The Cert Expires Tonight. Just Bump It to a 10-Year Cert?
Scenario
The TLS certificate on your production nginx expires in a few hours. This is not the team's first brush with it: a previous expiry slipped past unnoticed and caused an outage, and the "process" since then has been a calendar reminder that already failed once last quarter. The endpoint serves both browsers and API clients, so an expired cert breaks humans and integrations at the same time.
The Quick Fix on the Table
A teammate has had enough of the renewal treadmill: generate a self-signed certificate valid for 10 years, install it in nginx, and never think about expiry again. One openssl command, a decade of peace.
The quick fix is on the table and the room is waiting for your call. Would you sign off on it? Take a position and justify it — out loud or on paper — before revealing the analysis.
Why the Quick Fix Fails
- Self-signed means untrusted — instantly, for everyone. Browsers throw full-page security warnings and API clients fail TLS verification outright. The "fix" causes the very outage it is trying to prevent, just at 100% of clients instead of at expiry time.
- Modern clients cap certificate lifetimes anyway. Mainstream browsers reject publicly-trusted certs valid longer than roughly 13 months, and maximum lifetimes are shrinking further. A 10-year cert fights the entire direction of the ecosystem.
- Ten years is a decade of key exposure. If that private key ever leaks, it is valid until the 2030s. Short lifetimes exist precisely to bound the damage of a compromised or mis-issued key.
- The workaround spreads. Making it work would mean distributing the self-signed cert to every API consumer's trust store or — worse — teaching clients to disable verification. Both create brittle, insecure coupling that outlives everyone's memory of why.
- The real problem remains unsolved. The failure here is manual, unmonitored renewal. A longer cert doesn't fix that process; it schedules the identical fire drill for a future team with even less context.
The interviewer nods: “Fine, the quick fix is off the table. So what exactly would you do — step by step?” Sketch your plan before revealing the approach.
The Right Approach
- Stop tonight's outage with a real cert. Issue a publicly-trusted certificate via ACME right now —
certbot --nginx -d example.comtakes minutes if HTTP/DNS validation is available — or complete the normal CA renewal. Handle tonight with the boring correct option. - Verify from the client's side.
openssl s_client -connect example.com:443 -servername example.com | openssl x509 -noout -datesconfirms the new expiry and that the full chain is served — a common silent mistake under time pressure. - Make renewal automatic and unattended. ACME clients install a systemd timer or cron entry that renews at roughly two-thirds of the cert's life and reloads nginx; confirm the loop actually works with
certbot renew --dry-run. - Monitor expiry independently of the renewal tool. An external check that alerts at 21, 14 and 7 days remaining (blackbox exporter, an uptime service, or a scheduled script) catches the case where automation itself breaks — the belt to automation's braces.
- Inventory every certificate you own. This cert nearly expired because nobody was looking; find the others — internal endpoints, load balancers, mail, message queues — and put them under the same automation and monitoring.
- Kill the calendar-reminder process explicitly. Write down that renewal is automated and monitored, and remove the human step from the loop; a process that failed twice is not a backstop, it's a liability.
Final pushback: “Your plan costs more time and money than the quick fix. Convince me.” How do you defend your position under pressure?
How to Defend It
- "A self-signed cert doesn't dodge the outage — it is the outage. Every browser warns, every API client with verification enabled fails, starting the moment we install it."
- "Browsers won't accept certs longer than about 13 months, and lifetimes keep shrinking. A 10-year cert is a plan the ecosystem has already vetoed."
- "Our problem was never that certs expire — it's that renewal depended on a human remembering. Automation removes the failure mode; a longer cert just postpones it a decade."
- "The ACME route is genuinely the fast path tonight: certbot takes minutes and gives us a trusted cert plus automated renewal in the same step."
- "Short-lived keys are a security feature: if a key leaks, exposure is measured in weeks. Signing a 10-year key is betting the domain on a decade of perfect secret hygiene."