A colleague messaged me today:
“Our CA certificate on the VPN servers quietly expired.”
Quietly - because there was no monitoring.
Valid for 10 years. Nobody checked.
Of course nobody noticed.
Here’s where it hurts: 10-year certificates exist precisely because you “don’t want to think about this often”. Makes sense. But the result - you forget about it completely.
And when it expires - VPN goes down. Quietly. No warnings. Just stops working.
Lucky if it happens during business hours. Lucky if someone notices quickly.
Do this right now:
Check your CA certificate expiration:
openssl x509 -in /path/to/ca.crt -noout -dates
If less than a year left - add an alert to your monitoring.
If there’s no monitoring - that’s the actual problem.
The non-obvious part: alert on “90/60/30 days until expiration”, not on “certificate expired”. By the time it expires, you’re already fighting a fire - too late to plan.
Prometheus, Zabbix, Datadog, even a simple cron script - doesn’t matter what. What matters is that it exists.
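Here is what the "simple cron script" version of that alert can look like. This is an added example written for this post, not the author's own script: it wraps the same openssl command shown above, parses the notAfter line, and reports the tightest of the 90/60/30-day tiers that has been crossed. The certificate paths are whatever you pass on the command line, and the thresholds are the post's suggestion, not a standard.

```python
#!/usr/bin/env python3
"""Cron-friendly CA certificate expiry check with 90/60/30-day warning tiers.

Added example for this post, not the author's script. Assumes `openssl` is on
PATH; certificate paths and thresholds are local choices.
Usage: cert-expiry-check.py /path/to/ca.crt [/path/to/other.crt ...]
"""
import subprocess
import sys
from datetime import datetime, timezone

# Warn early (90/60/30 days), not once the certificate has already expired.
THRESHOLDS_DAYS = (90, 60, 30)

# openssl prints e.g. "notAfter=Jun  1 12:00:00 2034 GMT" (always GMT).
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y"


def parse_not_after(enddate_line):
    """Parse the 'notAfter=...' line from `openssl x509 -noout -enddate`."""
    _, _, value = enddate_line.strip().partition("=")
    value = " ".join(value.split())          # collapse openssl's day padding
    if value.endswith(" GMT"):
        value = value[: -len(" GMT")]
    return datetime.strptime(value, OPENSSL_DATE_FMT).replace(tzinfo=timezone.utc)


def days_until(not_after, now=None):
    """Whole days until expiry; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return (not_after - now).days


def classify(days_left, thresholds=THRESHOLDS_DAYS):
    """Return 'EXPIRED', 'WARN-<n>' for the tightest tier crossed, or 'OK'."""
    if days_left < 0:
        return "EXPIRED"
    for tier in sorted(thresholds):          # 30 is checked first: most urgent wins
        if days_left <= tier:
            return f"WARN-{tier}"
    return "OK"


def check_cert_file(path, now=None):
    """Run the openssl command from the post against one file."""
    out = subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-enddate"],
        check=True, capture_output=True, text=True,
    ).stdout
    days = days_until(parse_not_after(out), now)
    return path, days, classify(days)


def main(paths):
    worst_exit = 0
    for path in paths:
        path, days, status = check_cert_file(path)
        print(f"{status:8} {days:5d} days  {path}")
        if status != "OK":
            worst_exit = 1                   # non-zero exit makes cron/monitoring notice
    return worst_exit


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it from cron once a day with the CA paths as arguments; a non-zero exit status (and the printed line) is what your monitoring or cron mail should alert on, and it starts firing 90 days out rather than on the day the VPN stops.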
The rule I apply in every audit:
Everything that “runs itself” and was set up more than a year ago is a candidate for review. Certificates. Backups. Log rotation. Cron jobs.
“Works” ≠ “works correctly” ≠ “will work tomorrow”.
I audit IT infrastructure.
Find what expired - before the incident.