Zum Inhalt springen
Proactive security updates
Wartung

SSL Certificate Management: Renewal and Best Practices

Manage SSL certificates professionally: automated renewal with Let's Encrypt, certificate monitoring, HSTS, TLS configuration and mixed content.

15 min read SSLTLSHSTSZertifikateVerschlüsselung

An expired SSL certificate means an immediate total outage for an online shop -- modern browsers block the connection with a warning page virtually no visitor bypasses. Yet certificate expiration outages are among the most common preventable causes of downtime. 85 percent (project experience) of surveyed organizations experienced at least one outage from an expired certificate in the past two years (Ponemon Institute, 2025). With automatic renewal, proactive monitoring and correct TLS configuration, these outages can be completely prevented.

SSL Certificates: Management and Best PracticesCertificate Lifecycle: Issuance - Monitoring - RenewalIssue CertificateLet s Encrypt: AutomatedWildcard: *.domain.comSAN: Multi-DomainTLS ConfigurationTLS 1.2 + 1.3 (minimum)Strong cipher suitesOCSP stapling activeMonitoring + RenewalExpiry warning: 30 daysAuto-renew with CertbotChain validationHSTS ConfigurationStrict-Transport-Security: max-age=31536000includeSubDomainspreloadMixed Content CheckHTTPSImagesScriptsFontsAll resources loaded via HTTPSA+ SSL RatingSSL Labs: Best possible gradeCAA RecordsDNS: Only authorized CAsCT LogsCertificate transparency checkResult: A+ SSL Rating | 0 Mixed Content | Automatic Renewal | 30-Day Warning

Let's Encrypt: Free Automated Certificates

Let's Encrypt revolutionized the SSL landscape: free, automated and trusted certificates accepted by all common browsers and operating systems. Over 350 million (project experience) active certificates (Let's Encrypt, 2026) make it the world's largest certificate authority. For most online shops, Let's Encrypt certificates are the right choice -- they offer the same encryption strength as paid certificates.

Automation via Certbot or alternative ACME clients ensures certificates are automatically renewed before expiration. A Let's Encrypt certificate is valid for 90 days -- deliberately shorter than commercial certificates to enforce more frequent rotation and thus higher security. Certbot renews by default 30 days before expiry -- enough buffer for multiple renewal attempts should the first fail.

For shops with multiple subdomains, wildcard certificates (*.example.com) cover all subdomains with a single certificate. Validation occurs via DNS TXT records instead of HTTP -- requiring a one-time API integration with the DNS provider. For multi-domain setups, SAN certificates (Subject Alternative Name) bundle multiple different domain names in one certificate. Both variants can be automated with Let's Encrypt management.

Automatic Renewal

Certbot renews certificates 30 days before expiry. Cron jobs check twice daily and restart the web server when needed.

TLS 1.3 Configuration

Current TLS version with strong cipher suites. TLS 1.0 and 1.1 disabled as they are considered insecure.

HSTS and Preloading

HTTP Strict Transport Security enforces HTTPS connections. HSTS preloading protects from the very first visit.

Mixed Content Check

Systematic scan of all pages for HTTP resources. Images, scripts and fonts must load entirely over HTTPS.

Certificate Monitoring

Daily validity check, certificate chain and TLS configuration verification with 30-day early warning.

CAA Records

DNS-based authorization restricts which certificate authorities may issue certificates for your domain.

Certificate Types: DV, OV, EV and Wildcard Compared

Choosing the right certificate type depends on the online shop's requirements. Domain-Validated certificates (DV) only confirm domain ownership and are issued in seconds -- they are sufficient for most shops and provide the same encryption strength as more expensive options. Organization-Validated certificates (OV) additionally verify company identity, which represents a higher trust signal but makes no visible difference in modern browsers.

Extended Validation certificates (EV) undergo the most comprehensive verification but have shown no visual difference since the removal of the green address bar in Chrome and Firefox (2019). For multi-domain setups, SAN certificates (Subject Alternative Name) are the most economical solution, bundling up to 100 different domain names in a single certificate. In a typical e-commerce setup with main domain, API subdomain and staging environment, a SAN certificate significantly reduces administrative overhead.

