Relying on an email from your SSL provider isn’t enough.
Getting an SSL certificate is the easy part. Maintaining it and making sure it is used correctly takes a little work.
Do you know where your website’s SSL certificate was purchased? Do you know who purchased it? Where the private key, certificate signing request, and public keys are? Who the issuer is or which certificate authority is at the top of the chain? The answer for a lot of people is “No”, and that can be a problem.
Whether you’re using a managed website service or rolling your own websites and services, having an expired or improperly configured certificate and not having answers to those questions is bad.
Here are some things to think about:
Your SSL certificate provider may not tell you when your certificate is going to expire!
Some sellers just stick to selling and issuing certificates, not notifying users when they need to renew. This is especially the case for some resellers that aren’t actually issuing the certificates themselves.
Let’s Encrypt is a great example too. Although you can quickly and easily get a free SSL certificate, it will expire after a relatively short period of time and you won’t get any kind of notification.
Your SSL certificate provider may not be able to reach the right person at the right time!
Even if your provider does try to contact you, there are a lot of ways that it can go wrong.
In our experience, they are most likely messaging the wrong person. If the certificate was purchased by another department or person, those emails could be going nowhere.
Your SSL certificate provider doesn’t know how you are actually using your SSL certificate!
You’ve got a great new SSL certificate and want to make sure it is widely used and your users are safely connecting to your website and services. Whether you’re on a bare domain (sslhound.com), have multiple subdomains (www.sslhound.com and status.sslhound.com), or have a wildcard certificate that covers any number of subdomains (*.sslhound.com), the certificates on all of those endpoints can and will expire.
Your SSL certificate provider just doesn’t know what you’re doing with it, and let’s face it, sometimes things fall through the cracks.
Your SSL certificate provider may issue multiple certificates for the same base domain.
One limitation of SSL certificates is that they do not support double wildcards like “*.*.sslhound.com”: a wildcard covers a single subdomain level. As a result, multiple certificates are sometimes issued and installed for specific subdomain wildcards and SAN entries.
Let’s Encrypt also issues multiple certificates by design. For example, if you inspect the SSL certificates for www.sslhound.com and status.sslhound.com, you’ll see that two different certificates have been issued by the Let’s Encrypt certificate authority.
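As an added example (not SSL Hound’s code or tooling), the checks the points above describe, in Python: whether each hostname is covered by a SAN or wildcard entry, how many days remain before expiry, and how many distinct certificates serve a set of endpoints. It works on the dict shape returned by Python’s ssl.SSLSocket.getpeercert(); the sample certificates, hostnames and the fixed reference time NOW are constructed so the demo runs offline and reproducibly.

```python
# Certificate expiry and hostname-coverage audit on getpeercert()-shaped dicts.
import socket
import ssl
import time
from typing import Optional

def hostname_covered(hostname: str, cert: dict) -> bool:
    """True if a DNS SAN matches; a wildcard covers exactly one label, so
    '*.sslhound.com' covers 'www.sslhound.com' but not 'api.v2.sslhound.com'."""
    host = hostname.lower().split(".")
    for kind, name in cert.get("subjectAltName", ()):
        san = name.lower().split(".")
        if kind != "DNS" or len(san) != len(host):
            continue
        if san == host or (san[0] == "*" and san[1:] == host[1:]):
            return True
    return False

def days_until_expiry(cert: dict, now: Optional[float] = None) -> float:
    expires = ssl.cert_time_to_seconds(cert["notAfter"])  # notAfter -> epoch seconds
    return (expires - (time.time() if now is None else now)) / 86400

def fetch_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live fetch for real use; the default context verifies the chain and raises
    ssl.CertificateError when the name is not covered, instead of returning."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

def audit(hostnames, fetch=fetch_cert, warn_days: int = 14, now: Optional[float] = None):
    """One finding per endpoint, plus the number of distinct certificates seen."""
    findings, serials = [], set()
    for host in hostnames:
        cert = fetch(host)
        serials.add(cert["serialNumber"])  # same serial => same certificate
        left = days_until_expiry(cert, now)
        findings.append({"host": host, "covered": hostname_covered(host, cert),
                         "days_left": round(left, 1), "expiring_soon": left < warn_days})
    return findings, len(serials)

# Constructed sample data (not real issuance records): two certificates, four endpoints.
CERT_A = {"serialNumber": "01", "notAfter": "Jan 10 00:00:00 2030 GMT",
          "subjectAltName": (("DNS", "sslhound.com"), ("DNS", "www.sslhound.com"))}
CERT_B = {"serialNumber": "02", "notAfter": "Mar 01 00:00:00 2030 GMT",
          "subjectAltName": (("DNS", "*.sslhound.com"),)}
SAMPLE_CERTS = {"sslhound.com": CERT_A, "www.sslhound.com": CERT_A,
                "status.sslhound.com": CERT_B, "api.v2.sslhound.com": CERT_B}
NOW = ssl.cert_time_to_seconds("Jan 01 00:00:00 2030 GMT")  # fixed reference time

def demo():
    return audit(SAMPLE_CERTS, fetch=SAMPLE_CERTS.__getitem__, now=NOW)
```

Against live hosts, call audit(["www.sslhound.com", "status.sslhound.com"]) with the default fetch; the two serials coming back different is the "two certificates" situation described above.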
Solving these problems is what led to the creation of SSL Hound. Simply put, using SSL Hound and following our best practices takes a lot of the risk and headache out of running safe and secure websites and services.