Security

TLS Certificate Rotation Without Uptime Surprises

Build repeatable cert renewals with overlap, monitoring, and rollback.

By Priya Desai · Published December 23, 2025 · 5 min read

Renew with overlap

Issue new certificates at least 14 days before expiry and deploy behind a canary load balancer.

Keep the old certificate live until synthetic and browser checks validate the new chain.

Overlap windows keep a single mistaken flip from becoming customer-visible downtime.

Monitor the whole chain

Use Watch.Dog to check OCSP status, intermediate certificates, and SNI responses from multiple regions.

Alert when remaining validity dips below your policy threshold so renewals are never a surprise.
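The core of such a regional probe, as an added example that is not code from the original post or from Watch.Dog: it verifies the chain an edge presents (leaf plus any intermediates) for the SNI hostname, and separately flags the leaf when its remaining validity drops below the policy threshold, so a cert that is merely close to expiry raises a renewal alert rather than an outage page. OCSP is out of scope here; `MakeTestChain`, the hostname and the 14-day threshold used in the test are constructed stand-ins so the check runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// ChainReport is one probe's verdict: NeedsRenewal means leaf validity is below
// the policy threshold; Err is non-empty when the chain fails to verify for the SNI name.
type ChainReport struct{ RemainingDays int; NeedsRenewal bool; Err string }

// CheckChain verifies chain (leaf first, then any intermediates) against roots for
// hostname at now. Renewal is flagged separately from chain errors, so a near-expiry
// cert that still verifies raises a renewal alert rather than an outage page.
func CheckChain(chain []*x509.Certificate, roots *x509.CertPool, hostname string, minValidity time.Duration, now time.Time) ChainReport {
	if len(chain) == 0 {
		return ChainReport{Err: "empty chain"}
	}
	inter := x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{DNSName: hostname, Roots: roots, Intermediates: inter, CurrentTime: now})
	remaining := chain[0].NotAfter.Sub(now)
	r := ChainReport{RemainingDays: int(remaining.Hours() / 24), NeedsRenewal: remaining < minValidity}
	if err != nil {
		r.Err = err.Error() // wrong SAN, expired cert, or missing intermediate
	}
	return r
}

// MakeTestChain is a constructed stand-in for what an edge presents: a self-signed root
// issues a leaf for dnsName valid validDays from now (use a whole-second now; X.509 has 1s resolution).
func MakeTestChain(dnsName string, validDays int, now time.Time) (leaf, root *x509.Certificate) {
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	rootTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed root"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(8760 * time.Hour)}
	rootDER, _ := x509.CreateCertificate(rand.Reader, rootTpl, rootTpl, rootPub, rootKey)
	root, _ = x509.ParseCertificate(rootDER)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	leafTpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{dnsName}, NotBefore: now.Add(-time.Hour),
		NotAfter: now.Add(time.Duration(validDays) * 24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTpl, root, leafPub, rootKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	return leaf, root
}
```

In a real probe the chain comes from the TLS handshake's peer certificates for the SNI name you dialed, and one report per region lets you tell a single bad edge from a fleet-wide problem.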

Document rollback paths

Store previous certificates securely and keep the load-balancer switch scripts in your runbooks.

Practice rollback in staging with the same DNS and edge settings you use in production.

Launch reliable uptime monitoring with Watch.Dog

Create a free workspace, import your monitors, and ship status updates and alerts from one place.