We've recently faced issues with missed certificate renewals, and I'm looking to understand how different teams manage TLS and keystore certificate expirations across their environments. What strategies do you all use for tracking? Do you rely on scripts or cron jobs, manual tracking methods like Excel, or do you utilize vendor tools? What approaches have been effective for you, and what have you found painful?
5 Answers
For internal server and client certificates, we mostly automate using Auto Enrollment Group Policy. Public certificates should be automated wherever feasible, either through scripts or third-party tools like Certify The Web or Certkit. Any others typically require manual monitoring and renewal.
We use Zabbix for monitoring our infrastructure, and whenever we deploy new certificates, we integrate monitoring right into the scripts we’ve set up.
Honestly, using ACME along with host-based renewal and rebinding jobs is a solid practice. With certificate validity periods shrinking, it's essential to keep tabs on certificate usage. Rather than solely depending on certificate providers, I recommend generating inventories from your production systems periodically.
We rely heavily on automation. For server EKU certificates, we check them as part of our deployment pipeline and also do environment scans. We ensure that signing certificates are handled in the CI/CD pipeline.
We have a cron job that checks the expiry dates of certificates across our devices. It’s particularly useful for systems that don’t handle ACME or SCEP automation. The script uses LDAP tagging to keep track of which systems to check and the required ports.
Related Questions
Can't Load PhpMyadmin On After Server Update
Redirect www to non-www in Apache Conf
How To Check If Your SSL Cert Is SHA 1
Windows TrackPad Gestures