Certificate Renewal Schedule
Warning System
| Days before | Action |
|---|---|
| 90 | Email reminder: Start renewal |
| 60 | Calendar alert + email |
| 30 | URGENT: Block release if not done |
| 7 | EMERGENCY: All hands |
Certificate Inventory Template
| Cert Type | Platform | Expires | Responsible | Status | Notes |
|---|---|---|---|---|---|
| Windows EV | Windows | 2025-12-31 | DevOps Lead | ✅ Active | DigiCert |
| Apple Dev ID | macOS | 2025-06-15 | iOS Lead | ⚠️ 45d | Renew soon |
| GPG Signing | Linux | 2026-01-01 | Release Mgr | ✅ Active | Public key: ABC123 |
Status Legend
- ✅ Active - Certificate valid, no action needed
- ⚠️ Warning - Expires in < 90 days, renewal in progress
- 🔴 Urgent - Expires in < 30 days, immediate action required
- 🔄 Renewing - Renewal process started
- 📦 Ordered - New certificate ordered, awaiting delivery
- 🧪 Testing - New certificate imported, testing in progress
- ⏸️ Deprecated - Old certificate, keep for reference
Renewal Process
Phase 1: Preparation (90 days before expiration)
Week 1-2: Planning & Ordering
- [ ] Review current certificate details
- [ ] Check budget approval
- [ ] Order renewal from vendor
- [ ] Verify company information is current
- [ ] Schedule validation calls if needed (EV certs)
- [ ] Create calendar reminders for team
Phase 2: Validation (60-75 days before)
Week 3-4: Vendor Validation
- [ ] Respond to vendor validation emails
- [ ] Provide required documentation
- [ ] Complete phone validation (EV certs)
- [ ] Verify hardware token delivery (if applicable)
- [ ] Track validation status daily
Phase 3: Import & Test (45-60 days before)
Week 5-6: Import & Testing
- [ ] Download new certificate from vendor
- [ ] Import to test environment
- [ ] Sign test builds
- [ ] Verify signature validation
- [ ] Test on all target platforms
- [ ] Document any issues
- [ ] Create rollback plan
Phase 4: Production Deployment (30-45 days before)
Week 7-8: Production Rollout
- [ ] Backup old certificate securely
- [ ] Update CI/CD configuration
- [ ] Import to production signing servers
- [ ] Sign staging release for validation
- [ ] Deploy to production
- [ ] Verify signatures on distributed builds
- [ ] Monitor for issues
- [ ] Update documentation
Phase 5: Archival (After successful deployment)
Post-Deployment: Cleanup
- [ ] Archive old certificate securely
- [ ] Update inventory spreadsheet
- [ ] Document lessons learned
- [ ] Set reminders for next renewal
- [ ] Verify old certificate still validates old builds
- [ ] Keep old cert for 1 year minimum
Emergency Renewal (< 30 days)
Fast-Track Process
- Day 1: Order & Escalate
  - Order from vendor immediately
  - Request expedited processing
  - Pay rush fees if available
  - Contact account manager directly
- Day 2-3: Validation Sprint
  - Prioritize validation responses
  - Have team on standby for calls
  - Prepare all documents in advance
- Day 4-5: Import & Test
  - Parallel testing with multiple team members
  - Automated test suite for signature validation
  - Skip nice-to-have testing, focus on critical paths
- Day 6-7: Deploy
  - Emergency change request
  - Deploy outside normal release window if needed
  - All-hands monitoring for first 24h
Tracking Dashboard
Key Metrics to Monitor
| Metric | Target | Current |
|---|---|---|
| Avg renewal lead time | 60d | 52d |
| Renewals completed on time | 100% | 95% |
| Emergency renewals | 0 | 1 |
| Expired certificates | 0 | 0 |
| Cost per certificate | Budget | $X |
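Automated Monitoring
Script for Checking Expiration
```powershell
# Add to a scheduled task (daily).
# Send-MailMessage requires -From and -SmtpServer; both values below are placeholders.
$expiring = .\certificate_store_setup.ps1 -Action List | Select-String "⚠️" | Out-String
if ($expiring) {
    # Mail only when at least one certificate carries the warning status
    Send-MailMessage -To "team@company.com" -From "certs@company.com" `
        -SmtpServer "smtp.company.com" -Subject "Certificates expiring soon" -Body $expiring
}
```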
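The warning tiers from the schedule applied to the inventory table, as an added example that is not part of the original page or its `certificate_store_setup.ps1` script. The function names, the CSV column names, the `REMINDER`/`ALERT` tier labels and the inclusive day boundaries are assumptions; the rows are constructed sample data reusing the template's values.

```powershell
# Added example (not from the original page): classify inventory rows
# against the 90/60/30/7-day warning tiers. Rows are constructed sample data.
$inventoryCsv = @'
CertType,Platform,Expires,Responsible
Windows EV,Windows,2025-12-31,DevOps Lead
Apple Dev ID,macOS,2025-06-15,iOS Lead
GPG Signing,Linux,2026-01-01,Release Mgr
'@

function Get-RenewalTier {
    param([int]$DaysLeft)
    # The tightest threshold that applies wins (boundaries assumed inclusive).
    if     ($DaysLeft -lt 0)  { 'EXPIRED' }
    elseif ($DaysLeft -le 7)  { 'EMERGENCY' }
    elseif ($DaysLeft -le 30) { 'URGENT' }
    elseif ($DaysLeft -le 60) { 'ALERT' }
    elseif ($DaysLeft -le 90) { 'REMINDER' }
    else                      { 'OK' }
}

function Get-CertificateReport {
    param(
        [Parameter(Mandatory)][object[]]$Inventory,
        [datetime]$Today = (Get-Date).Date
    )
    foreach ($row in $Inventory) {
        # Parse with a fixed format so the result does not depend on the host locale.
        $expires = [datetime]::ParseExact($row.Expires, 'yyyy-MM-dd',
            [System.Globalization.CultureInfo]::InvariantCulture)
        $days = [int][math]::Floor(($expires - $Today).TotalDays)
        [pscustomobject]@{
            CertType    = $row.CertType
            Responsible = $row.Responsible
            DaysLeft    = $days
            Tier        = Get-RenewalTier -DaysLeft $days
        }
    }
}

# Fixed "today" keeps the sample reproducible; omit -Today in a scheduled run.
$report = Get-CertificateReport -Inventory ($inventoryCsv | ConvertFrom-Csv) -Today ([datetime]'2025-05-01')
$report | Sort-Object DaysLeft | Format-Table -AutoSize

# Release gate: the 30-day tier blocks releases, so fail the CI step.
$blocking = @($report | Where-Object { $_.Tier -in 'URGENT', 'EMERGENCY', 'EXPIRED' })
if ($blocking.Count -gt 0) {
    Write-Error ("Release blocked by: " + ($blocking.CertType -join ', '))
    exit 1
}
```

With the fixed date, the Apple Dev ID row lands 45 days out in the `ALERT` tier and nothing blocks; once the inventory's Expires column is updated after a renewal, the row drops back to `OK`.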
Calendar Integration
- Import to team calendar
- Set recurring reminders
- Include responsible person in event
- Add pre-meeting alerts (1 week, 1 day, 1 hour)
Renewal Checklist Template
Certificate Renewal Ticket Template
```markdown
# Certificate Renewal: [Cert Type] - [Platform]

## Details
- **Certificate:** [Type and name]
- **Current Expiration:** [Date]
- **Responsible:** [Person]
- **Vendor:** [Vendor name]
- **Cost:** [Amount]

## Checklist
- [ ] Budget approved
- [ ] Certificate ordered (Date: ___)
- [ ] Validation completed (Date: ___)
- [ ] Certificate received (Date: ___)
- [ ] Imported to test environment (Date: ___)
- [ ] Test signing successful (Date: ___)
- [ ] Signatures verified (Date: ___)
- [ ] CI/CD updated (Date: ___)
- [ ] Deployed to production (Date: ___)
- [ ] Old certificate archived (Date: ___)
- [ ] Inventory updated (Date: ___)
- [ ] Next renewal reminder set (Date: ___)

## Notes
[Add any special considerations or issues encountered]

## Verification
- [ ] Test build signed: [Link to build]
- [ ] Signature validates on: Windows / macOS / Linux
- [ ] SmartScreen/Gatekeeper status: [OK/Pending]
```
Email Templates
90-Day Reminder
```
Subject: Certificate Renewal Required - [Cert Name] expires in 90 days

Team,

The [Certificate Type] certificate for [Platform] will expire on [Date].

Action Required:
1. Order renewal from [Vendor]
2. Schedule validation if needed
3. Update tracking spreadsheet

Responsible: [Person]
Budget: [Amount] - Approval needed by [Date]

Calendar invite sent for renewal kickoff meeting.
```
30-Day Warning
```
Subject: URGENT - Certificate Renewal - [Cert Name] expires in 30 days

Team,

URGENT: The [Certificate Type] certificate expires in 30 days on [Date].

Current Status: [Status from tracking]

If renewal is not complete, we will BLOCK releases starting [Date - 7 days].

Please update the tracking spreadsheet immediately with current status.

Escalation to [Manager] if not completed by [Date - 14 days].
```
Archive Policy
What to Keep
- Old certificates (1 year after expiration)
- Renewal documentation
- Validation records
- Purchase receipts
- Configuration backups
Where to Store
- Secure vault (1Password, Azure Key Vault)
- Encrypted backup drive
- Secure file server
- Document management system
Access Control
- Limit access to 2-3 people
- Audit log of access
- Require MFA for access
- Review access quarterly
Continuous Improvement
Post-Renewal Review Questions
- What went well?
- What could be improved?
- Were timelines realistic?
- Did we have the right people involved?
- Were tools and processes adequate?
- What documentation needs updating?
Update This Schedule
- Review quarterly
- After each renewal (lessons learned)
- When vendors or processes change
- When team members change
- After any incidents or issues