The impact of an expired SSL certificate on production traffic can be drastic. You will receive the warning message and HTTP strict transport security (HSTS) will not be allowed to access the site. The Avi Load Balancer provides some mechanisms to alert administrators of upcoming certificate expiration.

Certificates Page

Navigate to Templates > Security > SSL/TLS Certificates. The status page shows a color-coded status for each certificate. As a certificate nears expiration, its status color changes.



  • 30 days until expiration - Status changes from green to yellow.

  • 7 days until expiration - Status changes from yellow to orange.

  • At expiration - Status changes from orange to red.

Health Score

As its SSL certificate nears expiration, the health score of a virtual service automatically gets lowered, indicating increased risk to the application availability until the certificate issue is resolved. This information can be viewed on the Security page virtual service in the SSL section.

  • 30 days until expiration: the virtual service will incur a security penalty of 20 points, which caps the total health score at a maximum of 80 points.

  • 7 days until expiration: the virtual service will incur a security penalty of 60 points, which caps the total health score at a maximum of 40 points.

  • At expiration: the virtual service will incur a security penalty of 100 points, which sets the total health score to 0.

Alerts

System events for soon-to-expire certificates are generated 30 days, 7 days, and 1 day prior to expiration.



The Avi Load Balancer includes a pre-defined alert called SSL-Cert-Expire that can proactively notify administrators when SSL events are generated. Navigate to Operations > Alerts > Alert Config to see this alert and modify its defined Alert Action.