Certificate Management
TLS certificates prove a server's identity and carry the public key clients use to establish an encrypted connection. Managing them means knowing when each one expires well before it happens, automating renewal, and distributing internal CA certificates to clients. The biggest operational risk is expiry: a certificate that lapses silently takes down HTTPS services. Modern certificate management focuses on automating renewal so expiry never becomes an incident.
TLS certificate concepts
Certificate chain:
Root CA (self-signed; trusted by browser/OS trust stores, kept offline and not used to sign server certificates directly)
|
v
Intermediate CA (signs end-entity certificates)
|
v
End-entity certificate (your-domain.com)
Contains: public key, validity period, SANs (Subject Alternative Names)
Signed by: Intermediate CA private key
Let's Encrypt: free, automated, 90-day validity
Internal CA (OpenSSL): for internal services (*.internal domains)
Let's Encrypt with Certbot
sudo apt update
sudo apt install -y certbot python3-certbot-nginx # or python3-certbot-apache
# Obtain certificate (nginx plugin auto-configures nginx):
sudo certbot --nginx -d example.com -d www.example.com
# Standalone mode (no web server needed):
sudo certbot certonly --standalone -d example.com
# Wildcard certificate (requires DNS challenge):
sudo certbot certonly --manual --preferred-challenges dns -d "*.example.com"
certbot output
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/example.com/privkey.pem
This certificate expires on 2025-09-07.
These files will be updated when the certificate renews.
# Test renewal (dry run — no changes made):
sudo certbot renew --dry-run
# Certbot auto-renews via systemd timer:
systemctl status certbot.timer
# Manually renew:
sudo certbot renew
# List all certificates:
sudo certbot certificates
Internal CA with OpenSSL
# Create a private CA for internal services:
mkdir -p /etc/ssl/myca/{certs,private,newcerts}
chmod 700 /etc/ssl/myca/private
touch /etc/ssl/myca/index.txt
echo 1000 > /etc/ssl/myca/serial
# Generate CA private key and self-signed certificate:
openssl genrsa -aes256 -out /etc/ssl/myca/private/ca.key 4096
openssl req -new -x509 -days 3650 -key /etc/ssl/myca/private/ca.key -out /etc/ssl/myca/certs/ca.crt -subj "/C=SA/ST=Riyadh/O=Example Corp/CN=Internal CA"
# Generate a key and CSR for an internal service (the CN alone is not enough; modern clients require a SAN):
openssl genrsa -out /etc/ssl/private/internal-service.key 2048
openssl req -new -key /etc/ssl/private/internal-service.key -out /tmp/internal-service.csr -subj "/CN=service.internal"
# Sign with your CA, adding the SAN extension (x509 -req does not copy extensions from the CSR by default):
printf 'subjectAltName=DNS:service.internal\n' > /tmp/internal-service.ext
openssl x509 -req -days 365 -in /tmp/internal-service.csr -CA /etc/ssl/myca/certs/ca.crt -CAkey /etc/ssl/myca/private/ca.key -CAcreateserial -extfile /tmp/internal-service.ext -out /etc/ssl/certs/internal-service.crt
Certificate expiry monitoring
# Check certificate expiry date:
openssl x509 -in /etc/letsencrypt/live/example.com/cert.pem -noout -dates
openssl x509 output
notBefore=Jun 9 00:00:00 2025 GMT
notAfter=Sep 7 23:59:59 2025 GMT
# Check a remote server's certificate over the network (no shell access to the server needed):
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates
# Loop over multiple services and print each expiry date (compare against a 30-day threshold to alert):
for domain in example.com api.example.com; do
expiry=$(openssl s_client -connect "${domain}:443" -servername "${domain}" </dev/null 2>/dev/null | openssl x509 -noout -enddate | cut -d= -f2)
echo "${domain}: expires ${expiry}"
done
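As an added example (not from the original article), the loop above extended into a monitoring probe: it parses the notAfter line from openssl, computes the days remaining, and maps the result to OK/WARNING/CRITICAL with Nagios-style exit codes so a scheduler or monitoring agent can act on it. It assumes GNU date (as on Ubuntu) and the openssl CLI; the host list is constructed.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Assumes GNU date (Ubuntu) and the openssl CLI.

THRESHOLD_DAYS=30

# Parse the "notAfter=<date>" line printed by `openssl x509 -enddate`
# and print the whole days left until that moment (negative if already expired).
days_until() {
  not_after="${1#notAfter=}"
  expiry_epoch=$(date -u -d "$not_after" +%s) || return 2
  now_epoch=$(date -u +%s)
  echo $(( (expiry_epoch - now_epoch) / 86400 ))
}

# Map days remaining to a monitoring state and exit code:
# 0 = OK, 1 = WARNING (inside the renewal window, renewal should have run), 2 = CRITICAL (expired).
classify() {
  days="$1"; threshold="${2:-$THRESHOLD_DAYS}"
  if [ "$days" -lt 0 ]; then echo CRITICAL; return 2; fi
  if [ "$days" -lt "$threshold" ]; then echo WARNING; return 1; fi
  echo OK; return 0
}

# Fetch the leaf certificate from a live host and report its state.
# Needs network access, so it is not exercised by the offline checks.
check_host() {
  host="$1"; port="${2:-443}"
  enddate=$(openssl s_client -connect "${host}:${port}" -servername "$host" \
              </dev/null 2>/dev/null | openssl x509 -noout -enddate) || {
    echo "${host}: UNKNOWN (could not fetch certificate)"; return 3; }
  days=$(days_until "$enddate")
  state=$(classify "$days"); rc=$?
  echo "${host}: ${state} (${days} days left, ${enddate#notAfter=})"
  return $rc
}

# Probe every host given and exit with the worst state seen.
probe_all() {
  worst=0
  for host in "$@"; do
    check_host "$host"; rc=$?
    [ "$rc" -gt "$worst" ] && worst=$rc
  done
  return "$worst"
}

# Constructed host list; run as:  probe_all example.com api.example.com
```

Wire `probe_all` into cron or a systemd timer and treat any non-zero exit as an alert; WARNING means the certbot timer has not renewed as expected and needs attention before the certificate lapses.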
# Distribute internal CA certificate to Ubuntu clients:
sudo cp /etc/ssl/myca/certs/ca.crt /usr/local/share/ca-certificates/myca.crt
sudo update-ca-certificates
Conclusion
Let's Encrypt certificates are valid for 90 days. The short lifetime is intentional (it limits the damage from a compromised key) and is not a problem in practice, because certbot's automatic renewal runs once a certificate is within 30 days of expiry. The most common certificate-related outage is a failed renewal that goes unnoticed: monitor the certbot systemd timer status and configure email alerts via the --email flag during certbot register. Add certificate expiry checks to your monitoring system as a second safety net.
FAQ
Is Certificate Management important for Ubuntu administrators?
Yes. It supports practical Ubuntu administration because it connects directly to server reliability, security, troubleshooting, or daily operations.
Should I practice this on a live server?
Use a lab VM first. After you understand the command output and rollback path, apply the workflow carefully on real systems.
What should I do after reading this article?
Run the practice commands, write down what each one shows, and continue to the next article in the Ubuntu roadmap.