platforms like Venafi and AppViewX can handle this end to end.

A good setup issues the certificate, deploys it to the right server or load balancer, triggers a reload (without downtime), and logs the event — all without human intervention.

# Example: Certbot automatic renewal via cron
0 0,12 * * * root certbot renew --quiet --post-hook "systemctl reload nginx"
Enter fullscreen mode Exit fullscreen mode

For internal services or mTLS between microservices, a private CA (like Vault's PKI secrets engine) handles issuance internally without going through public CAs.

3. Monitor

Every certificate in your fleet should have active monitoring on:

  • Expiry date — alerts at 30 days, 14 days, 7 days out
  • Validity — is the cert still being served correctly?
  • Chain integrity — is the full trust chain intact?
  • Coverage — are all subdomains and SANs still accurate?

This is your early warning system. If your automation pipeline breaks, monitoring catches it before users do.

4. Rotate & Revoke

Certificates need to be replaced on schedule (rotation) and immediately if a compromise is suspected (revocation).

Revocation is important and under-implemented. If a private key is exposed — through a breach, a misconfigured server, a leaked secrets file in a public repo — the certificate must be revoked immediately through the CA. A revoked certificate tells clients: "Do not trust this, regardless of the expiry date."

The failure mode when certificates are not retired is subtle but serious: old certificates associated with deprecated services, decommissioned servers, or former employees' infrastructure can become silent attack surfaces. If the private key still exists somewhere and the certificate hasn't been revoked, it's a live credential that nobody is watching.

Why "Cryptographic Hygiene" Is Bigger Than Just Certs

Certificates are the most visible part of your cryptographic surface, but they're not the whole picture.

A genuine cryptographic hygiene audit also looks at:

  • Key sizes: RSA 2048-bit is a current minimum. RSA 4096 or ECDSA P-256/P-384 are preferred.
  • Cipher suites: Weak or deprecated ciphers (RC4, DES, 3DES) should be disabled even if your server technically supports them.
  • Library versions: OpenSSL, BoringSSL, and similar libraries have their own vulnerability histories. Are you running patched versions?
  • Protocol versions: TLS 1.0 and 1.1 are deprecated. Are they still enabled on any of your services?
  • Post-quantum readiness: NIST standardised its first quantum-resistant algorithms in 2024. Forward-thinking teams are beginning to inventory what a migration path looks like, even if it's years away.

Certificates are the fire you can see. These are the smoldering ones.

What Does Automation Actually Change?

Here's the honest answer: automation doesn't eliminate security risk. It eliminates the specific, unnecessary, entirely preventable risk that comes from human forgetfulness at scale.

Automated certificate management means:

  • Renewals happen on schedule, not when someone checks a spreadsheet
  • Deployment is consistent, not dependent on which engineer is available that weekend
  • Expiry monitoring doesn't rely on someone reading an email from six months ago
  • Rotation is a routine event, not an emergency

What automation doesn't do is protect you from a compromised CA, a misconfigured deployment script, or a zero-day in your TLS implementation. Those require different controls. But the "two-year-cert-in-a-forgotten-spreadsheet" class of incident? That's fully solvable, right now, with the tooling that exists today.

Quick Reference: The Toolkit

Need Open Source Option Enterprise Option
Public cert issuance Let's Encrypt + Certbot DigiCert, Sectigo
Internal / private CA HashiCorp Vault PKI Venafi, AppViewX
Discovery & inventory ssl-cert-check, Shodan Keyfactor, Sectigo SCM
Monitoring Prometheus + custom exporter Datadog, New Relic
mTLS between services cert-manager (K8s) Istio, Linkerd

The Bottom Line

Certificates are infrastructure. Not a one-time setup task. Not a DevOps checklist item. Infrastructure — like your database, your load balancer, your secrets manager. It requires the same treatment: automation, monitoring, documented runbooks, and ownership.

By 2029, the industry will not give you a choice. 47-day certificates make manual management impossible by design. The teams that start treating certificate lifecycle as a first-class engineering concern today will have the tooling and culture in place before the deadline. The teams that don't will be having a lot of 2 AM conversations.

Your servers have passports. Make sure they're not expiring in a drawer somewhere.

Found this useful? Drop a comment below with how your team currently handles cert management — spreadsheet, automation, or "we'll figure it out when it breaks." No judgment. Mostly judgment.

Top comments (0)