“Warning: Potential security risk ahead.” Learn everything about the costly consequences of a simple oversight that could take your company into a breach of disaster. Discover how to keep your data safe and never miss a PKI certificate expiration date again

81%. This is the percentage of organizations that experienced multiple outages due to ‘security certificate expired’ issues from 2020 to 2022, according to recent research from the Ponemon Institute.

Every day, millions of security certificates expire. The majority are renewed on time, so, typically, no one notices it. However, from time to time, one certificate slips through the cracks and that’s when the problems start. One recent example was the 11-hour outage of Megaphone in June 2022 that was caused by Spotify forgetting to renew its SSL/TLS certificate. Other examples of similar incidents involving expired certificates include LinkedIn, Microsoft Exchange Admin portal, and Teams.

Do you want to be one of those businesses that manage their security certificates like pros? Discover what an expired certificate can mean for you, your users, and your customers. Get ahead of the problem — know the risks and learn how to prevent them in the first place.

What Does ‘Security Certificate Expired’ Mean?

Security certificates are a bit like butterflies: they’re great, but they have relatively short lifespans. This is because every digital certificate is assigned an expiration date. Depending on the certificate, the validity period can vary:

Once their validity period gets to an end and you forget to renew them, that’s when you and your customers will see the ‘security certificate expired’ message. Because, unlike your Netflix subscription, security certificates don’t auto-renew themselves.

Graphic for the article "What Does 'Security Certificate Expired' Mean?" A screenshot of the Firefox warning message "Warning: Potential Security Risk Ahead"
Image source: badssl.com. The screenshot shows an example of a typical warning message a customer using the Firefox browser would visualize when your website has an SSL/TLS expired certificate. 

But why are certificates issued with expiration dates? Why can’t we have certificates with a longer life span or that last forever? That would be great, right? Not really. Sure, not having to worry about expiring certificates would be convenient, but your security will pay the price. Why?

  • Each certificate’s validity period is based on the recommendations made by the CA/Browser Forum (the industry’s governing body) to protect users’ and customers’ information.
  • Secondly, while strong encryption (certificates are based on that) can last for a long time without being breached, other key parts of the certificate might not have such a long life.

Let’s consider the SSL/TLS certificate as an example. This type of digital certificate enables every customer or user going to your website to verify the identity of the organization behind it, thus confirming that the website is legit and safe. How? By viewing some specific details included in the certificate like the information about the certificate authority (CA) who issued it, and about your organization that it was issued to.

A screenshot of the PKI certificate information for the SSL/TLS certificate for Citi Group, Inc.
Image caption: A screenshot that shows the verified organizational information for Citi Group, Inc. on the Citi Bank’s SSL/TLS certificate.

But what if, after a few years, something important changed due to an acquisition (the name, owner, business type, etc.)? What if your business is so successful that from a sole proprietorship it’s changed into a corporation? If the certificate wouldn’t expire, it’d validate outdated information, giving attackers an easy way to exploit the certificate containing the incorrect information. This is just one example of why carefully tracking and managing certificate expirations, despite being annoying and difficult to manage, is important.

It’s a bit like your passport. To make sure that the information on it is still accurate, you have to renew it from time to time. Can you imagine checking in for a flight when you’re 40 years old using a passport with a picture taken when you were sixteen? No matter how young you actually look (which I’m sure you do), I bet the official at Transport Security Administration (TSA) will have a bit of a hard time recognizing you there.

Of course, managing your keys and certificates is also important because you have to ensure that the keys remain secure. If they fall into the wrong hands, it’s game over for your certificate and open season on your organization for cybercriminals.

What Happens When a Security Certificate Expires?

If you renew it before its expiration date, nothing. Your website is still secure, and your customers and users have access to it without issues. Business as usual, basically. But if you forget to renew your certificate and allow it to expire, that’s another matter entirely. You can end up with a few users being unable to access a website or a service or, in the worst-case scenario, it can cause a service disruption impacting millions of users.

You don’t believe it? Twitter has several examples with the hashtag #ExpiredCertificate. Here’s one such example:

A Twitter post screenshot from CeptBiro about an outage due to an expired PKI certificate
Image source: CeptBiro’s Twitter. An example of a tweet about an expired certificate. This wouldn’t look good on your organization’s records, right? 

So, what are the consequences when an SLL/TLS certificate, a code signing certificate, or an email certificate expires? It depends. Let’s check them out one by one.

