"There's not much you can do to protect yourself against a service provider's certificate expiring,"
Well if you're a large bank or a heavyweight payment processor where an outage means lost $$$$ and not only $, you could easily have a few SSL certs from various root certs ready and roll one of them out once the sh*t hits the fan.
2) Indeed, have a backup certificate ready (might be non-EV). This is especially a must if you use HSTS [1] (which you should use, BTW). It is actually a (low priority) government recommendation (B5-6) in the Netherlands [2], but that might have something to do with the government heavily using DigiNotar, which got compromised and had its root certificates revoked by Microsoft, which caused some communication issues.
If you want to verify the complete chain or see if any of it is expired, I wrote some tools that'll do just that. They use a pre-existing directory of CA certs (which you can generate with an included Makefile and cacert.pem) and download intermediaries.
That's basically what Stripe ended up doing. They stopped returning their EV certificates and started returning their non-EV wildcard '*.stripe.com' certificate.
Just make a monthly recurring entry in your calendar that says "Check SSL certificates".
If you rely on your calendar, it's simpler to create an entry in your calendar for changing the certificate a few days prior to its expiration date. Monthly reminders will be ignored too easily.
> This is easy. Just make a monthly recurring entry in your calendar that says "Check SSL certificates".
I was honestly expecting them to reference a monitoring service. It is possible to do for free with Nagios if you have a Linux box kicking around on your network. There are also paid services who will monitor your certificates and send you a nice email when there are 30 days left to renew (including several SSL registers).
You need to automate it if you have more than 1 site. If you have just one site, you can just check the expiry date and put that in your calendar. No need to check it on a monthly basis, no clue why the author of the post would suggest that.
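As an added example (not code from any commenter in this thread), a small Python expiry monitor of the kind the last two comments describe: it handshakes with each host, reads the leaf certificate's notAfter, and reports OK, WARN, EXPIRED or INVALID. The 30-day threshold is an assumption taken from the figure quoted above; the hostnames in the sample table are constructed and only exercise the reporting logic offline. A chain that fails verification breaks the handshake itself, so that case is reported separately rather than silently skipped.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

# Alert threshold. Assumption: 30 days, the figure mentioned in the thread.
WARN_DAYS = 30


def parse_cert_time(cert_time):
    """Turn the notAfter string that ssl.getpeercert() returns
    (e.g. 'Jun  1 12:00:00 2030 GMT') into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def days_until_expiry(not_after, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return (parse_cert_time(not_after) - now).days


def classify(days, warn_days=WARN_DAYS):
    """Map remaining days to a status: EXPIRED, WARN (renew now) or OK."""
    if days < 0:
        return "EXPIRED"
    if days < warn_days:
        return "WARN"
    return "OK"


def fetch_not_after(host, port=443, timeout=10):
    """Do a real TLS handshake (SNI set, chain verified against the system
    trust store) and return the leaf certificate's notAfter string.
    An expired or untrusted chain makes the handshake itself fail, which is
    the other condition a monitor has to report."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_hosts(hosts, warn_days=WARN_DAYS, fetch=fetch_not_after):
    """Check every host and return (host, status, detail) tuples.
    `fetch` is injectable so the reporting logic can run offline."""
    report = []
    for host in hosts:
        try:
            not_after = fetch(host)
        except ssl.SSLCertVerificationError as exc:
            report.append((host, "INVALID", f"chain did not verify: {exc}"))
            continue
        except (ssl.SSLError, OSError) as exc:
            report.append((host, "ERROR", f"could not check: {exc}"))
            continue
        days = days_until_expiry(not_after)
        report.append((host, classify(days, warn_days),
                       f"{days} days left (notAfter {not_after})"))
    return report


# Constructed sample, used only to exercise the reporting logic offline.
# None stands for a host whose chain fails verification.
SAMPLE_NOT_AFTER = {
    "good.example": "Jan  1 00:00:00 2099 GMT",
    "lapsed.example": "Jan  1 00:00:00 2000 GMT",
    "untrusted.example": None,
}


def fetch_from_sample(host):
    """Stand-in for fetch_not_after that reads SAMPLE_NOT_AFTER instead of the network."""
    not_after = SAMPLE_NOT_AFTER[host]
    if not_after is None:
        raise ssl.SSLCertVerificationError("self-signed certificate in chain")
    return not_after


if __name__ == "__main__":
    # Usage: python check_certs.py host1 host2 ...  (no hosts: run the offline sample)
    hosts = sys.argv[1:]
    results = (check_hosts(hosts) if hosts
               else check_hosts(list(SAMPLE_NOT_AFTER), fetch=fetch_from_sample))
    for host, status, detail in results:
        print(f"{status:8} {host}: {detail}")
    # A non-zero exit lets cron or a Nagios check turn anything but OK into an alert.
    sys.exit(0 if all(s == "OK" for _, s, _ in results) else 1)
```

Run it from cron with the real hostnames as arguments; the exit code is what a scheduler or Nagios plugin wrapper keys on, and the WARN band gives the lead time a calendar reminder would otherwise have to supply.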
I don't use it for this, but the Vigil App (iOS) will monitor and report SSL errors. It's a pretty basic app, but it is also set-it-and-forget-it easy.
If you want to be notified when your SSL certificates are about the expire, or when there's something wrong with them, I'm building a SaaS that will keep track of these things for you:
You can also configure alerts to be sent when domains and SSL certificates expire using Expiration Reminder. We already have customers using it specifically for SSLs:
All the certificate providers I've used get pretty insistent about renewing certs (given the huge cash-cow it is for them), I'm surprised this is a very common issue.
slightly off topic:
I wonder why Google (or Mozilla) do not add something like a "less secure" root CA service where everybody can get an SSL cert for free (after showing control over the domain).
This would degrade the annoying message to a simple warning and probably make lots of hobbyist websites use only SSL.
(If you have to choose between annoying your users or just using plain HTTP, I guess many choose the latter.)
StartSSL is great. I'm able to roll and go live with SSL certs, now that I've written down the process, in less than half an hour, with checking and all other stuff involved.
I'm intrigued to know how the process for an $8 cert is different to that of a basic free StartSSL cert. The last paid-for certificate I got was a year ago, and getting a StartSSL certificate is just as streamlined a process as the paid one. The only thing I can think of is if you are talking about certificates with wild-card matching, which will save time on the individual certificates you have to get when free. But for $8, is it possible to get a wild-card matching one?
Setting up your own CA is fine for certificates that will only be used internally, but anything customer facing needs a customer issuing certificate (unless you're a large enough company that can afford to get a certificate that allows you to sign new certs.)