Web Application Security · Updated 2026-05-02

Certificate Validity

Pass requires 30 or more days to expiry. 7 to 29 days gets half credit; under 7 days or already expired fails. Use ACME automation everywhere.

Certificate Validity is the cliff edge of TLS hygiene. An expired cert is a hard outage: every modern browser blocks the page with a full-screen warning (one the user cannot click through on an HSTS host), mobile apps and API clients refuse the connection, and your real users cannot reach you. The check measures days remaining until expiry on each primary HTTPS host's served certificate and scores in three tiers: comfortable margin, renewal window, and immediate problem.

How the check works

RedScore performs a verified TLS handshake to each primary HTTPS host and reads the certificate's notAfter date. Days to expiry maps to points:

  • 30 or more days to expiry: 12/12 pts.
  • 7 or more but fewer than 30 days to expiry: 6/12 pts (renewal window; automate or schedule renewal).
  • Under 7 days, or already expired: 0/12 pts. The host is also flagged as critical_tls in the parent rollup.
  • Days-to-expiry not parseable from the cert: 6/12 pts (conservative fallback).
  • Not HTTPS, or the verified TLS handshake failed (including a chain that does not validate): 0/12 pts.

How the verdict maps to evidence

  • Pass (12/12 per host): cert has 30+ days remaining.
  • Partial (6/12 per host): cert in the renewal window (7 to 29 days), or days-to-expiry could not be parsed.
  • Fail (0/12 per host): cert expired, under 7 days remaining, or no successful verified TLS handshake.

Fix: automate renewal, do not rely on calendar reminders

Manually renewed certs eventually miss a renewal and cause an outage. The fix is an automated issuance pipeline (ACME, or your provider's equivalent) that renews well before the cliff. Standard Let's Encrypt certs are valid for 90 days, and ACME clients such as certbot renew by default once fewer than 30 days remain (around day 60), so a healthy pipeline never drops below this check's pass threshold. Let's Encrypt also publishes ACME Renewal Information (ARI); clients that support it renew earlier when the CA asks them to.

Managed platforms (zero-config)

If your host runs on Vercel, Netlify, Cloudflare Pages, Render, Fly.io, Heroku, App Engine, or similar, certs renew automatically. The usual ways to fail this check on a managed platform are a misconfigured custom domain or DNS that no longer points at the platform; check the platform dashboard for issuance errors.

CDN front door

  • Cloudflare: Universal SSL certs renew automatically. Advanced Certificate Manager (paid) gives you per-cert lifecycle visibility.
  • AWS CloudFront with ACM: ACM certs in us-east-1 attached to CloudFront renew automatically as long as the DNS validation CNAME records remain in place. Watch for a renewal status of PENDING_VALIDATION in the ACM console; that means the renewal is stuck on a missing DNS record. Email-validated ACM certs need a human to respond to the renewal mail, so prefer DNS validation.
  • Fastly, Akamai: managed TLS renews automatically; verify the contract covers it.

Self-hosted with ACME

Use an ACME client with a 90-day issuance cadence and auto-renewal at 30 days remaining. The packaged clients ship with a cron job or systemd timer already configured; verify it is actually running rather than assuming it is.

certbot (nginx, Apache, etc.)

# Initial issuance (the nginx plugin also installs the cert and reloads nginx)
sudo certbot --nginx -d yourdomain.tld -d www.yourdomain.tld

# Renewal is installed by the package as a systemd timer or a cron job.
# Verify it is active:
sudo systemctl list-timers | grep certbot
# or, on Debian/Ubuntu packages, the cron entry lives in /etc/cron.d:
cat /etc/cron.d/certbot

# Dry run against the staging environment to confirm renewal works
# without touching the live cert:
sudo certbot renew --dry-run

# Anything that must happen after a real renewal (reloading a service the
# plugin does not manage) goes in /etc/letsencrypt/renewal-hooks/deploy/

Caddy (zero config)

# Caddy issues and renews automatically. No flags or cron needed.
# Just put the hostname in the Caddyfile:
yourdomain.tld {
    reverse_proxy localhost:8080
}

Traefik

# In traefik.yml or static config:
certificatesResolvers:
  letsencrypt:
    acme:
      email: ops@yourdomain.tld
      storage: /etc/traefik/acme.json
      httpChallenge:
        entryPoint: web

# Renewal is automatic; just attach the resolver to a router.

acme.sh (provider-agnostic)

# Initial issuance against Let's Encrypt. acme.sh defaults to ZeroSSL,
# so name the CA explicitly:
acme.sh --issue --server letsencrypt --domain yourdomain.tld --webroot /var/www/html

# acme.sh installs a daily cron job during initial setup; verify with:
crontab -l | grep acme.sh
# and list issued certs with their next renewal time:
acme.sh --list

Self-hosted commercial CA

If you must use a commercial CA (DigiCert, Sectigo, GlobalSign, etc.), most now offer ACME or REST-API automation. Manual annual renewal is a lifecycle bug waiting to happen; insist on automation in the contract.

Monitoring renewal

Automation can fail silently. Monitor cert expiry independently of the issuance pipeline:

  • Uptime monitoring with cert-expiry alerts: Pingdom, UptimeRobot, Datadog Synthetics, Better Stack all have a TLS-expiry watcher.
  • Self-hosted: Prometheus + blackbox_exporter exposes probe_ssl_earliest_cert_expiry; alert when it drops below your threshold.
  • Email reminders from your CA. Let's Encrypt stopped sending expiry-warning emails in June 2025, so do not count on them; most commercial CAs still send them, but treat any CA email as a backstop, never as the monitor.
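The following is an added example, not RedScore's checker and not code from any of the tools named on this page: a stdlib-only Python script that performs the same verified handshake the check does, parses notAfter, applies the tiers listed under How the check works, and exits non-zero on a fail so cron or CI can turn it into an alert. The host list from the command line, the exit-code convention and the five-second timeout are assumptions.

```python
"""Stand-alone TLS expiry checker (added example; not RedScore's checker
and not part of any ACME client). Stdlib only, so it runs wherever your
cron or CI does and stays independent of the issuance pipeline."""
import socket
import ssl
import sys
import time

# Thresholds follow the tiers described on this page.
PASS_DAYS = 30   # 30+ days remaining: pass
WARN_DAYS = 7    # 7..29 days: renewal window; below 7 or expired: fail

SECONDS_PER_DAY = 86400


def days_to_expiry(not_after, now=None):
    """Whole days from `now` (epoch seconds, default: current time) until the
    notAfter value as getpeercert() reports it, e.g. 'May  2 12:00:00 2026 GMT'.
    Negative means already expired. Returns None when the date is missing or
    unparseable, which the check scores as the conservative 6/12 fallback."""
    if not_after is None:
        return None
    try:
        expiry = ssl.cert_time_to_seconds(not_after)  # parses the GMT format above
    except (ValueError, TypeError):
        return None
    now = time.time() if now is None else now
    return int((expiry - now) // SECONDS_PER_DAY)


def tier(days):
    """Map days remaining to (verdict, points) exactly as the page's tiers do."""
    if days is None:
        return ("partial", 6)   # unparseable date: conservative fallback
    if days >= PASS_DAYS:
        return ("pass", 12)
    if days >= WARN_DAYS:
        return ("partial", 6)   # renewal window
    return ("fail", 0)          # under 7 days or expired


def check_host(host, port=443, timeout=5.0):
    """Verified TLS handshake with SNI set to `host`; returns (verdict, points, days).
    Verification stays on: an expired or untrusted chain raises during the
    handshake and is reported as fail, just as a failed handshake is in the check."""
    ctx = ssl.create_default_context()   # system trust store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                not_after = tls.getpeercert().get("notAfter")
    except OSError:   # ssl.SSLError and socket errors both derive from OSError
        return ("fail", 0, None)
    days = days_to_expiry(not_after)
    verdict, points = tier(days)
    return (verdict, points, days)


if __name__ == "__main__":
    # Assumption: hosts are passed on the command line; exit non-zero on any
    # fail so a cron job or CI step turns it into an alert.
    hosts = sys.argv[1:]
    if not hosts:
        sys.exit("usage: tls_expiry_check.py host [host ...]")
    worst = 0
    for host in hosts:
        verdict, points, days = check_host(host)
        print(f"{host}: {verdict} ({points}/12 pts, {days} days remaining)")
        if verdict == "fail":
            worst = 1
    sys.exit(worst)
```

Run it on a schedule that is separate from the renewal timer and, ideally, from a different machine, so a dead timer or a broken host does not take the monitor down with it. Keep verification on: an unverified context would let you read notAfter from an already expired cert, but it would also hide chain problems that the check, and every browser, treats as a failure.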

Verify the fix

  • openssl s_client -connect yourdomain.tld:443 -servername yourdomain.tld < /dev/null 2>/dev/null | openssl x509 -noout -dates shows the cert's notBefore and notAfter dates.
  • echo | openssl s_client -connect yourdomain.tld:443 -servername yourdomain.tld 2>/dev/null | openssl x509 -noout -checkend 2592000 returns success if the cert has more than 30 days (2592000 seconds) remaining.
  • ssllabs.com/ssltest reports the full cert chain and validity windows.
  • Run your ACME renewal dry-run regularly so you catch broken validation paths before they expire your cert.
  • Re-run the RedScore lookup. Pass requires every primary HTTPS host's cert to have 30+ days remaining.

Common pitfalls

  • Manual renewal on a calendar reminder. Sooner or later, the person on the rotation forgets, leaves the team, or misses the alert. Automate.
  • ACME validation broken. If you serve HTTP-01 challenges from a path your CDN intercepts or redirects, or if DNS-01 challenges depend on a DNS-provider API token that has been rotated, renewal fails quietly at every attempt. Run the client's dry run periodically and watch its logs.
  • Cert renewed on disk but the old cert still served. Reverse proxies, load balancers, and Kubernetes ingress controllers hold the cert in memory; reload or restart after renewal (certbot runs scripts placed in /etc/letsencrypt/renewal-hooks/deploy/ after each successful renewal; Caddy and Traefik pick up their own renewals). cert-manager and similar Kubernetes operators handle this; bare configurations may not.
  • Renewal works but only one host serves the new cert. Multi-host setups (web cluster, multiple ingress nodes) need the renewed cert distributed everywhere. Most ACME-aware orchestrators handle this; manual setups need a sync step.
  • Contact email out of date. CA notices (where the CA still sends them) and your client's own failure mail go to whatever address is on file; if that mailbox no longer exists, you lose the warning. Keep the ACME account contact and any cron MAILTO pointed at a monitored alias.
  • Wildcard cert with one renewal point of failure. A wildcard cert covers many hosts but lives at one issuance point; if the renewal pipeline breaks, every covered host expires together. Have a working backup path (manual issuance to a backup account) for high-stakes wildcards.
