SSL/TLS Certificate Expiry Risk Calculator

Evaluate the risk score and estimated business impact of an expiring SSL/TLS certificate based on days remaining, site traffic, and system criticality.

Inputs

  • days (days until expiry): Enter 0 if already expired. Max standard validity is 825 days.
  • visitors: Number of unique users or API requests per day served over HTTPS.
  • revenue_per_visitor: Estimated revenue attributable per visitor or transaction. Use 0 for non-revenue systems.
  • criticality (1–4): Higher criticality amplifies the risk score.
  • autoRenewal: Auto-renewal reduces operational risk but does not eliminate monitoring needs.
  • monitoring: Active monitoring reduces the probability of surprise expiry.

Formulas Used

1. Urgency Score (U)
U = 100 × e^(−λ × days), where λ = 0.05
Exponential decay model: urgency approaches 100 as days → 0 (expired), and decays toward 0 for distant expiry dates. Half-life ≈ 14 days.

2. Exposure Mitigation Factor (M)
M = 1 − (0.5 × autoRenewal) − (0.5 × monitoring)
M ∈ [0, 1]. Auto-renewal and monitoring each contribute up to 50% risk reduction. M = 0 means fully mitigated; M = 1 means no controls.

3. Composite Risk Score (R)
R = min([(U × criticality × M) / 400] × 100, 100)
Normalised to 0–100. Maximum raw risk = 100 × 4 × 1 = 400 (expired, critical, no controls).

4. Daily Revenue at Risk (DRR)
DRR = visitors × revenue_per_visitor × P_impact, where P_impact = U / 100
P_impact is the probability that the expiry event causes a full service disruption, proxied by the urgency score.

5. Remediation Window Cost (RWC)
RWC = DRR × expected_downtime_days
Expected downtime: 0.5 days (auto-renewal active), 1 day (partial), 3 days (manual renewal).
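The five formulas above chained end to end, as an added example rather than the calculator's own code. It treats "partial" downtime as monitoring without auto-renewal (an assumption; the page does not define "partial") and shows one property worth knowing: the mitigation factor M drives the risk score to zero, but the revenue figures still use P_impact = U / 100 and are unaffected by the controls.

```python
import math

LAMBDA = 0.05  # decay constant from the urgency formula on the page


def urgency(days_remaining: float) -> float:
    """U = 100 * e^(-lambda * days): 100 when expired, decaying toward 0."""
    return 100.0 * math.exp(-LAMBDA * max(days_remaining, 0.0))


def half_life_days() -> float:
    """Days until U halves: ln(2) / lambda (about 13.9, the page's ~14)."""
    return math.log(2) / LAMBDA


def mitigation(auto_renewal: bool, monitoring: bool) -> float:
    """M = 1 - 0.5*autoRenewal - 0.5*monitoring, so M lies in [0, 1]."""
    return 1.0 - 0.5 * auto_renewal - 0.5 * monitoring


def risk_score(u: float, criticality: int, m: float) -> float:
    """R = min((U * criticality * M) / 400 * 100, 100); raw max is 400."""
    if criticality not in (1, 2, 3, 4):
        raise ValueError("criticality must be 1 (Low) .. 4 (Critical)")
    return min(u * criticality * m / 400.0 * 100.0, 100.0)


def expected_downtime_days(auto_renewal: bool, monitoring: bool) -> float:
    """0.5 days auto-renewal, 1 day partial, 3 days manual (page's figures).
    Assumption: 'partial' means monitoring only, without auto-renewal."""
    if auto_renewal:
        return 0.5
    if monitoring:
        return 1.0
    return 3.0


def assess(days_remaining, visitors, revenue_per_visitor,
           criticality, auto_renewal, monitoring) -> dict:
    """Run every step of the calculator and return all intermediate values."""
    u = urgency(days_remaining)
    m = mitigation(auto_renewal, monitoring)
    # DRR = visitors * revenue_per_visitor * P_impact, with P_impact = U / 100.
    # Note: M does not enter here, so DRR is unchanged by the controls.
    drr = visitors * revenue_per_visitor * (u / 100.0)
    return {
        "urgency": u,
        "mitigation": m,
        "risk_score": risk_score(u, criticality, m),
        "daily_revenue_at_risk": drr,
        "remediation_window_cost": drr * expected_downtime_days(auto_renewal, monitoring),
    }
```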

Assumptions & References

  • Maximum certificate validity is 825 days per CA/Browser Forum Baseline Requirements (reduced to 398 days for publicly trusted certs from Sept 2020).
  • The exponential decay constant λ = 0.05 is calibrated so that urgency exceeds 50% at 14 days remaining, aligning with industry best-practice renewal windows (Let's Encrypt renews at 30 days; Google recommends renewal at 20 days).
  • Criticality multipliers (1–4) are adapted from NIST SP 800-30 impact severity levels (Low / Medium / High / Critical).
  • Mitigation factor weights (50% each for auto-renewal and monitoring) reflect OWASP guidance that automated renewal and alerting are the two primary controls for certificate expiry risk.
  • Expected downtime estimates (0.5 / 1 / 3 days) are based on industry incident post-mortems: automated systems recover in hours; manual processes typically require 1–3 business days including escalation and change management.
  • Revenue at risk assumes 100% of HTTPS traffic is blocked upon expiry (browsers display hard-stop warnings for expired certificates per RFC 5280 and browser security policies).
  • This calculator provides a risk estimate only. Actual impact depends on browser behaviour, CDN caching, HSTS policies, and organisational response time.
  • References: CA/Browser Forum Baseline Requirements v2.0; NIST SP 800-30 Rev 1; RFC 5280 (X.509); Let's Encrypt renewal documentation; OWASP Transport Layer Security Cheat Sheet.
