How to respond to an SSL expiration alert

An SSL/TLS expiration reminder is good news disguised as a warning: it gives you time to renew before customers ever see a browser error. Treat it as a scheduled task and work through these steps in order.

Response steps

  1. Read the reminder and the date

    Note which domain or hostname is affected and how soon the current certificate is due to expire.

  2. Identify the renewal path

    Determine whether the certificate renews automatically, through your host or platform, or through a certificate issuer you manage.

  3. Confirm or trigger renewal

    If renewal is automated, confirm it actually succeeded. If it is manual, start the renewal or reissue with the responsible party.

  4. Verify the live certificate

    After renewal, load the site and confirm it presents the new certificate with no warning and a later expiration date.

  5. Record ownership

    Note who owns renewal and the new expiration so the next reminder has a clear destination.

Why timing is everything

A certificate fails closed: the moment it expires, browsers stop trusting the site and show a full-page warning that most visitors will not click past. Unlike a slow page, there is no partial degradation - it works, and then it does not. That is why an advance reminder is so valuable. It moves the work into a calm window where you can renew, test, and confirm rather than scrambling after customers report the warning.

Automated renewal handles most cases, but it is not infallible: validation can fail, a contact email can bounce, or a manually issued certificate can be forgotten. A reminder is your backstop against a silent automation failure.

The ideal response is boring:

QuestionGood answer
Who owns renewal?Named host, platform, issuer account owner, or internal contact.
How does renewal happen?Automatic platform renewal or manual reissue path is documented.
How is success checked?Live site certificate date is reviewed after renewal.
Who gets future reminders?Owner and backup both receive the notification.

If you cannot answer one of those questions, use the current reminder to close that gap before the deadline.

Why automated renewal still fails sometimes

Many sites rely on short-lived certificates that renew automatically, and most of the time that works well. But automation depends on conditions that quietly drift over time, and a reminder is what catches the cases where it lapses:

  • Validation can break - if the renewal process can no longer reach a required file or DNS record, the new certificate is never issued.
  • The notification email can bounce - renewal warnings sent to an old or unmonitored mailbox go unseen.
  • A manual certificate slips through - one service on a subdomain may use a hand-issued certificate that nobody is tracking.
  • A platform change - switching host or CDN can move responsibility for renewal without anyone noticing.

An independent reminder does not assume the automation worked; it simply tells you the expiration date is approaching so a person can confirm the live certificate is current.

Verify the fix, do not assume it

After any renewal - automated or manual - take ten seconds to load the site in a browser and check the certificate details. Confirm the expiration date moved forward and that there is no warning. This single habit catches the rare case where a renewal appeared to succeed but the live site is still serving the old certificate.

For customer-facing sites, also check the exact hostname customers use. A certificate can be valid for example.com while www.example.com, a booking subdomain, or a checkout subdomain still presents the old certificate. Record the hostnames that matter in your renewal notes so the next reminder does not require rediscovery.

When to contact your issuer or host

  • Contact your certificate issuer when a manually managed certificate needs renewal or reissue.
  • Contact your host or platform when renewal is automated for you and appears to have failed.
  • If the domain itself is also near expiry, handle that first - a valid certificate on a lapsed domain still goes offline. See the domain expiration checklist.

Monitoring detects the approaching expiration and reminds the right person; the issuer or host performs the renewal.

If you are unsure who owns the certificate, the reminder is a good prompt to find out before the deadline rather than during an outage. Trace it once: note whether the certificate comes from your hosting platform, a CDN in front of the site, or a certificate you obtained directly, and write that down next to the renewal owner. With that recorded, every future reminder has an obvious destination and the renewal becomes a short, routine task.

Keep certificates monitored

ostr.io WebSec monitors SSL/TLS certificate signals and sends expiration reminders, presented as free for users on all plans.

Monitor certificates on ostr.io

Related: SSL/TLS monitoring · Domain expiration monitoring · Alerts

domain-protection.info is an official monitoring information property by ostr.io.