# Keep your certificates young and fresh

Imagine my surprise this am to find a post on LinkedIn, with their shortener, inaccessible. It turns out the TLS certificate expired this am for [linkd.in](https://lnkd.in/gB4KiRR). Hmm.

This is a general problem, and one for which some great solutions exist. E.g. using [Let's Encrypt](https://letsencrypt.org/), we can use [CertManager](https://github.com/jetstack/cert-manager) to auto-create/refresh. There are tools to watch the expiry date as well.

When good certificates go bad it trains users to 'accept' the error (curl -k, accept in browser, etc). This is not acceptable, users should see a NET:ERR\_CERT\_DATE\_INVALID as a hard-fail, not as a "oh, security, we'll yada yada that".

![](https://www.agilicus.com/www/2019/05/c6ecd2d8-image.png)