TL;DR: SSL certificates secure your website’s connection, but managing them can be tricky. Domains also have expiry dates that require attention. This post breaks down key concepts around SSL and domain expiry, common pitfalls, and best practices to keep your web services secure and accessible.
1. What Is an SSL Certificate and Why Does It Matter?
SSL (Secure Sockets Layer) certificates encrypt data exchanged between browsers and servers, preventing eavesdropping and tampering. Without a valid SSL certificate, browsers will warn users that your site is insecure.
Key point: Certificates have a validity period (often 90 days for Let’s Encrypt, or 1 year+ for paid certs), and must be renewed before expiry to avoid downtime.
2. Domain Expiry — The Often Overlooked Deadline
Your domain name (for instance: mydomain.dk) registration also has an expiry date, independent from SSL certificates. If the domain expires, your entire website becomes unreachable, no matter how valid your certificates are.
Domains are usually registered for 1 year but can be extended longer. Keep track of renewal dates to avoid service interruptions.
3. Why Do Multiple SSL Expiry Dates Appear for One Domain?
You might see several SSL certificates with different expiry dates for the same domain. This is normal due to:
- Certificate rotation: New certs issued before old ones expire to allow seamless transition.
- Multiple servers or load balancers: Each may have its own cert.
- Different certs for subdomains or services: Email, APIs, and main site might use separate certs.
Your browser only sees the certificate presented by the server it connects to.
4. Common Issues & Troubleshooting
- Old cert still served: Sometimes servers or load balancers aren’t updated properly, causing expired certs to still be presented.
- Mismatch between domain and cert: If the cert does not cover the requested domain or subdomain, you’ll get warnings.
- Domain expiry unnoticed: Even with valid SSL, an expired domain means no access.
Practical Example
A customer reported login issues due to an expired SSL cert dated 19/7, but automated checks showed a cert expiring 10/8. This often means some servers or proxies still serve the old cert. Fixing requires verifying cert deployment across all servers and proxies.
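One way to run that verification is sketched below. It is an added example, not code from the original post: it probes every address behind a hostname separately and reports the ones whose certificate is expired or older than the newest one in the fleet. The function names, the 192.0.2.x addresses and the year in the sample data are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone


def probe(ip, hostname, port=443, timeout=5.0):
    """Handshake with one specific IP, sending `hostname` as SNI.
    Returns (not_after, error). Verification stays on, so an expired
    certificate comes back as an error string rather than a date."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                ts = ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"])
                return datetime.fromtimestamp(ts, timezone.utc), None
    except ssl.SSLCertVerificationError as exc:
        return None, exc.verify_message
    except OSError as exc:
        return None, str(exc)


def find_stale(results):
    """results maps endpoint -> (not_after or None, error or None).
    An endpoint is stale if its handshake failed or its certificate
    expires earlier than the newest certificate seen on any endpoint."""
    dates = [d for d, _ in results.values() if d is not None]
    newest = max(dates) if dates else None
    stale = {}
    for endpoint, (not_after, error) in results.items():
        if error is not None:
            stale[endpoint] = error
        elif not_after < newest:
            stale[endpoint] = f"older cert, expires {not_after:%Y-%m-%d}"
    return stale


def check_host(hostname, port=443):
    """Probe every address the hostname resolves to (needs network access)."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    ips = sorted({info[4][0] for info in infos})
    return find_stale({ip: probe(ip, hostname, port) for ip in ips})


# Constructed sample mirroring the case above: one node still serves the
# expired certificate, the others already have the renewed one (10/8).
SAMPLE = {
    "192.0.2.10": (datetime(2025, 8, 10, tzinfo=timezone.utc), None),
    "192.0.2.11": (None, "certificate has expired"),
    "192.0.2.12": (datetime(2025, 8, 10, tzinfo=timezone.utc), None),
}
```

DNS only reveals the public addresses; backends that sit behind a load balancer or proxy have to be listed by hand and passed to `probe` directly.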
Best Practices
- Automate SSL certificate renewal with tools like Certbot.
- Monitor both SSL expiry and domain registration dates with scripts or services.
- Ensure all servers, proxies, and CDNs are updated with the newest certificates.
- Use multi-factor alerts for domain expiry to avoid service loss.