
> Some guy creates a certificate, leaves the company, there is some renewal mechanism which just works, nobody knows anymore where it exactly is and then it starts failing.

Which is why part of the standard operating procedure (SOP) of adding any new service is to add it to your monitoring infrastructure. This includes certificate expiration even if it is supposed to be automated.

Automation breaks sometimes, and you have to know when it does break so a 'manual override' can be done.



Right. Certificates are actually one of the easier monitoring problems - you can build an affirmative monitoring setup, you can get them off the shelf, it's very much a solved problem.

Contrast stuff like: Did we pay the utility bills? Oh, you thought Jim did it, Jim thought Sarah did it, Sarah thought you did it, and so they weren't paid, and this morning bright and early an engineer from the utility company disconnected our supply, we are dead in the water. Don't worry, your utility company is probably a local monopoly and so they definitely have excellent customer support /s
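The certificate-expiry monitoring discussed in the comments above, sketched as an added example (not code from the thread or its participants). It flags a certificate that has outlived its expected renewal window, and also treats a probe that has stopped reporting as an alert in its own right. The thresholds, status names, and `example.test` hosts are assumptions, and the inventory is constructed sample data.

```python
import socket
import ssl

DAY = 86400

def fetch_not_after(host, port=443, timeout=5):
    """Live probe: the leaf certificate's notAfter string, or None on any failure."""
    try:
        ctx = ssl.create_default_context()
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()["notAfter"]
    except (OSError, KeyError):  # ssl.SSLError is an OSError, so invalid certs land here too
        return None

def classify(not_after, last_checked, now, renew_before=30, critical=7, max_probe_age=DAY):
    """Return (status, days_left); times are epoch seconds, thresholds are days (assumed)."""
    if last_checked is None or now - last_checked > max_probe_age:
        return "STALE", None             # the monitor itself went quiet
    if not_after is None:
        return "PROBE_FAILED", None      # checked recently, but got no usable certificate
    seconds_left = ssl.cert_time_to_seconds(not_after) - now
    days_left = seconds_left // DAY
    if seconds_left <= 0:
        return "EXPIRED", days_left
    if days_left < critical:
        return "CRITICAL", days_left
    if days_left < renew_before:
        return "RENEWAL_OVERDUE", days_left  # automation should already have replaced it
    return "OK", days_left

def evaluate(inventory, now):
    """Map each host to (status, days_left)."""
    return {host: classify(na, checked, now) for host, na, checked in inventory}

# Constructed sample data: (host, notAfter as getpeercert() formats it, last probe time).
NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2024 GMT")
SAMPLE = [
    ("www.example.test", "Aug 20 00:00:00 2024 GMT", NOW - 3600),
    ("api.example.test", "Jun 15 00:00:00 2024 GMT", NOW - 3600),
    ("vpn.example.test", "Jun  4 12:00:00 2024 GMT", NOW - 3600),
    ("old.example.test", "May 30 00:00:00 2024 GMT", NOW - 3600),
    ("legacy.example.test", "Dec  1 00:00:00 2024 GMT", NOW - 5 * DAY),
    ("mail.example.test", None, NOW - 3600),
]

if __name__ == "__main__":
    for host, (status, days) in evaluate(SAMPLE, NOW).items():
        print(f"{host:22} {status:16} {days}")
```

In a real deployment `fetch_not_after` would feed the inventory on a schedule, with `renew_before` set to the renewal window the automation is configured for.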



