惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Scott Helme
Scott Helme
N
Netflix TechBlog - Medium
AI
AI
Security Latest
Security Latest
GbyAI
GbyAI
P
Proofpoint News Feed
Y
Y Combinator Blog
A
Arctic Wolf
G
Google Developers Blog
U
Unit 42
爱范儿
爱范儿
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
V
Vulnerabilities – Threatpost
Know Your Adversary
Know Your Adversary
Cisco Talos Blog
Cisco Talos Blog
T
Tor Project blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
T
Threatpost
L
Lohrmann on Cybersecurity
C
CERT Recently Published Vulnerability Notes
C
Check Point Blog
B
Blog RSS Feed
The GitHub Blog
The GitHub Blog
Microsoft Azure Blog
Microsoft Azure Blog
博客园 - 【当耐特】
博客园 - Franky
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
C
Cisco Blogs
云风的 BLOG
云风的 BLOG
NISL@THU
NISL@THU
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Microsoft Security Blog
Microsoft Security Blog
T
The Blog of Author Tim Ferriss
阮一峰的网络日志
阮一峰的网络日志
Latest news
Latest news
L
LINUX DO - 最新话题
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
美团技术团队
WordPress大学
WordPress大学
L
LangChain Blog
Stack Overflow Blog
Stack Overflow Blog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
酷 壳 – CoolShell
酷 壳 – CoolShell
大猫的无限游戏
大猫的无限游戏
The Hacker News
The Hacker News
Simon Willison's Weblog
Simon Willison's Weblog
V
V2EX
Project Zero
Project Zero
博客园_首页

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
Your Servers Have Passports. Are They Expiring Without You Knowing?
Olawale Afuye · 2026-06-02 · via DEV Community

Picture this: it's 2 AM. Your on-call phone explodes. Your payments API is down. Users are screaming. The infra team is deep in logs trying to figure out what broke — firewall rules, a bad deploy, infrastructure drift?

Turns out your TLS certificate expired six hours ago and nobody noticed.

That's not a hypothetical. It's a recurring nightmare for engineering teams all over the world. And with the industry aggressively shrinking certificate lifespans — down to 47 days by 2029 — it's about to get a lot worse for teams that aren't paying attention.

This post is your primer. We'll cover what digital certificates actually are, why they matter more than most developers realise, what "machine identity sprawl" is, and how to stop treating cert management as an afterthought.


First: What Even Is a Digital Certificate?

Here's the simplest mental model.

Certificates are passports for machines, not people.

When your browser connects to https://api.yourbank.com, it needs to answer a critical question before sending any data: "Is this actually the server I think it is, or could someone be intercepting this connection?" A digital certificate is the server's answer. It says:

"Here is my name, here is my public key, and here is the signature of a trusted authority that vouches for both."

Technically, a certificate bundles:

  • The server's hostname (what it claims to be)
  • The server's public key (used to establish encrypted communication)
  • A digital signature from a Certificate Authority (CA) — a trusted third party that vouches for the binding of that name to that key

Think of the CA as the government that issued the passport. You don't personally know the bearer, but you trust the issuing authority enough to accept the document.

The Three Pillars This Enables

Once a valid certificate is established, it unlocks three critical security guarantees:

Pillar What It Means
Authentication You're talking to the real server, not an impersonator
Confidentiality Your data is encrypted in transit and only the server with the matching private key can read it
Integrity The data hasn't been modified between sender and receiver

Remove any one of these, and your "secure" connection is theatre.


The Man-in-the-Middle Threat (And Why Certs Stop It)

Here's the attack that certificates are specifically designed to prevent.

An attacker positions themselves between your user and your server. They intercept the request, pretend to be your server to the user, and pretend to be the user to your server. All traffic flows through them. They can read everything, modify anything, and neither side is any wiser.

Without cert validation:
User ──── ATTACKER ──── Your Server
            ↑
        intercepts and relays everything

With cert validation:
User ──[checks cert]──✓──── Your Server
     Attacker can't forge the CA's signature

Without a valid certificate — one signed by a CA the browser trusts — the attacker cannot present a credential that passes verification. The browser (or client) catches it. The connection is rejected.

