c6ecd2d8 image

Keep your certificates young and fresh

Imagine my surprise this am to find a post on LinkedIn, with their shortener, inaccessible. It turns out the TLS certificate expired this am for linkd.in. Hmm.

This is a general problem, and one for which some great solutions exist. E.g. using Let’s Encrypt, we can use CertManager to auto-create/refresh. There are tools to watch the expiry date as well.

When good certificates go bad it trains users to ‘accept’ the error (curl -k, accept in browser, etc). This is not acceptable, users should see a NET:ERR_CERT_DATE_INVALID as a hard-fail, not as a “oh, security, we’ll yada yada that”.