TLS Configuration: More Than Just the Certificate

A valid certificate is only half of SSL security. The web server's TLS configuration determines which protocol versions and encryption algorithms are used. Outdated protocols like TLS 1.0 and 1.1 contain known vulnerabilities and are no longer supported by current browsers. The recommended configuration for 2026: TLS 1.2 as minimum, TLS 1.3 as standard.

TLS 1.3 offers significant advantages: shorter handshake (1 round-trip instead of 2), stronger encryption through removal of insecure algorithms and mandatory forward secrecy. The cipher suite configuration should only allow AEAD ciphers (Authenticated Encryption with Associated Data) like AES-256-GCM and ChaCha20-Poly1305. Weak ciphers like RC4, 3DES and CBC-mode ciphers should be completely disabled.

OCSP stapling improves TLS connection performance: instead of the browser separately querying the certificate's revocation status from the CA, the server delivers the OCSP response together with the certificate. This saves an additional network round-trip and accelerates connection establishment by 50 to 100 milliseconds. Correct TLS configuration is an important part of professional server maintenance.

HSTS: Enforcing HTTPS Connections

The HTTP Strict Transport Security (HSTS) header instructs the browser to exclusively establish HTTPS connections to the website -- even when the user types http:// in the address bar. Without HSTS, the initial connection over HTTP is vulnerable to man-in-the-middle attacks that can redirect the visitor to a forged HTTP version of the website (SSL stripping).

The recommended HSTS configuration is: max-age=31536000 (1 year), includeSubDomains (also protects all subdomains) and optionally preload (website is included in browser preload lists). Preloading offers the strongest protection since HSTS is effective from the very first visit -- without the browser needing to have previously received an HSTS header. Inclusion in the preload list requires meeting all criteria on hstspreload.org.

Caution is advised for initial HSTS activation: an incorrectly configured HSTS header can make the website unreachable during SSL problems -- the browser refuses any HTTP connection. We therefore recommend a gradual rollout: start with a short max-age (e.g., 300 seconds), then incrementally increase to the target value after verification.

SSL Labs Test: Achieving and Maintaining A+ Rating

The SSL Labs Server Test (Qualys) is the industry standard for evaluating TLS configuration. It checks the certificate chain, supported protocols and cipher suites, HSTS configuration and known vulnerabilities like BEAST, POODLE and Heartbleed. The result is a grade from A+ to F. For an online shop, the target should be A+ -- achievable through TLS 1.2/1.3 with strong ciphers, HSTS with preloading, OCSP stapling and a cleanly configured certificate chain.

We recommend running the SSL Labs test monthly and documenting results. Server updates, configuration changes or expiring intermediate certificates can silently degrade the rating. Integration into the monitoring system automates this check and warns of deviations from the target rating.

Security Headers: CSP, Permissions Policy and More

Beyond TLS configuration, HTTP security headers play a decisive role in overall security. The Content Security Policy (CSP) header defines which resources may be loaded from which sources -- an effective protection against cross-site scripting (XSS). The Permissions-Policy header controls access to browser APIs such as camera, microphone and geolocation. Together with X-Content-Type-Options: nosniff, X-Frame-Options: DENY and the Referrer-Policy header, these settings form a multi-layered security architecture.

According to an HTTP Archive analysis, only 22 percent (project experience) of e-commerce websites deploy a complete set of security headers (HTTP Archive, 2025). A missing CSP allows attackers to inject malicious JavaScript through compromised third-party scripts -- even when the TLS connection is perfectly encrypted. Professional maintenance configures all relevant security headers and regularly tests them for correct functionality.

Detecting and Fixing Mixed Content

Mixed content occurs when an HTTPS page loads resources over HTTP -- images, stylesheets, JavaScript or fonts. Modern browsers completely block active mixed content (JavaScript, iframes) and warn about passive mixed content (images). In both cases, user experience and security suffer: an HTTP-loaded script can be manipulated by an attacker, even when the main page is delivered over HTTPS.

The most common mixed content sources in online shops are: product images stored with absolute HTTP paths in the database, embedded content from third parties (videos, maps, widgets), hardcoded URLs in theme files and external tracking pixels still included via HTTP. A systematic scan of all pages identifies all mixed content sources.

