← Back to Engineering Blog
πŸ—“οΈ Jun 20, 2016 ⏱️ 2 min read

SSL Certificate Hell: Preventing Unplanned Outages at Scale

A single expired wildcard SSL certificate took down 40 production web applications. Here is how we automated certificate lifecycle monitoring.

πŸŽ™οΈ Listen to Article READY
AI Audio Synthesis Narrator
Share Post:

β€œAt 8:00 AM on a Monday, 40 enterprise customer portals went down simultaneously with β€˜NET::ERR_CERT_DATE_INVALID’. A wildcard SSL certificate had quietly expired over the weekend.”

In June 2016 at Wipro, an expired wildcard SSL certificate installed across multiple F5 BIG-IP LTM SSL profiles caused a massive application outage.


The Root Cause: Manual Tracking Failure

The certificate lifecycle had been tracked in a manual Excel spreadsheet. When the primary administrator left the company, the renewal notification email bounced.

  • 40 Virtual Servers (VIPs) were bound to a single ClientSSL profile referencing the expired certificate.
  • Browsers instantly blocked all incoming user traffic with security warnings.

[!IMPORTANT] Never rely on human memory or manual spreadsheets for TLS certificate renewal tracking.


The Solution: Automated Python Expiration Scanner

I wrote an automated Python scanner using OpenSSL to query all production F5 LTM VIPs and internal web endpoints weekly, sending alert notifications 60, 30, and 7 days prior to expiry.

# # Python TLS Certificate Expiration Inspector
import socket
import ssl
import datetime

def check_cert_expiry(hostname, port=443):
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port)) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
            cert = ssock.getpeercert()
            expiry_date = datetime.datetime.strptime(cert['notAfter'], '%b %d %H:%M:%S %Y %Z')
            days_left = (expiry_date - datetime.datetime.utcnow()).days
            print(f"Host: {hostname} | Days Remaining: {days_left}")

check_cert_expiry("app.company.com")

The Verdict

Key Takeaway

Automate Public Key Infrastructure (PKI) Monitoring.

Treat TLS certificates as short-lived assets that must be monitored programmatically. Automating expiration scans prevents embarrassing, high-visibility application downtime.

SKS

Sachin Kumar Sharma

Associate Director (Infrastructure & Cloud Architecture Strategy) | 20+ Yrs Exp

Architecting resilient multi-cloud enterprise landing zones, SDN overlay fabrics, DevSecFinOps automation pipelines, and autonomous Agentic AI platforms.