WarDek is a complete compliance suite that combines an OWASP vulnerability scanner with NIS2, AI Act and GDPR compliance modules, specially designed for European SMEs.

Is my company subject to NIS2?

The NIS2 directive applies to essential and important entities in sectors such as energy, healthcare, transport, digital, etc. Use our free simulator to check.

How should I use WarDek reports in an audit?

WarDek reports provide a practical working base for your team, auditor, or compliance preparation. They are not an official certification or legal opinion.

How long does a scan take?

A complete OWASP scan typically takes between 2 and 5 minutes depending on the complexity of your website.

Absolutely. We never store your credentials. Reports are encrypted and you can delete them at any time. We are hosted in France.

Can I try before I buy?

Yes! The Free plan lets you test WarDek with 3 scans per month, no credit card required.

How far in advance should certificate expiry alerts trigger?

For SMEs, 30 days is a sensible minimum for primary alerts, with an additional closer alert if unresolved. The key is leaving enough time for human escalation if automation fails.

Is Let’s Encrypt enough for production businesses?

Usually yes. The operational quality of renewal, chain management, and verification matters more than the marketing prestige of the certificate issuer for most web applications.

Do CDNs eliminate certificate expiry risk?

No. They reduce operational burden, but you still need hostname inventory, renewal visibility, and validation that the CDN and origin configurations remain aligned.

What should I check after a renewal?

Check live expiry dates, chain validity, HTTP to HTTPS redirects, browser trust, key authenticated journeys, and any API or callback endpoints that rely on HTTPS.

TLS Certificate Expiry Guide — Monitoring and Renewal Runbook

Why certificate expiry is a board-level risk

TLS certificates are easy to ignore because they often work silently for months. When they fail, however, the result is immediate loss of trust: browser warnings, broken APIs, failed logins, interrupted checkout flows, and support tickets from users who think the site has been compromised.

For SMEs, certificate expiry is usually not a cryptography problem. It is an ownership problem. Nobody knows which domains exist, who manages DNS, which team owns the CDN or load balancer, whether renewal is automated, or how to verify a successful rollout after issuance.

That is why the right mindset is operational rather than purely technical. Certificate health belongs in your recurring website reliability checks, alongside redirects, headers, cookies, exposed assets, and uptime. A valid certificate is not enough if the wrong chain is served, a stale edge cache remains active, or a forgotten subdomain still presents an old cert.

Monitoring baseline every team should have

Start with a complete inventory of public hostnames: root domain, www, product subdomains, customer portals, APIs, status pages, and any legacy endpoints still reachable from old documentation or user bookmarks. Certificates drift because teams only monitor the main domain while edge surfaces are forgotten.

Your baseline should include expiry horizon checks, issuer visibility, SAN coverage, redirect validation, and chain correctness. If you use managed infrastructure, verify which layer actually terminates TLS: CDN, reverse proxy, ingress, application server, or a mix. Ownership is impossible if the architecture is unclear.

Alert before expiry with enough margin for human intervention, not only when seven days remain.
Track every production hostname, not only the marketing domain.
Verify redirects from HTTP to HTTPS after each renewal or infrastructure change.
Confirm the full certificate chain is served correctly across environments and regions.
Document who owns renewal, DNS changes, CDN rollout, and post-renewal validation.

A practical renewal runbook

A good renewal runbook is short, boring, and easy to execute under pressure. It identifies the certificate source, the automation mechanism, the fallback manual path, the validation endpoints, and the rollback or escalation steps if issuance fails.

If you use automatic renewal, test the full path before you need it. Teams often assume automation works because it worked once months ago, only to discover that DNS permissions changed, ACME challenges are blocked by a firewall, or a load balancer still serves the previous bundle.

After renewal, validate from outside your network. Check the live certificate dates, issuer, and chain from the public internet, not only from an internal dashboard. If you use a CDN, verify edge propagation as well. Many incidents are caused by partially renewed infrastructure where one region or one proxy stayed stale.

What to verify after a renewal

Post-renewal validation should confirm user experience, not just technical issuance. Browse the main site, authenticated surfaces, and API endpoints. Confirm there are no trust warnings, mixed content regressions, or broken callbacks to third-party services that pin certificate expectations too aggressively.

This is also the right moment to inspect adjacent controls. A certificate renewal window is often when teams notice missing HSTS, weak ciphers, inconsistent redirects, or stale domain inventory. If you already run regular WarDek scans, the renewal event becomes one checkpoint inside a wider reliability process instead of an isolated panic.

The strongest pattern is to link certificate monitoring to scheduled security scans and ownership reviews. When the domain inventory changes, the TLS inventory must change too. When a subdomain is deprecated, its certificate and monitoring should be decommissioned deliberately rather than left behind.

Failure patterns to eliminate

The classic failure is a forgotten subdomain that nobody owns until users hit it. The second is over-reliance on one engineer or one vendor portal. The third is assuming that certificate automation equals full HTTPS hygiene, which is false if redirects, headers, or edge configurations are inconsistent.

Avoid storing certificate operations as tribal knowledge. Keep a shared runbook, ownership map, and validation checklist. If a production domain exists, someone should know why it exists, how it renews, and how the team confirms success.