Certificate outages are not theoretical. They happen, often at large companies, and usually for very ordinary reasons. Here are four real incidents - what broke, why, and the small monitoring step that would have prevented each one.
1. Microsoft Teams - 2020
What happened: Microsoft Teams was unreachable for hours one morning. The reason? A single expired authentication certificate.
Why it slipped through: the certificate was deep in the back-end auth path. Not the kind of thing the public-facing TLS team owned. Nobody was watching it.
What would have caught it: a monitoring tool that watches all certificates in the chain - not only the public-facing ones - and alerts the right team weeks before expiry.
2. LinkedIn - 2017
What happened: LinkedIn’s country-code domains (e.g. linkedin.com.de, linkedin.co.uk) all stopped working at once. Browser warnings everywhere.
Why it slipped through: the certificate expired. The team renewed the primary domain certificate but forgot all the country variants.
What would have caught it: a complete domain inventory. Every certificate, on every variant, monitored independently. Not “our main cert” - every cert.
3. Equifax - 2017
What happened: a certificate on a security tool expired silently. With monitoring blind, attackers used a separate vulnerability for ten months without detection. The breach that followed exposed data on 147 million people.
Why it slipped through: the security tool depended on certificate-encrypted traffic to inspect packets. Once the cert expired, inspection stopped - but no one was alerted that inspection had stopped.
What would have caught it: alerts on every certificate, including internal ones. A certificate quietly failing is a security event, not just an availability event.
4. Let’s Encrypt - 2026
What happened: Let’s Encrypt halted all certificate issuance globally for several hours in May 2026 after detecting an issue with one of their cross-signed roots. Sites with healthy automation that happened to need a new cert during the window couldn’t get one.
Why it slipped through: the cron job worked. The CA didn’t. Teams that depended on a single CA had no fallback - the automation was running perfectly, but the upstream wasn’t.
What would have caught it: a backup CA configured for emergency issuance, plus monitoring that surfaces “we tried to renew and the CA said no” as a distinct event - not lumped in with generic renewal failures.
The common pattern
Different companies, different scales, same root causes:
- Alerts going to one person, one channel.
- Monitoring covering some certificates but not all.
- No alerts on internal or back-end certificates.
- No final check on what the user actually sees.
None of these companies were short on engineering talent. They simply did not have the right monitoring habits in place. The fix is not technically hard. The fix is making monitoring boring and automatic - so a Sunday-morning expiry is impossible.
Where to start
Start with your main domain right now.
Scan your main domain in seconds
Type your domain below and our free scanner checks the certificate the same way a browser does, including when it expires and who issued it. Results open in a new tab.
Then make a list of every other certificate your team is responsible for and ask: who would know if this one expired tonight? If the honest answer is "nobody," add it to monitoring.
Catch the next one before your customers do
Look again at the stories above. In every one, the certificate was the small part. The expensive part was what happened next: a global product unreachable, sign-ins broken across continents, a security tool blind for ten months. When a certificate fails, your site does not slow down, it stops. Customers hit a warning, assume you are down or unsafe, and leave. Revenue stops while the clock runs, and the trust you spent years building takes the hit in minutes.
None of these outages needed to happen. A certificate problem announces itself long in advance, and continuous monitoring turns a Sunday-morning disaster into a Tuesday-afternoon ticket. If you are dealing with a broken or expired certificate right now, Beacon gets you a working one for free in minutes. Then let TLS Radar watch every certificate you own, around the clock, so the next story is not yours.
Need a working certificate right now?
Beacon issues free 90-day Let's Encrypt certificates with a guided DNS-validation flow. No account, no command-line tools, no ACME client to install - just a domain you control. Most people get a working certificate in under 10 minutes.
Get a free certificate from BeaconMake a Sunday-morning expiry impossible
TLS Radar monitors every certificate across your domains and back-end services, and alerts your whole team weeks before anything expires or breaks. Set it up once and stop losing sleep over renewals.
Related reading
Get the next post in your inbox
TLS monitoring tips and product updates. No spam, unsubscribe anytime.
Keep reading
DigiCert CertCentral Alternatives: An Honest Comparison
The True Cost of a TLS Outage (And Why Calendars Won't Save You)
Valid SSL Certificate, but Chrome Says 'Not Secure'? Here's Why
Related guides
-
“This Website Cannot Be Trusted”: What It Means and How to Fix It
What the “this website cannot be trusted” error really means, and how to fix it fast.
-
Browser Warning About Site Security - What It Means
A friendly tour of browser security warnings and what causes each one.
-
HTTPS Not Working? A Plain-English Troubleshooting Guide
Why HTTPS suddenly stops working and how to diagnose it in under 10 minutes.