Certificate TypeConsequences of an Expired Certificate For the Certificate OwnerConsequences of an Expired Certificate For Your Customers and Other Users
SSL/TLS CertificateLoss of customer trust. Loss of revenue and sales. Brand and reputation damage. Higher risks of attacks.Warning error messages. Sensitive data can be stolen or modified in transit. Inability to use a service or a website.
Code Signing CertificateMalware being signed in your name. Reputational harm that can result in reduced numbers of downloads. Your application no longer being trusted.Risk of malware infection. Scary warning messages. Credential or sensitive information theft.
Email Signing CertificateEmails will be sent unencrypted and unsigned. Your organization won’t be compliant with privacy regulations. Cybercriminals can pretend to be you.Warning message. Phishing attacks. Leak of sensitive information.

SSL/TLS Certificates: What Does the ‘Security Certificate Expired’ Message Mean?

Letting an SSL/TSL certificate expire can have devastating effects on your organization and customers. That’s why you should never underestimate the impact that even one expired SSL/TLS certificate could have on your business.

A basic breakdown of how SSL/TLS certificates work relating to the SSL/TLS handshake process
Image caption: This screenshot shows a basic overview of how a valid SSL/TLS certificate works.

Let’s consider a certificate expiration incident that happened to Aruba Networks in June. Someone at the company forgot to renew the SSL/TLS certificate for their Feature Navigator website and didn’t notice something was wrong until a user informed them via Twitter on June 1. As a result, the website kept on showing the same warning at least until June 6. That’s not good for an organization’s reputation. But why did it take them so long to renew it? Because to renew a certificate, every organization has to go through the verification process again to ensure that the information on the certificate is still up to date.

A screenshot of a Twitter conversation between a user @D0OXE and @ArubaNetworks
Image source: Twitter DO9XE. In this case, a customer informed the company about the expired certificate.

Consequences For the Certificate Owner

Did you forget to renew your SSL/TLS certificate? These are the consequences:

Loss of Customer Trust

No valid certificate, no validation. Thus, all browsers will show your site as not secure in big, bold letters. It’s as simple as that. Yes, you might get a few users who won’t be scared by the warning message, but those will be the exception. The majority won’t trust you anymore if you don’t address the issue. So, don’t even think about them sharing their sensitive information and payment details. Forget it — they’ll be too afraid of leaks and data breaches.

The outcome? They’ll quickly move on to doing business with your competitors.

A screenshot of Chrome's "Your connection is not private" warning message
Image source: expired.badssl.com. This is another example of a typical warning message caused by an SSL/TLS expired certificate. This time the customer is using Chrome. He gets a slightly different message from the one shown at the beginning of this article, but it causes the same problem and loss of trust. 

Loss of Revenue and Sales

Data from a Baymard study shows that 18% of surveyed customers don’t complete their orders because they don’t trust the website with their credit card information. Baymard also discovered that customers’ perceptions of website security is largely determined by how visually secure the website looks. Do you want to keep on making money? Don’t jeopardize your customers’ shopping experience. Ensure that your website will never show a warning message due to an expired security certificate.

Brand and Reputation Damage

As mentioned at the beginning of this article, many big organizations have issues with expired security certificates. Some of them, sadly, more than once. While the majority manage to survive and limit the damage by investing loads of money in cleaning their image, what about smaller businesses? Throwing money at the problem isn’t always so easy for them to do.

As a customer, would you buy a new tablet from a website showing that warning messages we showed earlier? I don’t know about you, but if I see such a warning on a website, there’s no way I’d buy anything from it or return to that website. Ever. Not even to just browse around once the security certificate issue is fixed.

Higher Risks of Attacks

An expired certificate is like a door that doesn’t close properly or lock anymore. Everyone can see what’s happening on the other side of the door because it isn’t closed. And it’s a real feast for hackers. All information shared isn’t secure anymore and can be easily read by anyone. Or, even worse, cybercriminals can place themselves in the middle of the communication between the browser and the server (i.e., a man-in-the-middle attack). Posing as the website owner or a customer, cybercriminals can steal sensitive information or infect a target website, network or device with malware.

A basic illustration of how a man-in-the-middle (MitM) attack works
Image caption: The graphic shows an example of a man-in-the-middle attack.

What about your customers and users, though? What are the consequences for them?

Consequences For Your Customers and Other Users

Warning Error Messages

‘This connection is not private,’ ‘This site is not secure,’ or ‘Warning: Potential security risk ahead.’ These are the typical messages that your users or customers will immediately see when visiting your website if you forgot to renew its SSL/TLS certificate. What would you do as a user? You’d likely run away. That’s what the majority of customers do, too. 

