Hey everyone! I'm looking to gather insights on how different teams manage expirations for various time-sensitive assets, such as TLS certificates, API keys, licenses, and contracts. Although it seems straightforward in theory, I've encountered serious issues in practice, like outages and last-minute panic due to expired items that went unnoticed.
During my time in DevOps and SRE roles, I've noticed some common pitfalls, including ineffective use of spreadsheets, neglected shared calendars, ignored reminder emails, and lack of clear ownership.
So, I want to ask: How do you manage this in your organization? Some specific things I'm curious about include:
- Where do you keep expiration information? Code, CMDB, a wiki, a spreadsheet, or somewhere else?
- Do you track ownership explicitly, or is it more implicit?
- How far in advance do you send alerts about upcoming expirations?
- Is expiration management tied into your incident response or ticketing system?
- And what common issues have you simply learned to live with?
Additionally, how does this scale when dealing with multiple teams, cloud providers, or compliance audits? If you've faced any failures due to expirations, I'd love to hear your stories and how you adjusted your processes afterwards.
For context, I'm a DevOps engineer who, after facing these challenges, developed a small tool to aid in managing expiration lifecycles. I'm keen to learn from your experiences!
5 Answers
For our Azure environment, I wrote a Powershell script that checks for expiring certs and secrets, sending out warning emails well in advance. It ensures that the app owners stay informed and allows our ops team to manage potential issues effectively.
One approach we took is to minimize the expiration time so there's less room for human error, which made us focus more on automation.
Yeah, I tried that too! But some licenses still end up expiring based on "business days and human approvals", which can complicate things.
Honestly, if you’re in 2026 and you miss a domain registration or TLS cert expiration, you really didn’t take advantage of automation. Today, that stuff should be set to run automatically.
I agree automation helps a great deal, but not all environments are fully modernized, especially when dealing with legacy systems that don’t allow for easy automation.
We’ve switched to managing expirations more closely with the actual assets, avoiding spreadsheets altogether. Using tools like Verdent has been useful for tracking ownership and expiration dates.
What exactly is Verdent? I haven't heard of that before.
In our setup, we utilize a module in our CMDB that automatically scans for certs and sends alerts 30 days before any expiration. We're also in the process of building a Certificate Lifecycle Management program that includes self-service and automation options.
That's interesting! We followed a similar path – starting with cert scanning and ownership tied to applications, but eventually, it became essential to have an all-encompassing inventory system for everything with an expiration.
That sounds like a solid setup! Can you share that script? It could really help in similar situations I’m facing.