DNS-005 recommended Domain Management
SSL certificate lifecycle managed
SSL/TLS certificates for all domains are auto-renewed (Cloudflare, Let's Encrypt, cert-manager) or have expiry monitoring with alerts at least 30 days before expiry. Manually managed certificates are inventoried with a renewal owner.
Question to ask
"Any certs expiring in the next 30 days that nobody's watching?"
What to check
- ☐ Check certificate expiry for all domains in inventory
- ☐ Verify auto-renewal is configured (Cloudflare, Let's Encrypt, cert-manager)
- ☐ Identify any manually managed certificates
- ☐ Verify monitoring/alerting for expiry
Verification guide
Severity: Recommended
Expired TLS certificates cause browser warnings and hard outages for anything that validates the chain: API clients, mobile apps, mTLS between services, and monitoring probes. Auto-renewal should be the default, but it can fail silently (ACME rate limits, a broken DNS or HTTP challenge, a revoked API token), so expiry monitoring is still needed even where renewal is automated. Manual certs need both monitoring and a named owner. Note that the checks below only see the certificate served on port 443 for the given SNI name: behind Cloudflare that is the edge certificate, not the origin's, and certificates on other ports or protocols (SMTP, LDAP, VPN, internal services) must be checked separately.
Check automatically:
- Check certificate expiry for each domain:
# Check cert expiry (works for any HTTPS domain); -servername sends SNI so the right cert is returned,
# and -issuer shows who issued it, which usually reveals the renewal path (Let's Encrypt, Cloudflare, internal CA)
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates -issuer
- Bulk check across inventory:
# For each domain in inventory: print the expiry and flag anything expiring within 30 days
for domain in example.com app.example.com api.example.com; do
  cert=$(echo | openssl s_client -servername "$domain" -connect "$domain":443 2>/dev/null | openssl x509 2>/dev/null)
  if [ -z "$cert" ]; then echo "$domain: no certificate retrieved (not listening on 443, or handshake failed)"; continue; fi
  expiry=$(printf '%s\n' "$cert" | openssl x509 -noout -enddate)
  # -checkend N exits non-zero if the cert expires within N seconds (2592000 = 30 days)
  if printf '%s\n' "$cert" | openssl x509 -noout -checkend 2592000 >/dev/null; then status=OK; else status="EXPIRING/EXPIRED"; fi
  echo "$domain: $expiry ($status)"
done
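The same bulk check as a small script, added here as a worked example rather than tooling from the checklist. It connects to each host on port 443 with SNI, reads the served leaf certificate's notAfter, and classifies it against the 30-day threshold; chain verification uses the system trust store, so an already-expired or untrusted chain is reported as VERIFY_FAILED instead of a date. The hostnames are placeholders, and the network fetch is injectable so the classification logic can be exercised offline; the constant 1893456000 in the comments is 2030-01-01 00:00:00 UTC, used only to illustrate the arithmetic.

```python
#!/usr/bin/env python3
"""Bulk TLS expiry check for a domain inventory (added example, not part of the checklist)."""
import socket
import ssl
import sys
import time

WARN_DAYS = 30            # alert threshold from the checklist
SECONDS_PER_DAY = 86400


def fetch_not_after(host, port=443, timeout=5.0):
    """Return the notAfter string of the leaf cert served for `host` (SNI = host).

    create_default_context() verifies the chain and hostname against the system
    trust store, so getpeercert() is populated; a bad chain raises instead.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def days_left(not_after, now=None):
    """Whole days until `not_after` (openssl form, e.g. 'Jan 11 00:00:00 2030 GMT').

    Negative when already expired. `now` is epoch seconds (defaults to the clock).
    Example: with now = 1893456000 (2030-01-01) and notAfter 2030-01-11 -> 10.
    """
    expiry = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return int((expiry - now) // SECONDS_PER_DAY)


def classify(days, warn_days=WARN_DAYS):
    """Map days remaining to the checklist's vocabulary: EXPIRED / EXPIRING / OK."""
    if days < 0:
        return "EXPIRED"
    if days <= warn_days:
        return "EXPIRING"
    return "OK"


def check_domain(host, port=443, now=None, fetch=fetch_not_after):
    """Check one host; `fetch` is injectable so the logic can run without network."""
    try:
        not_after = fetch(host, port)
    except ssl.SSLCertVerificationError as exc:   # expired, untrusted or wrong-name chain
        return {"host": host, "status": "VERIFY_FAILED", "detail": str(exc)}
    except OSError as exc:                        # DNS failure, timeout, refused, TLS error
        return {"host": host, "status": "UNREACHABLE", "detail": str(exc)}
    remaining = days_left(not_after, now)
    return {"host": host, "status": classify(remaining),
            "days_left": remaining, "not_after": not_after}


def check_inventory(hosts, **kwargs):
    return [check_domain(h, **kwargs) for h in hosts]


def exit_code(results):
    """0 only if every host is OK, so a cron/CI job fails on anything needing attention."""
    return 0 if all(r["status"] == "OK" for r in results) else 1


if __name__ == "__main__":
    # Placeholder inventory (assumed names); pass real hosts as arguments.
    inventory = sys.argv[1:] or ["example.com", "app.example.com", "api.example.com"]
    results = check_inventory(inventory)
    for r in results:
        extra = r.get("detail") or f"{r['days_left']}d left, notAfter={r['not_after']}"
        print(f"{r['host']}: {r['status']} ({extra})")
    sys.exit(exit_code(results))
```

Run it as `python3 check_expiry.py example.com app.example.com` from a cron job or CI stage; a non-zero exit on EXPIRING, EXPIRED, VERIFY_FAILED or UNREACHABLE is the alert, and the printed notAfter per host is the evidence to capture. UNREACHABLE is deliberately not treated as OK, because a host that has dropped off 443 is exactly the kind of certificate nobody is watching.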
Ask user:
- "How are SSL certificates managed?" (Cloudflare auto, Let's Encrypt, cert-manager, manual)
- "Are there any manually managed certificates?"
- "Do you have alerts for certificate expiry?"
Pass criteria:
- Auto-renewal configured for all domains where possible (Cloudflare, Let's Encrypt, cert-manager), with expiry alerting in place to catch silent renewal failures
- No certificates expiring within 30 days without a renewal plan
- Any manually managed certificates inventoried with expiry monitoring and a named renewal owner
Fail criteria:
- Certificates expiring within 30 days with no auto-renewal
- Manual certificates with no monitoring or owner
- No one knows how certs are renewed
Evidence to capture:
- Certificate expiry dates per domain
- Renewal method (auto vs manual)
- Any certificates expiring soon