Your browser just displayed "Your connection is not private." Your SSL certificate has expired — or is about to. Visitors see a scary warning, search engines may flag your site, and your credibility takes an immediate hit. This guide tells you exactly what to do right now and how to set up monitoring so this never happens again.
What Happens When an SSL/TLS Certificate Expires
An SSL/TLS certificate contains a validity window — a start date and an expiration date. Once the certificate expires:
- Browsers block access with a full-screen security warning
- Search engines may delist pages or lower rankings for sites they can no longer verify
- APIs and webhooks fail when clients enforce certificate validation (most modern clients do)
- User trust evaporates — many users will not click past a certificate warning
The practical impact depends on your user base. Consumer-facing sites see immediate bounce rate spikes. B2B applications may trigger SLA violations when integrations break. Either way, an expired certificate is an outage.
Immediate Response: Renewing an Expired Certificate
Step 1 — Identify Your Certificate Authority
Check who issued your current certificate. Common CAs include Let's Encrypt, DigiCert, Sectigo, GlobalSign, and your hosting provider's bundled CA. The issuer is visible in the certificate details in any browser.
Step 2 — Generate a New Certificate
Let's Encrypt (free, automated):
```bash
# Using Certbot: renew every certificate it manages, even if none is due yet
sudo certbot renew --force-renewal
# Or issue a certificate for a specific domain (standalone mode needs port 80 free)
sudo certbot certonly --standalone -d yourdomain.com
```
Let's Encrypt certificates are valid for 90 days. Certbot includes an automatic renewal mechanism — set it up as a cron job or systemd timer and you should never need manual renewal.
Commercial CA (DigiCert, Sectigo, etc.): Log into your CA's dashboard, generate a new Certificate Signing Request (CSR) from your server, submit it through the CA's interface, complete domain validation, then download and install the issued certificate.
Step 3 — Install the Certificate
Replace the expired certificate files on your web server. The specific steps depend on your infrastructure:
Nginx:
```nginx
server {
    listen 443 ssl;
    # Leaf certificate followed by the intermediate chain (Certbot's fullchain.pem)
    ssl_certificate /etc/ssl/certs/yourdomain.crt;
    ssl_certificate_key /etc/ssl/private/yourdomain.key;
    # Chain used to verify stapled OCSP responses when ssl_stapling is enabled
    ssl_trusted_certificate /etc/ssl/certs/chain.crt;
}
# Run 'sudo nginx -t' before reloading to catch path or permission errors
```
Reload after replacing files: sudo nginx -s reload
Apache:
```apache
# Leaf certificate; on Apache 2.4.8+ append the intermediate chain to this file
SSLCertificateFile /etc/ssl/certs/yourdomain.crt
SSLCertificateKeyFile /etc/ssl/private/yourdomain.key
# Older Apache: intermediates go here (SSLCACertificateFile is for client-cert auth, not the server chain)
SSLCertificateChainFile /etc/ssl/certs/chain.crt
```
Reload: sudo systemctl reload apache2
Step 4 — Verify the Installation
Test immediately after installation:
- Open your site in a browser — the padlock icon should appear
- Use SSL Labs for a detailed rating
- Check the certificate expiry date in browser certificate details
Also verify that your HTTP → HTTPS redirect still works and that no resources are loaded over plain HTTP (mixed content warnings break the padlock).
TLS Configuration Best Practices
Renewing the certificate is the minimum. While you have your TLS configuration open, check these settings:
Disable deprecated protocols. TLS 1.0 and TLS 1.1 are deprecated (NIST SP 800-52 Rev 2 recommends TLS 1.2 minimum, TLS 1.3 preferred). Most current server software supports TLS 1.3.
Use strong cipher suites. Prioritize ECDHE key exchange (forward secrecy) and AES-GCM authenticated encryption. Disable RC4, 3DES, and export cipher suites.
Enable OCSP Stapling. This speeds up certificate validation for visitors: your server fetches a signed, time-limited OCSP response from the CA and attaches it to the TLS handshake, so the browser does not have to query the CA itself.
Set HTTP Strict Transport Security (HSTS). The Strict-Transport-Security header tells browsers to always use HTTPS for your domain, preventing protocol downgrade attacks. See the secure HTTP headers guide for implementation details.
```http
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
```
Only add preload after thorough testing — it is very difficult to reverse.
Never Let It Expire Again: Monitoring Strategy
A certificate expiry is entirely preventable with proper monitoring.
Automated Certificate Renewal
Let's Encrypt with Certbot or ACME clients (acme.sh, Caddy's built-in ACME) automate renewal before expiry. Set up renewal automation and test it: sudo certbot renew --dry-run.
For certificates from commercial CAs, configure calendar reminders at 60 days, 30 days, and 14 days before expiry. Add multiple contacts — a certificate managed solely by one person creates a single point of failure.
External Monitoring
Your internal alerts can fail. Network issues, server problems, or misconfigured cron jobs can mean your renewal process runs but fails silently. External monitoring from outside your infrastructure catches these gaps.
WarDek monitors certificate expiry as part of its continuous security scanning. You receive alerts with sufficient lead time to renew calmly, not in an emergency.
SSL Certificate Inventory
Organizations often discover expired certificates on secondary subdomains, staging environments, or internal services that were set up years ago and forgotten. Maintain a certificate inventory: domain, CA, expiry date, renewal owner. Review it quarterly.
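To turn the verification step and the quarterly inventory review into one repeatable check, here is an added example (not part of the original guide, nor code from any product it mentions): a standard-library Python checker that walks a constructed inventory of host:port entries, performs a fully verified TLS handshake against each, and classifies the certificate against the guide's 60/30/14-day thresholds. The hosts in INVENTORY are placeholders, and the function names are this example's own.

```python
import socket
import ssl
import time

# Alert thresholds in days, matching the guide's 60/30/14-day reminder schedule.
THRESHOLDS = (60, 30, 14)
# Constructed sample inventory (placeholder hosts): replace with your own.
INVENTORY = ["www.example.com:443", "api.example.com:443"]

def days_remaining(not_after: str, now_ts: float) -> int:
    """Whole days to expiry, negative once expired. not_after is the string
    getpeercert() returns, e.g. 'May  9 00:00:00 2007 GMT'; now_ts is POSIX time."""
    return int((ssl.cert_time_to_seconds(not_after) - now_ts) // 86400)

def alert_level(days: int) -> str:
    """Map days-to-expiry onto the guide's alert tiers."""
    if days < 0:
        return "expired"
    if days <= THRESHOLDS[2]:
        return "critical"  # 14 days or less: renew today
    if days <= THRESHOLDS[1]:
        return "warning"   # 30 days or less
    if days <= THRESHOLDS[0]:
        return "notice"    # 60 days or less: first reminder
    return "ok"

def check_endpoint(target: str, timeout: float = 5.0) -> dict:
    """Fetch host:port's leaf certificate over a fully verified handshake. An expired
    or untrusted certificate fails the handshake exactly as in a browser, so that
    case is reported as a result rather than raised."""
    host, _, port = target.partition(":")
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, int(port or 443)), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
                version = tls.version()  # expect TLSv1.2 or TLSv1.3 (see best practices)
    except ssl.SSLCertVerificationError as exc:
        # Reading notAfter from a rejected certificate needs an X.509 parser
        # (e.g. the 'cryptography' package); the failure itself is the alert.
        return {"target": target, "level": "invalid", "days": None, "detail": exc.verify_message}
    except OSError as exc:
        return {"target": target, "level": "unreachable", "days": None, "detail": str(exc)}
    days = days_remaining(not_after, time.time())
    return {"target": target, "level": alert_level(days), "days": days,
            "detail": f"{version}, expires {not_after}"}

if __name__ == "__main__":
    for r in map(check_endpoint, INVENTORY):
        print(f"{r['target']:<24} {r['level']:<12} {str(r['days']):>5}  {r['detail']}")
```

Run it from a scheduler on a host outside the infrastructure being monitored, so a broken renewal job on the web server itself cannot also silence the alert.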
Certificate Types: Choosing the Right One
Domain Validation (DV) — Validates domain ownership only. Issued in minutes, free with Let's Encrypt. Appropriate for most websites.
Organization Validation (OV) — Validates domain and organization identity. Requires documentation. Appropriate for business websites where demonstrating organization identity matters.
Extended Validation (EV) — Maximum validation, most rigorous vetting. Historically showed a green address bar (most browsers no longer display it). Still signals a higher level of organizational verification.
Wildcard certificates (*.yourdomain.com) — Cover all subdomains under a single certificate. Convenient but risky: if the private key is compromised, all subdomains are affected.
Multi-domain (SAN) certificates — Cover multiple distinct domains in one certificate. Useful for organizations managing several properties.
SSL/TLS Expiry Checklist
- [ ] Certificate renewed and installed
- [ ] Expiry date confirmed (at least 60 days of validity remaining)
- [ ] Automated renewal configured and tested
- [ ] HSTS header enabled
- [ ] TLS 1.0/1.1 disabled, TLS 1.2/1.3 only
- [ ] OCSP stapling enabled
- [ ] External monitoring alert configured (60-day and 14-day warnings)
- [ ] Certificate inventory updated
An expired certificate is one of the most visible — and avoidable — security failures. A ten-minute automation setup eliminates the risk entirely. Do it now, before the next expiry.