Why certificates expire — and how renewal works

Expiry is not a design flaw, it is the design. What the dates are for, and how to make renewal something you never think about.

Every SSL certificate carries two timestamps: a moment it becomes valid and a moment it stops. The second one causes a remarkable share of the internet’s avoidable outages — sites that worked perfectly on Monday showing full-page warnings on Tuesday because a date passed. It is reasonable to ask: why do certificates expire at all?

Expiry is a security feature

A certificate is a claim — “the holder of this key controls this domain” — that was true when a certificate authority checked it. Claims go stale. Domains change hands, companies dissolve, private keys leak, and cryptographic standards move on. Expiry puts an upper bound on how long a stale or stolen claim can keep working:

This is why lifetimes keep shrinking. Certificates could once last five years; the browser root programmes cut the maximum to two years in 2018, then to 398 days in 2020, and the industry is committed to going much shorter over the coming years. Let’s Encrypt has issued 90-day certificates from the start — a deliberate choice to make automation the only sane option.

How renewal actually works

“Renewal” is a slightly misleading word: you do not extend the old certificate, you obtain a completely new one and swap it in. Either way, the process has the same three steps: prove you control the domain, receive the new certificate, and install it (with its chain) on the server. What differs is who does those steps — you, or software.

The automated route: ACME and Let’s Encrypt

ACME (Automatic Certificate Management Environment, RFC 8555) is a protocol that automates the whole cycle. An ACME client on your server — certbot is the best known, with acme.sh, Caddy and built-in support in many proxies — talks to a CA, proves domain control, fetches the certificate and installs it, on a timer, forever. Proof takes one of two forms:

Let’s Encrypt — a non-profit CA — made this route free, which is why over half the web now runs on it. Its certificates last 90 days, and clients renew from about 30 days before expiry, so a healthy setup renews six times a year without anyone noticing. Google Trust Services, ZeroSSL and others offer free ACME certificates too, and most managed hosts and CDNs (Cloudflare, Netlify, and the rest) run the same machinery for you behind a checkbox.

The manual route: paid CAs

Paid certificates from CAs such as DigiCert, Sectigo or GlobalSign still have their place — organisation and extended validation, warranties, support contracts, and niches like BIMI’s Verified Mark Certificates that genuinely require a paid product. Encryption strength, however, is identical: a free DV certificate protects traffic exactly as well as a paid one.

The real cost of the paid route is operational: if issuance involves a human downloading files from an email link and pasting them into a control panel, renewal depends on that human remembering. Most “our website is showing a security warning” incidents are exactly this — the certificate did what it said on the label, and the calendar reminder failed. Many paid CAs now support ACME as well, which is worth enabling for that reason alone.

When it goes wrong

An expired certificate fails loudly: browsers show NET::ERR_CERT_DATE_INVALID, API clients throw errors, mail delivery breaks. Browsers and clients may warn users or reject secure connections to the domain entirely — and high-profile names (Microsoft Teams in 2020, Spotify, government portals) have all been caught out. The fix is always the same: issue a new certificate, install it with its full chain, and reload the server. Recovery is immediate — certificates have no propagation delay.

Making expiry a non-event

Want the check right now? Run your domain through the SSL checker — the verdict leads with the expiry countdown, and Tech mode shows the validity dates exactly as the certificate states them.