Every day, businesses rely on TLS certificates to keep their digital operations secure. But when those certificates expire unexpectedly, the consequences can be severe—websites go down, critical services break, and customer trust is lost.
Even as automation has made certificate issuance and renewal easier, it hasn’t eliminated the problem. Organizations still find themselves blindsided by expirations, leading to costly outages.
Let’s Encrypt, the world’s most widely used Certificate Authority, recently announced that it will retire its certificate expiration notification service. To bridge this gap, it has recommended Red Sift Certificates Lite, a free monitoring solution designed to give businesses full visibility into their certificates and prevent costly downtime.
In a recent webinar, Josh Aas, Executive Director of Let’s Encrypt, Rahul Powar, CEO of Red Sift, and Billy McDiarmid, Sr Director of Sales Engineering at Red Sift, explored why Let’s Encrypt and Red Sift are working together, why monitoring certificates remains essential, and how Certificates Lite provides an easy way to track and manage certificate lifecycles.
A quick recap: Why Let’s Encrypt is ending its expiration notification service
Since launching in 2015, Let’s Encrypt has issued over half a billion certificates, making encrypted connections the default for the modern web. As adoption grew, so did the challenge of managing expiration notifications at scale.
To streamline operations and better align with its core principles, Let’s Encrypt made the decision to retire its certificate expiration notification service. The key reasons behind this change include:
- Commitment to privacy: Eliminating email retention aligns with Let’s Encrypt’s practice of minimizing data collection and safeguarding user privacy.
- Cost efficiency: Maintaining expiration email services costs tens of thousands of dollars annually—funds that can be redirected toward more impactful infrastructure improvements.
- Simplification of infrastructure: Reducing system complexity ensures a more robust, scalable platform as new service components are introduced.
While Let’s Encrypt remains committed to providing free, automated certificate issuance, the team recognized that many organizations still need a way to track expirations. Josh Aas and his team turned to Red Sift to help solve this challenge.
A shared mission to build a fundamentally safer internet
Let’s Encrypt and Red Sift are aligned in their vision to make the internet fundamentally safer—not just by improving access to TLS certificates, but by ensuring they are properly monitored and managed.
For encryption to truly be effective, organizations must be able to trust the identities of the systems they interact with. This is where TLS certificates play a critical role, serving as the foundation of both privacy and authentication online.
TLS: The foundation of trust on the internet
TLS (Transport Layer Security) is the backbone of secure online communication, protecting billions of interactions every day. But its role extends beyond just encryption—TLS is also critical for authentication.
During the webinar, Josh highlighted why both encryption and authentication are necessary to establish trust: “TLS is critical for privacy and the integrity of connections on the internet. It really provides two things: encryption and authentication. And you need to have both—if a connection doesn’t have both, it’s not secure.”
Encryption ensures data remains private, but without authentication, users can’t verify who they are communicating with. This creates a major security risk, as attackers can trick users into encrypted connections with malicious actors.
“Encryption doesn’t really matter if you’re having an encrypted conversation with the wrong entity. It could be a phishing entity or anything else. Encryption isn’t going to protect you from that because they are the other end of the conversation.”
This is why TLS certificates are essential—they provide identity verification that allows users, businesses, and applications to trust their connections.
However, simply having a TLS certificate isn’t enough. It must be properly deployed, actively monitored, and renewed on time to prevent service disruptions and security failures. As Josh noted, “You need to make sure that when you have a certificate, it’s reliably renewed and managed. That’s where monitoring can help.”
But monitoring certificates across an organization isn’t always simple. Certificates expire, automation can fail, and sprawl makes it hard to track everything. This brings us to one of the biggest challenges businesses face today: managing TLS at scale.
Why do organizations struggle with certificate management?
Managing TLS certificates isn’t just a technical task—it’s a critical business function. A single expired certificate can disrupt operations, break services, and create security risks. Yet, many organizations struggle to keep up.
During the webinar, Rahul outlined why certificate management is becoming increasingly difficult.
1. Automation is essential—but not foolproof
The industry push toward shorter certificate lifespans means organizations must automate issuance, renewal, and revocation. But automation itself introduces new risks.
Rahul commented: “You’re in the midst of trying to convert some of your base, that might be currently manually deployed, into an automated workflow. And you want assurance that the automated workflow is working—because we all know, working in technology, unfortunately, things sometimes break.”
When automated systems fail, how do you know? How do you fix it before it becomes a business continuity issue?
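One way to answer that question with a scheduled check, as an added example (not code from Let’s Encrypt, Red Sift, or the webinar): it flags a certificate as overdue when less than a third of its validity period remains, a threshold assumed here as the point by which automated renewal should already have run. The host names and dates in the sample inventory are constructed.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumption: automated renewal should have run before this share of lifetime is left.
RENEW_FRACTION = 1 / 3


def fetch_validity(host, port=443, timeout=5.0):
    """Live (notBefore, notAfter); an expired cert raises SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return cert["notBefore"], cert["notAfter"]


def assess(not_before, not_after, now):
    """Classify a certificate by how much of its validity period is left."""
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    remaining = end - now.timestamp()
    if remaining <= 0:
        return "expired", 0.0
    status = "renewal-overdue" if remaining / (end - start) < RENEW_FRACTION else "ok"
    return status, remaining / 86400


def report(inventory, now):
    """Return only the entries that need attention, soonest expiry first."""
    flagged = []
    for name, not_before, not_after in inventory:
        status, days_left = assess(not_before, not_after, now)
        if status != "ok":
            flagged.append((name, status, round(days_left, 1)))
    return sorted(flagged, key=lambda row: row[2])


# Constructed sample inventory: hypothetical hosts, made-up validity dates.
SAMPLE = [
    ("www.example.test", "Jan  1 00:00:00 2025 GMT", "Apr  1 00:00:00 2025 GMT"),
    ("mail.example.test", "Mar  1 00:00:00 2025 GMT", "May 30 00:00:00 2025 GMT"),
    ("api.example.test", "Mar 15 00:00:00 2024 GMT", "Mar 15 00:00:00 2025 GMT"),
    ("old.example.test", "Dec  1 00:00:00 2024 GMT", "Mar  1 00:00:00 2025 GMT"),
]
NOW = datetime(2025, 3, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(*report(SAMPLE, NOW), sep="\n")
```

Measuring the remaining share of the validity period, rather than a fixed number of days, keeps the same check meaningful for both 90-day and one-year certificates.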
2. Certificate sprawl is out of control
TLS isn’t just for websites—it’s everywhere.
“There’s very little out there that’s not in some way wrapped up via a TLS socket, whether it’s web services, email infrastructure, or device telemetry. But that leads to quite a lot of certificate sprawl. So how do you even get your hands around the entire inventory?”
Many organizations don’t know where all their certificates are, making it difficult to track renewals and identify risks before they cause failures.
3. Compliance requirements are tightening
Regulators are catching up to best practices, and organizations need to be prepared.
“PCI DSS 4.0 specifically requires PKI inventory and certificate lifecycle management. If organizations are within scope, they need to demonstrate that they have auditable solutions in place.”
Falling behind on compliance isn’t an option—businesses need reliable, documented processes for managing their certificates.
4. The post-quantum era is coming
Post-Quantum Cryptography (PQC) might seem distant, but the transition is happening faster than expected. Rahul commented:
“We’re expecting the first standardizations of PQC certificates in 2026, and we already have post-quantum safe handshakes. […] And there’s some jurisdictions like in Australia where post-quantum certificates are expected to be deployed far more aggressively than in other territories. So depending on where you’re from and what jurisdiction and legislation might apply to you, you actually might need to be slightly further ahead of this than people would expect.”
Organizations that wait too long to adapt risk falling behind on critical security changes.
Visibility is key to staying ahead
Between automation failures, certificate sprawl, regulatory pressure, and emerging threats, businesses can’t afford blind spots.
As Rahul put it: “How do you get on top of it before it becomes a business continuity issue?”
This is exactly where Red Sift Certificates Lite helps—providing organizations with real-time visibility, proactive alerts, and a clear view of their certificate landscape before issues arise.
Red Sift Certificates Lite: a smarter way to track certificates
With Let’s Encrypt retiring its certificate expiration notification service, Red Sift Certificates Lite provides businesses with a real-time monitoring solution that ensures certificates don’t expire unnoticed.
With Certificates Lite, businesses can:
✅ Track all certificates in one place, whether issued by Let’s Encrypt or another CA.
✅ Receive proactive alerts before expirations happen, ensuring no surprises.
✅ Gain full visibility into certificate authorities, key strengths, and trust chains.
Unlike email notifications that can get lost or ignored, Certificates Lite continuously monitors certificates using Certificate Transparency Logs—providing a real-time view of an organization’s certificates and upcoming expirations.
Billy McDiarmid
Senior Director, Sales Engineering at Red Sift
With shorter certificate lifespans, increased automation, and growing compliance demands, now is the time to ensure your business never gets caught off guard by an expired certificate again.
🔗 Sign up for Red Sift Certificates Lite for free.