Stolen Sensitive Information

As previously discussed, exploiting an expired security certificate is the low-hanging fruit for hackers. And once a customer’s credit card information or sensitive data is stolen because you forgot to renew your website certificate, all your efforts and hard work you put into your business will go down the drain. Stolen or even deleted, in an instant.

Inability to Use a Service or a Website

This is what happened in 2021 to Google Voice users worldwide. Due to an expired TLS certificate, customers were unable to make or receive voice-over-IP (VoIP) calls for more than four hours. Got an important conference call with your boss? Not possible. Do you need to call a customer to inform him that his delivery will be delayed? That’s not going to happen, either.

Can you see the magnitude of the impact that a single expired SSL/TLS certificate can have on your business now? And these are just a few examples. Find even more reasons to never miss to renew your SSL/TLS certificates in our article “What Would Happen If Your SSL Certificate Expired.” 

Code Signing Certificates: What Does ‘Security Certificate Expired’ Mean?

Windows 11 was released to the public on Oct. 5, 2021. On Halloween of the same year, some features (including the Windows emoji panel, Snipping Tool, and the touch keyboard) failed to load due to an expired code signing certificate. Of course, the issue made it all over the tech news. That wasn’t really the best start for Microsoft’s new operating system, was it?

So, what kind of impact would have an expired code signing certificate on organizations and customers?

Consequences of Using an Expired Code Signing Certificate For You as the Certificate Owner

In addition to the points listed above referring to website certificates, an expired code signing certificate could cause:

Malware Being Signed in Your Name

An attacker could use an expired code signing certificate to sign malicious software. This is what happened recently with the NVIDIA data breach. The hackers used two old code signing certificates that expired in 2014 and 2018 and used them to sign malicious codes. How did they do that? They took advantage of the fact that expired code signing certificates can still be used to sign some types of Microsoft drivers.

Imagine what would happen if one of your employees installed infected code, or if malicious code was uploaded on your website or on third-party sites posing as genuine applications developed by your organizations. Without a way for customers to see whether the software legitimately came from you and hasn’t been altered, the damage could be immense.

Reduced Number of Downloads

When a code signing certificate expires, the user will get a warning message during the download or installation of software that hasn’t been timestamped. Would you install an app or software when your browser or operating system is telling you that there’s something wrong with it? Of course not.

Your Application Is No Longer Trusted

Have you ever seen the warning message below? That’s an example of what all your users and customers will see when downloading your windows application when its code signing certificate is expired. All major browsers and antivirus will also flag the application as untrusted.

what does security certificate expired mean graphic: A screenshot of the Windows Defender SmartScreen warning message for an Unknown Publisher
Image caption: This is Microsoft SmartScreen’s warning message that’ll come up every time a customer will download an application or an executable with an expired code signing certificate.

Otherwise, your users will likely see similar Windows User Access Control (UAC) warning messages indicating that the software is unknown and, therefore, shouldn’t be trusted:

A side-by-side comparison of the User Account Control (UAC) messages that display for unsigned software and digitally signed software
Image caption: A set of screenshots showing the difference between an app digitally signed by a verified publisher (right) versus one not digitally signed (the one on the right that has an unknown publisher warning).

Consequences of Using an Expired Code Signing Certificate For Your Users

  • Risk of infection. Tricking a user into downloading a malicious driver by signing it with an expired code signing certificate isn’t too difficult. Above all, if the cybercriminal manages to upload it on a fake website that’s designed to look like a legitimate site. And with more than 46,000 phishing URLs identified by Vadesecure in Q1 2022, the risk of infection looks pretty high.
  • Warning message. Like with SSL/TLS certificates, when downloading or installing a code with an expired certificate, the Windows user will see the warning message shown in the screenshot above. Do I need to say more? The sentence ‘Running this app could put your PC at risk’ says it all.
  • Credential or sensitive information theft. This can be the aftermath of downloading an infected application or software we talked about before. A trojan, spyware, or keylogger is injected by the hacker into the application downloaded by the user. If this happens, it’s game over. The attacker can now steal the user’s passwords, IDs, banking details, you name it.
A basic illustration of how a keylogger attack works
Image caption: The graphic shows an example of what an attacker can do by exploiting your expired code signing certificate.

There we go. Now, you have enough reason to avoid forgetting to renew your code signing certificates. Last but not least, let’s explore what happens when an email signature expires. Will it have the same catastrophic impact? Let’s find it out!