But here's the thing: if your certificate expires, the browser treats it exactly the same as a forged one. Because from the browser's perspective, it is just as untrustworthy. Which brings us to the real problem.


The Problem: Machine Identity Sprawl

Ten years ago, you might have had a handful of certificates to manage. One for your main domain, maybe one for your API subdomain.

That era is gone.

Modern enterprises run:

  • Web servers and subdomains
  • REST and gRPC APIs
  • Microservices talking to each other over mTLS
  • Load balancers and reverse proxies
  • IoT devices and edge nodes
  • Internal tooling: CI/CD pipelines, Kubernetes clusters, internal dashboards
  • Third-party integrations, SaaS connectors, partner APIs

Each of these can have one or more certificates. A mid-sized engineering organisation can easily have hundreds or thousands of active certificates across its infrastructure.

This is machine identity sprawl: the explosion of machine-level credentials distributed across systems, teams, clouds, and environments — most of which were issued, forgotten, and are now quietly ticking toward expiry on nobody's radar.

The dangerous part isn't complexity. It's invisibility. Nobody sends you a calendar invite for cert expiry. There's no build failure. No test suite catches it. You find out when the production API starts returning connection errors at scale, usually at the worst possible time.


SSL vs TLS: A Quick Clarification

You'll hear "SSL certificate" constantly — in documentation, in vendor dashboards, in job descriptions. It's worth being precise here.

SSL (Secure Sockets Layer) is the original protocol. It's been deprecated. SSL 2.0 and 3.0 both have known, exploitable vulnerabilities and should not be used.

TLS (Transport Layer Security) is the current standard. TLS 1.2 and TLS 1.3 are what you want. TLS 1.3 (released 2018) cut unnecessary handshake round-trips, removed weak cipher suites, and is meaningfully faster and more secure.

The certificates themselves haven't fundamentally changed in shape — they still use the same X.509 format. But when someone says "SSL certificate" today, they mean a certificate used for TLS. The name is a legacy holdover that stuck.

If you're configuring a new server and you see options for SSL 2.0, SSL 3.0, or TLS 1.0/1.1 — disable them. All of them.


Why Shorter Lifespans Are Actually a Good Thing (Even If They're Painful)

Here's the uncomfortable trade-off the industry is making.

Certificate lifespans have been shrinking aggressively:

  • 2015: Up to 5 years
  • 2018: 2 years max
  • 2020: 1 year max (13 months)
  • 2029 target: 47 days

This feels like a headache being manufactured by the CA/Browser Forum. But the reasoning is sound.

If an attacker compromises your server's private key, they can impersonate your server until that certificate expires or is manually revoked. A certificate valid for 2 years gives an attacker a 2-year window to exploit a compromised credential — assuming you even detect the compromise.

Short lifespans shrink that window dramatically. A 47-day certificate means even a successful key compromise has a limited blast radius before the certificate naturally rotates out of existence.

It also forces cryptographic hygiene. Every renewal is an opportunity to use stronger key sizes, updated cipher suites, and current security standards. Organisations with 2-year certs can sit on weak configurations for years without touching them.

The catch, of course, is that a 47-day lifespan makes manual renewal not just inconvenient — it makes it mathematically impossible at enterprise scale. You cannot have a human manually renewing hundreds of certificates every six weeks. The industry is forcing automation, and it's the right call.


The Certificate Lifecycle: What You Need to Manage

Treating cert management as "buy, install, forget" is how you end up in the 2 AM outage. A proper lifecycle has four stages:

1. Discovery

You cannot manage what you cannot see.

The first step is finding every certificate across your entire infrastructure — including the ones that were issued years ago by a developer who has since left, deployed on a server that isn't in your main dashboard, and which nobody has touched since.

Automated discovery tools scan your network, check endpoints, and build a full inventory. This is often the most surprising step. Teams consistently find dozens of "unknown" certificates when they first run a discovery scan.

2. Issue & Deploy

Automate the issuance and deployment pipeline entirely. Tools like Let's Encrypt (with Certbot), HashiCorp Vault, or enterprise platforms like Venafi and AppViewX can handle this end to end.

