SSL/TLS Certificate Management

Processes, tools, and policies that provision, configure, renew, rotate, and monitor HTTPS certificates so your site encrypts traffic reliably without outages or warnings.

What it includes

  • Issuance & renewal: ACME automation (e.g., Let’s Encrypt) or managed CA (cloud/CDN).
  • Key management: Generate CSRs, protect private keys, rotate on schedule, revoke if leaked.
  • Installation & chaining: Correct certificate + intermediate(s) + root trust; SNI for multi-host.
  • Protocol/cipher policy: Enforce TLS 1.2/1.3, disable weak suites, require PFS (ECDHE).
  • Hardening: HSTS, OCSP stapling, HTTP→HTTPS redirects, secure cookies.
  • Monitoring: Expiry, chain changes, CT logs (mis-issuance), handshake latency.

Certificate types & when to use

  • DV (Domain Validation): Fast, automated; standard for most sites.
  • OV/EV: Adds org identity in the cert (rarely shown in UI). Use if compliance demands.
  • Wildcard (*.example.com): Many subdomains on one cert (does not cover apex).
  • SAN/UCC: One cert for multiple hostnames (e.g., www, api, shop).

Operational checklist

  • Automation first: Use ACME with HTTP-01/DNS-01; stage/test to avoid rate limits.
  • Keys: Prefer ECDSA P-256 (smaller/faster). Offer dual RSA-2048 only if legacy clients matter.
  • TLS versions: Enable TLS 1.3 and 1.2; disable 1.0/1.1.
  • HSTS: After enforcing HTTPS site-wide, add
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload (only when sure).
  • OCSP stapling: Enable and verify; cuts the client's revocation-check latency and keeps OCSP lookups off the client.
  • Redirects: Single 301 from http:// to https:// at the edge/load balancer.
  • DNS CAA: Limit which CAs may issue for your domains.
  • Expiry alerts: Notify at 30/14/7/3 days; fail safe with auto-renew + retry.
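The checklist above as one nginx configuration, added here as an example rather than taken from the page: the hostname example.com, the certbot file paths under /etc/letsencrypt/live/ and the resolver address are assumptions to adapt to your environment. The commented-out lines show the legacy settings each hardened directive replaces.

```nginx
# Plain-HTTP listener: one 301 to HTTPS, nothing else served here.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;   # assumed hostnames
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    # fullchain.pem = leaf + intermediate(s); a bare cert.pem here is the "missing intermediates" pitfall.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;   # assumed certbot layout
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Protocol/cipher policy: TLS 1.2 and 1.3 only, ECDHE (forward secrecy) suites for 1.2.
    # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;          # legacy: 1.0/1.1 must stay disabled
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;                  # modern clients order suites better than the server
    ssl_ecdh_curve X25519:prime256v1;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # OCSP stapling: nginx fetches the OCSP response and staples it into the handshake.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    resolver 127.0.0.53 valid=300s;                 # assumed local resolver; needed to reach the OCSP responder

    # HSTS: add only once every http:// URL already redirects correctly.
    # Add "; preload" to the value only after testing and submitting to the preload list.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/example;                          # assumed document root
}
```

After a reload, verify the stapled response and the served chain from outside the host (for example with an external TLS scanner or an OpenSSL client with status checking enabled) rather than trusting the config alone; a wrong resolver or an unreadable chain.pem makes stapling fail quietly while the site still serves.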

CDN / load balancer / origin

  • Edge certs terminate user TLS; origin certs secure CDN↔origin.
  • Keep origins on HTTPS too; set short TTLs during cutovers; roll certs per tier.

WordPress/WooCommerce specifics

  • Force canonical HTTPS: Update siteurl/home, replace http:// assets, and 301 everything to HTTPS.
  • Behind proxies/CDNs: Ensure WordPress detects HTTPS when TLS terminates at the edge. In wp-config.php, above the require of wp-settings.php:
    // Honor the proxy's forwarded protocol so is_ssl() returns true and
    // WordPress emits https:// URLs and Secure cookies.
    // Only do this when the proxy/CDN overwrites X-Forwarded-Proto itself;
    // a client-supplied value must never reach the origin.
    if (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
        $_SERVER['HTTPS'] = 'on';
    }
  • Cookies: Ensure Secure flag is set (WordPress does this when is_ssl() is true).
  • Mixed content: Fix hardcoded http:// URLs; consider upgrade-insecure-requests CSP during transition.
  • Payments/APIs: Many providers require TLS 1.2+; confirm after changes.

Common pitfalls

  • Missing intermediates (chain incomplete).
  • Hostname mismatch/SAN missing apex or www.
  • Renewals failing silently (permissions/ACME challenge).
  • HSTS enabled before redirects are correct (locks in breakage).
  • Not rotating keys after suspected exposure.
  • TLS offloaded at CDN but origin left on HTTP.
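The first two pitfalls above, the wildcard-does-not-cover-apex point from the certificate-types section, and the 30/14/7/3-day expiry tiers from the checklist, reproduced with Go's standard crypto/x509 verifier. This is an added example, not code from the page: it constructs a throwaway root, intermediate and wildcard leaf for the hypothetical *.example.com in memory, then shows what a browser-style verifier reports for the apex hostname and for a server that omits its intermediate, and which alert tier a given days-to-expiry value falls into.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate // constructed hierarchy, example only
}

// issue generates a P-256 key for tmpl and signs it with parentKey; nil parent yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain constructs root CA -> intermediate CA -> wildcard leaf (hypothetical *.example.com) expiring in leafDays.
func BuildChain(leafDays int) (*Chain, error) {
	now := time.Now()
	caTemplate := func(cn string, serial int64) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.AddDate(5, 0, 0),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	root, rootKey, err := issue(caTemplate("Example Root (constructed)", 1), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(caTemplate("Example Intermediate (constructed)", 2), root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		DNSNames:     []string{"*.example.com"}, // wildcard only; the apex SAN is deliberately absent
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(0, 0, leafDays),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// VerifyHost validates the leaf for host against the trusted root; sendIntermediate=false models a server that omits it.
func VerifyHost(c *Chain, host string, sendIntermediate bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(c.Root)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool(), DNSName: host}
	if sendIntermediate {
		opts.Intermediates.AddCert(c.Intermediate)
	}
	_, err := c.Leaf.Verify(opts)
	return err
}

// ExpiryAlert returns the 30/14/7/3-day tier due for cert at time now, or 0 when none is due.
func ExpiryAlert(cert *x509.Certificate, now time.Time) int {
	days := int(cert.NotAfter.Sub(now).Hours() / 24)
	for _, tier := range []int{3, 7, 14, 30} {
		if days <= tier {
			return tier
		}
	}
	return 0
}
func main() {
	c, err := BuildChain(10)
	if err != nil {
		panic(err)
	}
	fmt.Println("apex via wildcard:", VerifyHost(c, "example.com", true))
	fmt.Println("www, no intermediate:", VerifyHost(c, "www.example.com", false))
	fmt.Println("alert tier:", ExpiryAlert(c.Leaf, time.Now()))
}
```

The two failing calls return Go's HostnameError and UnknownAuthorityError respectively, which is exactly what a browser surfaces as a name-mismatch or untrusted-issuer warning; pointing VerifyHost at a real leaf fetched from your edge (instead of the constructed one) turns this into a monitoring probe for the chain and SAN pitfalls, and ExpiryAlert is the tier logic the checklist's alerting should implement.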

Useful KPIs

  • Days to expiry (per cert), auto-renew success rate.
  • % traffic on TLS 1.3, handshake/TTFB deltas pre/post change.
  • Incidents due to cert errors (target: zero).