Certificate expiry risk
A leaf or intermediate certificate that is already expired, or close to expiry, creates avoidable outage pressure. Renew it before clients start failing or operations fall into emergency replacement mode.
What this usually means
- Leaf certificate close to expiry: The public site certificate needs renewal and redeployment soon.
- Intermediate certificate close to expiry: The chain bundle may need to be updated along with the leaf, especially when a CA rotates intermediates.
- Already expired certificate: Public clients can fail immediately, depending on which certificate in the served chain has expired.
Fix path
- Managed platforms: If the endpoint uses ACM, Cloudflare managed certs, or another managed service, verify auto-renew is healthy and confirm the renewed certificate is actually deployed on the affected hostname.
- Self-managed web servers: Request or issue a replacement leaf certificate, update the full chain bundle, and reload the TLS terminator.
- Intermediate rollover: If the CA changed intermediates, deploy the new issuer chain instead of reusing the old bundle.
Verify after change
- Re-run TLS Advisor: The expiring certificate should no longer be highlighted and the new validity date should appear in the presented chain.
- Check every endpoint: If the hostname resolves to multiple IPs or edges, make sure each one presents the renewed certificate.
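
One way to script the per-endpoint check, as an added example that is not part of the original page or of TLS Advisor: it resolves the hostname, connects to each IP with the hostname as SNI, and reports the leaf's expiry status per address. The 30-day `WARN_DAYS` threshold and all function names are assumptions; an expired intermediate shows up only as a verification failure, not as a date.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

WARN_DAYS = 30  # assumed renewal threshold; the page does not give one

def classify(not_after, now, warn_days=WARN_DAYS):
    """Map a getpeercert()-style notAfter string to OK / EXPIRING / EXPIRED."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    days = (expiry - now).days  # negative once the certificate has expired
    if days < 0:
        return "EXPIRED"
    return "EXPIRING" if days <= warn_days else "OK"

def resolve(hostname, port=443):
    """Every distinct IPv4/IPv6 address the hostname currently resolves to."""
    infos = socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def leaf_not_after(ip, hostname, port=443, timeout=5.0):
    """Connect to one IP, send the hostname as SNI, return the leaf's notAfter."""
    ctx = ssl.create_default_context()  # verifies chain and hostname like a client
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()["notAfter"]

def check_endpoints(hostname, ips=None, port=443, now=None, fetch=leaf_not_after):
    """Return {ip: status} so one stale edge cannot hide behind healthy ones."""
    now = now or datetime.now(timezone.utc)
    results = {}
    for ip in (ips if ips is not None else resolve(hostname, port)):
        try:
            results[ip] = classify(fetch(ip, hostname, port), now)
        except ssl.SSLCertVerificationError as exc:
            # Raised when any certificate in the served chain is expired or untrusted.
            results[ip] = f"VERIFY_FAILED: {exc}"
        except OSError as exc:
            results[ip] = f"UNREACHABLE: {exc}"
    return results

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_endpoints.py HOSTNAME")
    report = check_endpoints(sys.argv[1])
    for ip, status in report.items():
        print(f"{ip:40} {status}")
    sys.exit(0 if all(s == "OK" for s in report.values()) else 1)
```

The script exits non-zero if any address is not `OK`, so it can gate a post-renewal deployment check.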