Certificate expiry is still one of the most common causes of unplanned outages. At scale — dozens or hundreds of certificates across applications, load balancers and APIs — manual certificate management is unacceptable. Here is how to automate it properly.
1 The Certificate Expiry Problem
A forgotten certificate expiry brought down the Microsoft Teams mobile app for hours in 2020, affecting millions of users. In India, RBI has issued guidelines requiring certificate lifecycle management as part of IT risk frameworks. Yet most organisations still manage certificates via spreadsheets and calendar reminders. The solution is automating issuance, renewal and deployment.
2 Let's Encrypt and ACME Protocol
Let's Encrypt has eliminated the cost argument against automated certificate management. The ACME protocol (RFC 8555) enables automated issuance and renewal. Certbot handles most Linux deployments. For DNS-01 challenges (required for wildcard certs), configure your DNS provider's API with Certbot's DNS plugins. Set up auto-renewal with a systemd timer or cron job that runs twice daily.
3 Certificate Management at Scale with Vault
HashiCorp Vault's PKI secrets engine is the enterprise approach to internal certificate management. Vault acts as an intermediate CA, issuing short-lived certificates (24–72 hours) to services via the ACME interface or API. Short-lived certificates eliminate the revocation problem entirely — if a certificate is compromised, it expires before it can be meaningfully abused.
4 cert-manager for Kubernetes
cert-manager is the standard Kubernetes operator for certificate lifecycle management. Deploy cert-manager, configure a ClusterIssuer pointing to Let's Encrypt or your internal CA, and annotate your Ingress resources with the issuer. cert-manager automatically handles issuance, storage in Kubernetes Secrets and renewal 30 days before expiry. This completely removes human intervention from certificate management for containerised workloads.
5 Monitoring and Alerting
Even with automation, monitoring certificate expiry is essential for certificates outside the automated scope. Prometheus ssl_exporter or Blackbox Exporter with probe_ssl_earliest_cert_expiry metric gives you a dashboard of all certificate expiry times. Alert at 30 days, 14 days and 7 days. For external certificates, services like Certificate Transparency logs give you visibility into every certificate issued for your domain.