Email Security Certificates: What Does ‘Security Certificate Expired’ Mean?

So, what does ‘security certificate expired’ mean with regard to email security? With an email signing (i.e., S/MIME – secure/multipurpose internet mail extensions) certificate, users can digitally sign and encrypt the content of their emails (attachments included) to:

  • Guarantee its authenticity
  • Offer assurance about the message’s integrity
  • Ensure that only the intended recipient will be able to view its content

How? The email is signed and encrypted by using the recipient’s public key. Once sent, the recipient’s email client will verify the digital signature is legitimate and decrypt the message automatically using the private key. Easy as a pie! But what happens when you send an email and your certificate is expired?

A comparison set of two screenshots that show a digitally signed email versus an email that's signed by an email signing certificate that expired
Image caption: A stacked set of screenshots that shows the difference between what displays for a valid email signature (top half of the image) versus an invalid or expired email signature (bottom half of the image).
An example of digital signatures that are valid and invalid
Image caption: A side-by-side comparison set of screenshots that showcases what your users see when they click on the email signature information in Outlook to learn more about the signing digital certificate. The left half of the graphic shows the digital signature information for a valid email signing certificate. The right half shows an invalid or expired email signing certificate’s digital signature information.
Another side-by-side comparison of certificate properties of a valid certificate versus an invalid (expired) certificate
Image caption: A side-by-side comparison window that shows additional information about the email signing certificate. One the left, it shows a valid email digital signature; on the right, it shows an expired, now-invalid digital signature.

Consequences For the Certificate Owner

Now, let’s think of what all of this means as we answer the question “what does security certificate expired” mean in the context of email security?

  • Emails will be sent unencrypted. This means that any third party intercepting the emails will be able to read them, attachments included. He could also alter the content of the email before it reaches the recipient. How? Two potential methods are 1) adding an infected attachment to it, or 2) by changing the content of the message. Neither of these options is good, especially if you’re sending your customer’s sensitive information or if the email includes a strictly confidential presentation.
  • Your organization won’t be compliant with privacy regulations. Nowadays, virtually every business, small or big, handles sensitive information in one form or another. If you fail to meet industry or regional regulatory requirements, you’ll risk facing hefty fines and potential lawsuits. Email encryption helps organizations to protect that kind of information as required by many regulations, including:
  • Cybercriminals can pretend to be you. Without the digital signature capabilities offered by using a valid email signing certificate, your recipients will no longer have a verifiable way to differentiate your emails from cybercriminals impersonating you. They can do this to trick recipients into thinking that they’re really coming from you (i.e., email spoofing).  

Consequences For the Users

Displays Unsettling Warning Messages

Let’s say you sent an email to one of your customers and, a few minutes later, its signing certificate expires. If the recipient opens the email after the certificate’s expiration, if it isn’t timestamped, the email client won’t trust it and will display an error message. The recipient will still be able to read your email because it won’t be encrypted. However, they’ll will be warned that the signature isn’t valid. The same will happen when trying to reply to the email.

Can Be Used to Carry Out Phishing Attacks

Do you remember when we talked about email spoofing a few moments ago? Now, imagine that a customer receives a spoofed message and thinks that the email is from you, a brand they trust. In the email, the hacker asks the recipient to click on a link to a fraudulent website very similar to yours and confirm their credit card payment details. The customer, thinking that the email is genuine, follows the instruction and the damage is done. Do you think this customer will ever trust your brand again? Not likely, as highlighted by Axway’s Global Consumer Survey results.

A graphic for the article "What Does 'Security Certificate Expired' Mean?": A basic illustration of a phishing attack
Image caption: The graphic shows an example of a phishing attack.

Leak of Sensitive Information.

Once the email isn’t encrypted, everyone has access to its content. And if the email’s body includes some sensitive information (e.g., bank account details, usernames, passwords, health information) a malicious third party could easily get hold of it and use it to his advantage.

Now that you have a better idea of the often catastrophic consequences of forgetting to renew an expired security certificate, let’s see a few tips that’ll help you avoid you saying, in the words of a famous Britney Spears song, “Oops!…I did it again.”

How Can I Avoid Letting My Security Certificates Expire?

Tired of getting to the office in the morning and seeing the ‘This connection is not private’ warning popping up on your organization’s website? Do you want to stop receiving customers’ complaints about one of your applications showing the “Publisher Unknown” warning message during download or installation? End the misery now by implementing the following tips.

