Listing only one individual as the contact for certificate renewals is a pitfall for many companies. Without taking the proper precautions, this seemingly innocent action can cause a company a lot of unnecessary grief.
For example, say a company has “Joe” order a three-year certificate. Joe lists himself as the contact for the certificate renewals, but then Joe leaves the company a year later. Who receives the certificate renewal notices now that Joe is gone? There are many incidents where an employee who is the sole contact for certificate renewal notifications leaves a company, and then there is no one listed to receive the emails alerting them to the expiring certificate. As a result, the company fails to renew the certificate and it expires.
It is important for all businesses working with SSL Certificate Authorities like DigiCert to set up an email distribution group within the account and include a few trusted contacts at the company; then, if the primary renewal contact leaves, the business can avoid any negative impact.
The ultimate purpose of a distribution list is to ensure that multiple individuals have permissions to receive renewal notifications from their company’s CA. For instance, when you place an order and start an account with DigiCert, we allow you to add a technical contact to the order.
Do not use your contact details as the technical contact; instead, uncheck “Use my contact details as the technical contact” and add a separate user. Note that the technical contact does not have permissions to manage the certificate order. The technical contact does receive all correspondence for the order, including all renewal notifications. However, the administrator of the account will be able to create additional users inside the account if they, or other employees, leave.
This way, when the renewal email from the CA goes out, it will go to the account holder as well as the technical contacts listed, i.e., the distribution group.
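The failure mode described above, a certificate whose only renewal contact has left the company, can be caught by auditing the certificate inventory against the current staff list. The following is an added example, not DigiCert code: the CSV layout, the addresses, the staff and shared-mailbox lists and the audit function are all constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (not real orders): one row per certificate order.
# "contacts" holds the addresses that receive renewal notices, separated by ';'.
INVENTORY_CSV = """common_name,expires,contacts
www.example.com,2025-03-01,joe@example.com
api.example.com,2025-02-10,pki-renewals@example.com;ann@example.com
mail.example.com,2026-01-15,ann@example.com;raj@example.com
"""

# Constructed lists: people still employed, and shared mailboxes/distribution groups.
CURRENT_STAFF = {"ann@example.com", "raj@example.com"}
SHARED_MAILBOXES = {"pki-renewals@example.com"}


def audit(inventory_csv, staff, shared, today, warn_days=60):
    """Return {common_name: [findings]} for orders with renewal-notice risks."""
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        contacts = {c.strip().lower() for c in row["contacts"].split(";") if c.strip()}
        reachable = contacts & (staff | shared)
        findings = []
        # A lone address is acceptable only if it is a shared mailbox or group.
        if len(contacts) < 2 and not (contacts & shared):
            findings.append("single individual contact")
        departed = sorted(contacts - staff - shared)
        if departed:
            findings.append("contact not in staff list: " + ", ".join(departed))
        if not reachable:
            findings.append("no reachable contact")
        days_left = (date.fromisoformat(row["expires"]) - today).days
        if days_left < 0:
            findings.append("expired")
        elif days_left <= warn_days:
            findings.append(f"expires in {days_left} days")
        if findings:
            report[row["common_name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(INVENTORY_CSV, CURRENT_STAFF, SHARED_MAILBOXES,
                                date(2025, 1, 15)).items():
        print(f"{name}: {'; '.join(findings)}")
```

Run on a schedule against an export of your own certificate orders and HR roster, a report like this surfaces the "Joe" case while there is still time to add contacts and renew.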
There are several drawbacks to lacking additional renewal contacts in an account. For example, tracking certificate deployment becomes very difficult when a former employee is the only one who had knowledge of where a company’s certificates are in their lifecycle. When a certificate expires without a company realizing it, there may be a significant amount of downtime: a new account administrator must figure out which certificates have expired, potentially find another provider, ensure they are validated, wait for the certificate to be issued (no matter how fast it’s issued, every second counts when trying to replace an expired certificate), install new certificates, configure servers, etc.
The verification process to switch the account to someone new, or to reset it for someone who is trying to gain permissions, can be lengthy, wasting time that could have been saved from the beginning by merely adding a few select contacts to receive renewal notices in addition to the former account manager.
Further, an unwanted or unexpected certificate expiration can be costly and can put a company’s sensitive and most important information at risk. More importantly, the company’s reputation suffers. Expired certificates can do irreparable damage to the confidence of those who visit and depend on a site.
Because SSL is critical to online security and the backbone of Internet safety, staying on top of SSL Certificate management must always remain a top priority for server and network administrators.