A good setup issues the certificate, deploys it to the right server or load balancer, triggers a reload (without downtime), and logs the event — all without human intervention.

# Example: Certbot automatic renewal via cron
0 0,12 * * * root certbot renew --quiet --post-hook "systemctl reload nginx"

For internal services or mTLS between microservices, a private CA (like Vault's PKI secrets engine) handles issuance internally without going through public CAs.

3. Monitor

Every certificate in your fleet should have active monitoring on:

  • Expiry date — alerts at 30 days, 14 days, 7 days out
  • Validity — is the cert still being served correctly?
  • Chain integrity — is the full trust chain intact?
  • Coverage — are all subdomains and SANs still accurate?

This is your early warning system. If your automation pipeline breaks, monitoring catches it before users do.

4. Rotate & Revoke

Certificates need to be replaced on schedule (rotation) and immediately if a compromise is suspected (revocation).

Revocation is important and under-implemented. If a private key is exposed — through a breach, a misconfigured server, a leaked secrets file in a public repo — the certificate must be revoked immediately through the CA. A revoked certificate tells clients: "Do not trust this, regardless of the expiry date."

The failure mode when certificates are not retired is subtle but serious: old certificates associated with deprecated services, decommissioned servers, or former employees' infrastructure can become silent attack surfaces. If the private key still exists somewhere and the certificate hasn't been revoked, it's a live credential that nobody is watching.


Why "Cryptographic Hygiene" Is Bigger Than Just Certs

Certificates are the most visible part of your cryptographic surface, but they're not the whole picture.

A genuine cryptographic hygiene audit also looks at:

  • Key sizes: RSA 2048-bit is a current minimum. RSA 4096 or ECDSA P-256/P-384 are preferred.
  • Cipher suites: Weak or deprecated ciphers (RC4, DES, 3DES) should be disabled even if your server technically supports them.
  • Library versions: OpenSSL, BoringSSL, and similar libraries have their own vulnerability histories. Are you running patched versions?
  • Protocol versions: TLS 1.0 and 1.1 are deprecated. Are they still enabled on any of your services?
  • Post-quantum readiness: NIST standardised its first quantum-resistant algorithms in 2024. Forward-thinking teams are beginning to inventory what a migration path looks like, even if it's years away.

Certificates are the fire you can see. These are the smoldering ones.


What Does Automation Actually Change?

Here's the honest answer: automation doesn't eliminate security risk. It eliminates the specific, unnecessary, entirely preventable risk that comes from human forgetfulness at scale.

Automated certificate management means:

  • Renewals happen on schedule, not when someone checks a spreadsheet
  • Deployment is consistent, not dependent on which engineer is available that weekend
  • Expiry monitoring doesn't rely on someone reading an email from six months ago
  • Rotation is a routine event, not an emergency

What automation doesn't do is protect you from a compromised CA, a misconfigured deployment script, or a zero-day in your TLS implementation. Those require different controls. But the "two-year-cert-in-a-forgotten-spreadsheet" class of incident? That's fully solvable, right now, with the tooling that exists today.


Quick Reference: The Toolkit

Need Open Source Option Enterprise Option
Public cert issuance Let's Encrypt + Certbot DigiCert, Sectigo
Internal / private CA HashiCorp Vault PKI Venafi, AppViewX
Discovery & inventory ssl-cert-check, Shodan Keyfactor, Sectigo SCM
Monitoring Prometheus + custom exporter Datadog, New Relic
mTLS between services cert-manager (K8s) Istio, Linkerd

The Bottom Line

Certificates are infrastructure. Not a one-time setup task. Not a DevOps checklist item. Infrastructure — like your database, your load balancer, your secrets manager. It requires the same treatment: automation, monitoring, documented runbooks, and ownership.

By 2029, the industry will not give you a choice. 47-day certificates make manual management impossible by design. The teams that start treating certificate lifecycle as a first-class engineering concern today will have the tooling and culture in place before the deadline. The teams that don't will be having a lot of 2 AM conversations.

Your servers have passports. Make sure they're not expiring in a drawer somewhere.


Found this useful? Drop a comment below with how your team currently handles cert management — spreadsheet, automation, or "we'll figure it out when it breaks." No judgment. Mostly judgment.