- Our current GlobalSign certs are generally configured with a single individual's email address to notify us on expiry.
- Even if that's fixed, we shouldn't be relying on them to notify us. We should have our own tracking.
We have check_sslxNN in Icinga, which checks at least the critical unified cert and (in addition to other things) tracks cert expiry, but we haven't actually extended that kind of checking to every cert we're using (notably, we missed the impending loss of wmfusercontent.org). We have several smaller certs like that, some of which are even hosted in 3rd-party services. Should we monitor the 3rd parties in these cases as well?
It might make more sense if we had some generic system in place for tracking long-term expiration events in general, so that we could enter every cert we purchase into that system when it's purchased. Such a system could be useful for other purposes as well (warranties, contracts, etc.?). Is there an existing thing like this available already?
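A sketch of the inventory-driven tracking described above, as an added example that is not part of the original task or of any existing check: one check walks every recorded expiry (certs, warranties, contracts) and returns a Nagios/Icinga plugin status. The inventory entries, the 30/7-day thresholds and all function names are assumptions; `fetch_not_after` shows how a cert hosted by a third party could be read from the live endpoint instead of from the inventory.

```python
import datetime as dt
import socket
import ssl

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # Nagios/Icinga plugin exit codes
NAMES = ("OK", "WARNING", "CRITICAL", "UNKNOWN")
RANK = {OK: 0, WARNING: 1, UNKNOWN: 2, CRITICAL: 3}  # severity order for "worst"

# Constructed inventory; every name and date here is illustrative.
INVENTORY = [
    {"name": "unified.example.org", "kind": "cert", "expires": "2031-06-01"},
    {"name": "usercontent.example.org", "kind": "cert", "expires": "2030-01-20"},
    {"name": "thirdparty.example.net", "kind": "cert", "expires": "2030-01-03"},
    {"name": "rack-12 hardware", "kind": "warranty", "expires": "bad-date"},
]

def not_after_to_date(not_after):
    """Convert a getpeercert() 'notAfter' string to a UTC date."""
    secs = ssl.cert_time_to_seconds(not_after)
    return dt.datetime.fromtimestamp(secs, dt.timezone.utc).date()

def fetch_not_after(host, port=443, timeout=10):
    """Read the expiry from a live endpoint, e.g. a cert hosted by a third party."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return not_after_to_date(tls.getpeercert()["notAfter"])

def classify(expires, today, warn_days=30, crit_days=7):
    """Map days remaining to a plugin status; already expired is CRITICAL."""
    days = (expires - today).days
    if days <= crit_days:
        return CRITICAL, days
    return (WARNING if days <= warn_days else OK), days

def check_inventory(inventory, today):
    """Return (worst_status, lines) so one check covers every tracked item."""
    worst, lines = OK, []
    for item in inventory:
        try:
            status, days = classify(dt.date.fromisoformat(item["expires"]), today)
            detail = f"{days} days left"
        except (KeyError, ValueError):
            # A bad record must surface as UNKNOWN, not be skipped silently.
            status, detail = UNKNOWN, "unparseable expiry"
        worst = max(worst, status, key=RANK.get)
        lines.append(f"{NAMES[status]}: {item['kind']} {item['name']}: {detail}")
    return worst, lines
```

A plugin wrapper would print the returned lines and exit with the returned status, so a single Icinga service alerts on whichever tracked item is closest to expiry.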