Introducing the 2024 PKI & Digital Trust Report     | Download the Report

  • Home
  • Blog
  • Outages
  • Stop Expired Certificates and Start Preventing Certificate Outages

Stop Expired Certificates and Start Preventing Certificate Outages


SpaceX, Microsoft, and Spotify are just some of the companies that have experienced PR nightmares because of outages caused by expired certificates – and that’s just the tip of the outage iceberg. Plenty of outages go unreported, and according to Keyfactor’s annual State of Machine Identity report, 77% of organizations experience outages due to expired certificates.

Certificates play a crucial role in securing communication channels and ensuring data privacy. But as the number of certificates organizations use continues to grow, it becomes increasingly challenging to manage them effectively and realize when they expire.

More than half of organizations say that outages resulted in severe disruption to customer services. But with a prevention strategy, companies can proactively avoid these disruptions before they become a problem. Here we share a practical approach to stopping certificate-related outages so you can gain full visibility and take back control of your certificates.

Why expired certificates wreak havoc

Keyfactor customer EQ Bank was plagued by sudden outages caused by unknown and untracked expired certificates. Applications would stop working, and the bank would have to pull critical resources away from day-to-day tasks to remediate outages. 

Challenges with certificate-related outages are not limited to EQ Bank. At most companies, the problem is generally attributed to three factors:

  1. More certificates, less visibility: The volume of certificates issued within a company is rising, with an average of 256,000 certificates. And while more certificates for use cases are a good thing, it also signals less visibility into the environment. 
  2. Increasing complexity, decreasing control: Sixty-two percent of organizations don’t know exactly how many certificates they have. A company’s various teams may be using different tools and PKIs in their own way, amplifying complexity and limiting a company’s ability to oversee when certificates expire. 
  3. Shorter lifespans, bigger risks: In September 2020, the certificate lifespan was cut in half from 27 months to 13 months. Shorter lifespans must be managed more frequently, creating more work and risk for the teams involved and the entire organization.

A time-consuming recovery process impacts business

“It only takes one expired certificate to cause an outage, so it’s important to have complete coverage to have peace of mind that your applications aren’t going to go down,” said Sami Van Vliet, Principal Product Manager U.S. Product, Keyfactor.

Van Vliet advises that a good rule of thumb is that the number of places an expired certificate is used within a company will extend how long it will take to recover from that outage. Companies face an extensive timeline for righting the disruption involving identifying the expired certificate and all its installed locations, restarting services, provisioning certificates, and the list goes on.

It is a time-consuming process, and companies take more than four hours and 11 team members on average to identify, remediate, and recover from a certificate-related outage. 

But it doesn’t have to be that way. 

Companies that take preventative measures to stop outages before they interfere with the business will be rewarded with less costly downtime and minimized disruption.

Take back control of certificates with automation

With end-to-end visibility, certificate management, and lifecycle automation, companies can prevent certificate-related outages. Keyfactor suggests achieving this prevention trifecta by taking a crawl, walk, run approach. Begin with gaining visibility into the certificates across your CAs, networks, and devices. Identify where they live, who issued them, and when they expire.

Once you understand what is out there, you can move forward with actively managing and monitoring your certificate inventory. Do this by enforcing policies and setting renewal alerts to ensure end-users renew certificates before they expire. 

The last phase is to fully automate the certificate renewal and provisioning processes of every certificate on every machine. Automation reduces friction and risk so you can quickly identify and remediate expired certificates to stay ahead of unexpected outages.​

The crawl, walk, run approach helped EQ Bank solve its problem with outages caused by expired certificates. Using a combination of expiration alerting and automated renewal workflows, Keyfactor Command centralized visibility and significantly reduced the rate of human error. EQ Bank has not experienced a single certificate-related outage since running with Keyfactor Command.

To learn more about Keyfactor’s approach to preventing certificate-related outages, watch the on-demand webinar Crawl, Walk, Run – A Practical Approach to Preventing Certificate Outages.