SSL Certificate Audit Guide: Expiry, SAN, Protocols, and Redirects
Keep browsers and users happy by reviewing these items every month.
Basics
- Check expiry and renew with 30 days of buffer
- Verify SAN covers apex, www, and any public subdomains
- Confirm the issuer matches policy
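The three Basics checks can be scripted. The following is an added example, not part of the original guide: it audits a certificate in the dict format returned by Python's ssl getpeercert(), and the function names, the sample certificate, and the "Example CA" policy value are assumptions made for illustration. Note that a wildcard SAN such as *.example.com covers www but not the apex.

```python
import socket
import ssl
import time

def fetch_cert(host, port=443, timeout=5):
    """Connect with default validation and return the getpeercert() dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def san_covers(name, sans):
    """True if name matches a DNS SAN; '*' matches exactly one leftmost label."""
    name = name.lower()
    for san in (s.lower() for s in sans):
        if san == name:
            return True
        if san.startswith("*.") and "." in name and name.split(".", 1)[1] == san[2:]:
            return True
    return False

def audit_cert(cert, required_names, allowed_issuer_orgs, now=None, buffer_days=30):
    """Check expiry buffer, SAN coverage and issuer policy; return findings."""
    now = time.time() if now is None else now
    findings = []
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        findings.append("expired")
    elif days_left < buffer_days:
        findings.append(f"renew: {int(days_left)} days left")
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for name in required_names:
        if not san_covers(name, sans):
            findings.append(f"SAN missing: {name}")
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    if issuer.get("organizationName") not in allowed_issuer_orgs:
        findings.append(f"issuer not in policy: {issuer.get('organizationName')}")
    return findings

# Constructed sample in getpeercert() format (not a real certificate).
SAMPLE = {
    "notAfter": "Jun 20 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "api.example.com")),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),)),
}

if __name__ == "__main__":
    now = ssl.cert_time_to_seconds("Jun 10 12:00:00 2025 GMT")
    print(audit_cert(SAMPLE, ["example.com", "www.example.com"], {"Example CA"}, now))
```

For a live check, pass the result of fetch_cert("your.host") to audit_cert in place of SAMPLE; an empty list means all three checks passed.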
HTTPS behavior
- Redirect http to https for apex and www
- Test deep links for consistent redirects
- Set HSTS with includeSubDomains when stable
Protocol and cipher strength
- Support TLS 1.2 or higher and remove legacy protocols
- Prefer modern ciphers with forward secrecy
- Disable weak suites that downgrade security
OCSP and chain health
- Enable OCSP stapling
- Serve a full and correct chain
- Watch for intermediate rotations
Monitoring
- Alert on expiry, redirect failures, and TLS errors
- Retest after CDN or load balancer changes