# Expired Certificate
A TLS certificate issued to a host at your organization has expired. The certificate has not yet been renewed.
# Problem description
Publically available Certificate Transparency logs contain information on all TLS certificates that have been generated into use. According to those logs, a certificate assigned to a host in your organization has expired, and it has not yet been renewed. When a certificate expires, services relying on TLS on that host no longer work correctly, and those services may not be reachable by their intended users.
# Verifying the issue
You can use a public Certificate Transparency logs search engine such as crt.sh to check the status of your certificate. Replace the hostname in the query string with your hostname.
- https://crt.sh/?q=host.example.com
Note that if you are replacing a host-specific certificate with a wildcard certificate (e.g. "*.example.com"), this may be a perfectly valid reason to let the old host certificate expire.
# Suggestions for repair
- Check if the host and service with the TLS certificate is still in active use. If the server is no longer needed, decommission it.
- If the service is in active use, find out who is responsible for renewing TLS certificates for your organization.
- Ask them to renew the TLS certificate and to install the new certificate in place.
# Protecting against future incidents
- Monitor your TLS certificates actively for expiration.
- Renew your actively used certificates automatically, if possible.
- Make sure that you have named service owners who are responsible for maintaining certificates on their systems.
- Decommission legacy servers when they are no longer needed.