Certificate Lifecycle
Best practices for managing certificates from request to renewal to revocation.
Phases
1. Request
Generate the private key securely, then create a CSR with the correct subject information and every required SAN.
2. Issue
Submit the CSR to a CA and complete validation. Receive the signed certificate.
3. Install
Install the certificate on your server with the corresponding private key. Configure your web server to use it.
4. Monitor
Continuously monitor certificate expiration dates, OCSP status, and configuration.
5. Renew
Renew certificates well before they expire (typically 30-60 days ahead). Automate renewal whenever possible.
6. Revoke
Revoke a certificate if its private key is compromised or lost, or if the certificate is no longer needed.
Checklists
Before go-live
- Verify certificate is installed correctly
- Test TLS handshake and cipher suite negotiation
- Check certificate chain is complete
- Verify SANs include all required domains
- Test OCSP stapling (if enabled)
- Run an SSL Labs test and achieve an A or A+ rating
Monthly checks
- Review certificate expiration dates
- Check for certificate warnings in logs
- Verify OCSP responder is accessible
- Review TLS configuration for any changes
60 days before expiry
- Generate new CSR if needed
- Submit renewal request to CA
- Test new certificate in staging
- Plan deployment window for certificate update
- Set up automated renewal if not already configured
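The monthly expiry review and the SAN check from the checklists above, as an added example that is not part of this page. It works on the dictionary shape returned by Python's `ssl` module `getpeercert()`, uses a constructed sample certificate and a hypothetical required-host list, and flags the two classic mistakes from the table below: relying on the CN alone and assuming a wildcard covers more than one label.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_WINDOW_DAYS = 60   # start renewal here, as in the "60 days before expiry" checklist
CRITICAL_DAYS = 30       # lower bound of the page's 30-60 day renewal window

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert() (not a real cert)
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "notAfter": "Jun 15 12:00:00 2026 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.api.example.com")),
}
# Hypothetical list of hostnames this deployment must serve
REQUIRED_HOSTS = ["www.example.com", "example.com",
                  "v1.api.example.com", "a.b.api.example.com"]

def san_matches(san: str, hostname: str) -> bool:
    """Match one DNS SAN against a hostname; a wildcard covers exactly one leftmost label."""
    san, hostname = san.lower(), hostname.lower()
    if san.startswith("*."):
        suffix = san[1:]                                   # ".api.example.com"
        label = hostname[:-len(suffix)] if hostname.endswith(suffix) else ""
        return bool(label) and "." not in label
    return san == hostname

def days_until_expiry(cert: dict, now: datetime) -> int:
    """Whole days from `now` until notAfter (negative once the certificate has expired)."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).days

def assess(cert: dict, required_hosts: list, now: datetime) -> dict:
    """Expiry status plus every required host that no DNS SAN covers (the CN alone does not count)."""
    days = days_until_expiry(cert, now)
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    uncovered = [h for h in required_hosts if not any(san_matches(s, h) for s in sans)]
    if days < 0:
        status = "EXPIRED"
    elif days <= CRITICAL_DAYS:
        status = "CRITICAL"
    elif days <= RENEW_WINDOW_DAYS:
        status = "RENEW"
    else:
        status = "OK"
    return {"days_left": days, "status": status, "uncovered_hosts": uncovered}

def fetch_cert(host: str, port: int = 443) -> dict:
    """Live variant: fetch the leaf certificate a server presents (not used by the offline sample)."""
    ctx = ssl.create_default_context()
    with ctx.wrap_socket(socket.create_connection((host, port), timeout=5), server_hostname=host) as s:
        return s.getpeercert()

if __name__ == "__main__":
    print(assess(SAMPLE_CERT, REQUIRED_HOSTS, datetime.now(timezone.utc)))
```

Feed `assess()` the result of `fetch_cert()` from a scheduled job and alert on any status other than `OK` or any non-empty `uncovered_hosts`.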
Best Practices & Common Mistakes
| Activity | Best Practice | Common Mistakes |
|---|---|---|
| Key Generation | Use RSA 2048+ or ECDSA P-256+, generate on the server | Using weak key sizes, sharing private keys |
| CSR Creation | Include all domains in SANs, verify before submission | Only using CN, forgetting wildcards |
| Installation | Test in staging first, verify chain completeness | Missing intermediate certificates |
| Renewal | Automate renewal, renew 30-60 days early | Waiting until last minute, manual renewal |
| Monitoring | Set up alerts, use monitoring tools | No monitoring, relying on memory |