Hacker News

nik282000 today at 5:48 PM (4 replies)

TD bank, in Canada, has had their cert expire several times in the past 10 years.

It blows me away that a bank can't afford to do for themselves what Certbot and Let's Encrypt do for me, for free.

Like, pay a guy a whole week to automate this and it will save you the 12 hours of losses every time your cert expires.


Replies

Kwpolska today at 6:17 PM

Turns out “bank-grade security” is not something to strive towards. In the case of TLS certificates, most banks still believe they need EV certs, even though browsers stopped making any visual distinctions for EV certificates around 2018-2019.

fzeindl today at 6:14 PM

Certificate/key renewal was a mess in every enterprise environment I worked in.

My suspicion is that corporations in general don't handle tasks well that need to follow an exact timeline and can't be postponed by a week or two.

ocdtrekkie today at 5:56 PM

Anyone who thinks this is that trivial has never worked in enterprise IT.

Automated certificate renewal is maybe supported by 10% of services I operate where I work. And we're pretty modern. An organization with more legacy platforms is likely at "nothing supports automated renewal".

We are a decade or two out from 47 day expiry being a sane concept.

hoherd today at 5:55 PM

Certificate expiration notifications are a checkbox in uptime-kuma, which is itself incredibly easy to install and configure. We're not talking a week, we're talking a matter of minutes to go from zero to receiving notifications 21 days in advance of certificate or domain expiration.
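As an added example, not taken from the thread or from uptime-kuma: a stdlib-only Python check that reports how many days remain on the certificate a host presents and flags it inside the 21-day window mentioned above. It also handles the edge case that a verifying TLS handshake rejects an already-expired certificate before any expiry date can be read. Hostnames and dates in it are constructed.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional, Tuple

# Lead time mirrors the 21-day notice mentioned in the comment above.
WARN_DAYS = 21


def days_until_expiry(not_after: str, now: datetime) -> int:
    """Whole days until a certificate's notAfter, negative once it has expired.

    `not_after` is the string ssl.getpeercert() returns for that field,
    e.g. 'Jun  1 12:00:00 2025 GMT', which ssl.cert_time_to_seconds parses.
    """
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days


def renewal_status(not_after: str, now: datetime) -> str:
    """Classify a certificate as 'ok', 'warn' (inside the lead time) or 'expired'."""
    days = days_until_expiry(not_after, now)
    if days < 0:
        return "expired"
    if days < WARN_DAYS:
        return "warn"
    return "ok"


def check_host(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[str, Optional[int]]:
    """Fetch the leaf certificate a live endpoint presents and classify it.

    A default (verifying) context refuses an already-expired or otherwise
    untrusted certificate during the handshake, so that case never yields a
    notAfter string; it is reported as 'invalid: <reason>' with no day count.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as err:
        return f"invalid: {err.verify_message}", None
    now = datetime.now(timezone.utc)
    return renewal_status(cert["notAfter"], now), days_until_expiry(cert["notAfter"], now)


if __name__ == "__main__":
    # Constructed sample: the date format below is what getpeercert() returns.
    print(renewal_status("Jun  1 12:00:00 2025 GMT", datetime.now(timezone.utc)))
```

Run `check_host("example.org")` (a placeholder hostname) from a cron job or monitoring agent and alert on anything other than `"ok"`.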