Use a Certificate Lifecycle Management Solution (CLM)

A certificate manager is a tool that virtually allows you to set-it-and-forget-it when it comes to managing your PKI digital certificates. In other words, a reliable CLM allows you to automate many certificate management tasks and manage them in a single tool. There are tons of solutions and tools out there you can choose from, depending on your needs and the number of certificates you’ll have to manage. Pick one, install it, and let it do the work from a to z — everything from certificate requests to provisioning and, of course, renewals.

Pay Attention to CA Notifications

You can’t afford a CLM? No problem, keeping an eye on the emails you’ll receive from the certificates’ issuing CAs. This method doesn’t cost you a dime but does require you to pay close attention to your inbox. It doesn’t matter what CA issued your certificates; they’ll all send you several expiration notification emails well before the certificate’s expiration date. All you have to do is:

  • Ensure that the reminders are sent to the right people. This includes system admins, developers in case of code signing certificates, IT managers, etc. You can even create a specific distribution list that includes these specific individuals.
  • Remember to review your email contacts from time to time and update if necessary. People move on, get sick, and go on holiday. Things change and you don’t want the email to end up in a black hole. Keep your list of responsible parties up to date by maintaining a current list of users and permissions.

Avoid Using Spreadsheets and Other Manual Tracking Methods

I know, sometimes money can be tight. However, being among that 42% of organizations identified by the Ponemon Institute still using spreadsheets to manually track certificates isn’t a good idea. Sure, you may save money on the front end, but it can cost you dearly later in case of a data breach or loss in sales because of an expired certificate.

One of the organizations I was working for was a big fan of “homemade” solutions. Don’t get me wrong, I love homemade when talking about biscuits, cakes, and food in general. But in cybersecurity, “homemade” solutions have always ended up creating more problems than benefits.

Limit the Usage of Self-Signed or Wildcard Certificates

Self-Signed Certificates

First and foremost, self-signed certificates should only be used internally (e.g., for internal testing); never use them to sign applications or exe that’ll be available to download to the public. OK, I know you’re a conscious developer, and you don’t do that. However, you have to remember that those certificates can still be exploited by cybercriminals to spread malware within your organization.

Wildcard Certificates

These certificates are incredibly handy as they can secure multiple subdomains (e.g., *yourorganization.com can be used for faq.yourorganization.com, blog.yourorganization.com, products.yourorganization.com, and so on) and save you money. However, the National Security Agency (NSA) raised a warning about their dangers, saying they are vulnerable to attacks. This is, in part, because when the certificate expires, you’ll have to update the private key on all servers using the certificate.

That’s a significant amount of work that’ll cost you time and money when doing this manually. Thankfully, the same NSA offers some risk mitigation strategies — one of which is to carefully manage your wildcard certificates and keys. This is where using a certificate lifecycle management solution can help.

Use Time Stamping

More than a solution, timestamping is a temporary workaround that can help you gain a bit of time in case you did forget to renew your code signing certificate.

Adding time stamping to your code signing certificate will enable you to give a kind of “longest life” to the codes you’ll sign with that certificate. When a customer downloads that code, even if the code signing certificate itself is now expired, they won’t see any alerts and will be able to download and install the code without issues. This is because the timestamp attests that the software was signed when the certificate was still valid.

Why? Because the customer’s device, to validate the code will check the signature based on the time it was signed (i.e., time stamping) instead of using the actual date. Beware, though: this is a temporary solution as you won’t be able to use the certificate to sign any new code or application with the exception of a few Microsoft drivers. It’s expired, remember?

Final Toughs on What ‘Security Certificate Expired’ Means

Email certificates, code signing certificates, SSL/TLS certificates. Even small organizations have so many security certificates to manage nowadays that it’s easy to forget to renew or replace one.

And one expired certificate is enough to:

  • Drive away customers from your website,
  • Negatively impact the customers’ trust in your brand or, even worse,
  • Expose your entire organization to vulnerabilities and enable attackers to decrypt sensitive information.

Now that you are familiar with the risks, ensure an effective certificate management strategy is in place. Automation is the key. Many tools are out there that can help you and your team to stay on top of your collection of PKI certificates — as such, there’s no good reason left to stick to manual tracking.

Yes, certificates will keep on expiring. However, you now have the knowledge to make sure you don’t miss any certificate expiration date anymore. You can do it!


Welcome to Savvy Security, a blog focused on providing practical cybersecurity advice for website owners and small businesses. Our team brings you the latest news, best practices and tips you can use to protect your business...without a multi-million dollar budget or 24/7 security teams.