Remediation occurs at multiple levels: database update of all HTTP URLs to HTTPS, theme adjustments for hardcoded paths, CSP header with upgrade-insecure-requests as fallback (browser automatically converts HTTP requests to HTTPS) and verification of all third-party integrations. Professional maintenance ensures no new mixed content arises even after updates and content changes.

Beyond obvious mixed content, there are subtle variants harder to detect: font files loaded via HTTP, tracking pixels with HTTP URLs in email templates, favicon references without protocol specification and hardcoded HTTP URLs in CMS database entries. A systematic database search for the string "http://" in the content area reveals these hidden references. After correction, a consistent Content Security Policy with the "upgrade-insecure-requests" directive prevents new HTTP references from going unnoticed -- the browser automatically converts all HTTP requests to HTTPS.

Certificate Monitoring: Preventing Expiration

Even with automatic renewal, certificate renewal can fail -- DNS changes, server migration, firewall rules or certificate authority rate limits can block the process. Certificate monitoring is the safety layer that catches these failures before the certificate expires and the shop goes down.

Professional certificate monitoring checks daily: remaining validity (warning at less than 30 days), the certificate chain (missing intermediate certificates cause errors on certain devices), TLS configuration (no insecure protocols or ciphers) and OCSP status (detecting revoked certificates). Integration into the monitoring system ensures warnings are addressed promptly.

For online shops with multiple domains and subdomains, we recommend a centralized certificate inventory: an overview of all active certificates with domain, issuance date, expiry date and renewal method. This inventory helps maintain oversight and ensures no domain is forgotten. Expired certificates on subdomains -- such as the staging system or API -- can cause surprising problems that cost significant time during troubleshooting.

Professional SSL certificate management goes far beyond the certificate itself. It encompasses TLS configuration, HSTS, mixed content checking and continuous monitoring. For an online shop whose entire business depends on HTTPS accessibility, this comprehensive SSL management is not a technical detail but business-critical infrastructure. Investment in professional certificate management not only prevents outages but also optimizes performance and security of the TLS connection -- with measurable benefits for load time and search engine ranking.

OCSP Stapling: Accelerating Certificate Validation

During every TLS handshake, the browser checks whether the certificate has been revoked. Without OCSP stapling, the browser sends a separate request to the certificate authority's OCSP responder -- costing 30 to 100 milliseconds (project experience) per connection setup and creating a privacy concern because the CA learns which websites the user visits. With OCSP stapling, the server attaches the current OCSP response to the TLS handshake. The browser receives the validity confirmation directly from the server without an additional round trip.

Configuring OCSP stapling is straightforward in modern web servers and should be standard in every SSL management setup. Two directives are activated in the server configuration: the OCSP stapling function itself and OCSP verification of the stapled response. Additionally, the server must know the complete certificate chain to correctly sign the OCSP request. A regular test via SSL Labs confirms that OCSP stapling is active -- the report shows the status under "OCSP Stapling: Yes".

CAA Records and Certificate Transparency

CAA records (Certification Authority Authorization) are DNS entries that specify which certificate authorities may issue certificates for a domain. Without CAA records, any of the over 200 publicly trusted certificate authorities worldwide can issue a valid certificate for your domain -- an attack surface that can be significantly reduced with a simple DNS entry. For shops using Let's Encrypt, the entry reads: 0 issue "letsencrypt.org".

Certificate Transparency (CT) is a public logging system that documents the issuance of every SSL certificate. By monitoring CT logs, shop operators can detect whether unauthorized certificates have been issued for their domain -- a possible sign of a man-in-the-middle attack. Professional monitoring solutions integrate CT log monitoring and immediately notify of suspicious certificate issuances.

  • Set up Let's Encrypt or commercial certificate with automatic renewal
  • Configure TLS 1.2 as minimum, TLS 1.3 as standard
  • Activate HSTS header with max-age=31536000 and includeSubDomains
  • Check and fix all pages for mixed content
  • Set CAA records in DNS to restrict authorized certificate authorities
  • Configure security headers (CSP, Permissions-Policy, X-Frame-Options)
  • Perform monthly SSL Labs test and ensure A+ rating
  • Set up certificate monitoring with 30-day early warning

Sources and Studies

This article is based on data from: Ponemon Institute Certificate Management Report (2025), Let's Encrypt Statistics (2026), Mozilla SSL/TLS Configuration Guide. Figures cited may vary depending on infrastructure and hosting environment.