Incapsula-generated certificate expiration
Once our Incapsula-generated certificates are issued, they are valid for a period of 12 months. When the certificate is about to reach its expiration date, it will automatically go through a renewal process.
This process will not require any action from your end, nor will it cause downtime for your sites.
Once the renewal process is concluded, the new certificate will be published. This generally happens 2-3 days before the certificate's expiration date.
Individual SAN expiration
As of April 22, 2017 new rules by The CA/Browser Forum require from all CA's to re-validate SANs every 27 months. The re-validation consists of a similar process as when the certificate was first issued.
In order to prevent any possible downtime for our customers, Incapsula starts the SAN renewal process 3-5 months before the actual revalidation date.
For most cases, Incapsula will attempt to re-validate the SAN automatically without intervention from our customers. However, sometimes we will require our customers to manually perform the revalidation. Some of these cases are:
1. The domain is currently not pointing to Incapsula - If the A records of the naked domain were not pointing to Incapsula at the beginning of the renewal process, it is likely that manual re-validation of the SAN will be required.
This also applies in cases when re-validation is required for a sub-domain while the naked domain is not protected by Incapsula, as the validation is generally made on the naked domain.
2. The domain was initially flagged for Extended Validation - If your domain was flagged for extended validation, it will be flagged again upon renewal and you will be required to fill the extended validation form.
3. Other - If for any reason, Incapsula and/or GlobalSign deems necessary for a SAN to be re-validated.
What happens if any action is required?
If any action will be required from your end in order to validate the SAN, Incapsula Support will contact the account admin and the two most active users (if applicable)
Typically, you will be asked to perform the revalidation via any of our available methods:
Important Notice - If no action will be taken up to 2 weeks before the SAN's expiration date, you risk the SAN being removed from the certificate, which might result in downtime for your site.
* Please note that this article only refers to Incapsula-generated certificates, and not to custom ones that were uploaded to our service. If your custom certificate is about to expire, please be sure to extend it with your CA, and re-upload it to our service.