Maintaining your SSL Certificate
December 26, 2004
From the “do as I say, not as I do” department…
One certain kiss of death for an e-commerce site is to have a broken or expired SSL Certificate.
If your certificate is allowed to expire, or if for some reason it does not match the name of your domain (perhaps you’ve changed domain names), or if it is installed incorrectly, the user’s browser will put up a large dialog warning that the site may be insecure, that they should use caution, etc.
As you can imagine, warnings that a site “may be insecure” go along with asking for sensitive information about as well as seeing a group of people in ski masks with handguns goes along with wanting to make a bank deposit.
While I was setting up the shopping cart for next week’s free teleclass*, I had used a temporary SSL certificate to test with, and I thought that I had correctly installed the permanent one when I was done. Unfortunately, at some point in time I told my web browser to ignore the warning that the certificate was wrong “until the end of the session”, and I never restarted my browser to check it, and I had left it wrong. As a result, looking at the logs, a lot of people went to the shopping cart, saw the “insecure” warning, and never logged in so that they could sign up for the free class. Duh, me.
(* Why do I use a shopping cart for a free teleclass? Because a limited number of people can be on the teleconference bridge at the same time; this way, I set the “stock level” to the number of seats, and the price to free, and it will quit taking signups when the bridge is full. So be sure to sign up early!)
While most site owners probably won’t be messing with a temporary certificate, certificates DO expire (typically annually), and other things can happen — your web host might be having a bad day, for example.
As part of your routine site maintenance (you do routinely check your site to make sure everything is operating correctly, don’t you?), it’s good practice to quit and restart your browser (or to be certain, just reboot your machine) beforehand, and be sure that the secure portions of your site are operating without errors.
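A scripted version of that routine check, as an added example that is not part of the original post: a fresh client has no remembered "ignore this warning" exception, so it sees what a first-time visitor sees. The hostname passed on the command line and the 30-day warning threshold are assumptions.

```python
import socket
import ssl
import sys
import time

def name_matches(cert, host):
    """True if host matches a DNS subjectAltName (left-most '*' label allowed)."""
    host = host.lower()
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower()
        if pattern == host:
            return True
        if pattern.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == pattern[2:]:
                return True
    return False

def cert_problems(cert, host, now=None, warn_days=30):
    """Return a list of problems for a dict shaped like SSLSocket.getpeercert()."""
    now = time.time() if now is None else now
    problems = []
    if not name_matches(cert, host):
        problems.append("name mismatch")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    if days_left < 0:
        problems.append("expired")
    elif days_left < warn_days:  # warn_days is an assumed threshold
        problems.append(f"expires in {days_left} days")
    return problems

def check_site(host, port=443):
    """Strict handshake from a fresh client; it has no remembered exceptions."""
    ctx = ssl.create_default_context()  # verifies chain, dates and hostname
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return cert_problems(tls.getpeercert(), host)
    except ssl.SSLCertVerificationError as exc:
        return [f"handshake rejected: {exc.verify_message}"]

if __name__ == "__main__":
    host = sys.argv[1]  # hostname of the site to check, supplied by you
    print(host, check_site(host) or "OK")
```

Run it on a schedule against the secure hostname of your own site; an empty result means the handshake passed and the certificate has more than 30 days left.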