Executive summary — A single expired certificate has taken down consumer platforms, telecom networks, and collaboration tools used by tens of millions of people. The root cause is almost never sophistication; it is certificate sprawl and a lost inventory. This article walks through documented outages, the real cost of one missed renewal, and how discovery restores control. Certificate sprawl is what happens when the number of TLS and machine certificates in an enterprise grows faster than the ability to track them. Certificates now sit on load balancers, containers, internal APIs, IoT devices, service meshes, and third-party SaaS integrations. Each has an expiry date. When even one lapses on a critical path, the service it protects stops trusting its peers and traffic fails. The failure is total and instant, which is what makes it so damaging. The Outages Nobody Forgets The public record is unambiguous. In December 2018, Ericsson confirmed that an expired certificate in SGSN-MME software caused a major mobile outage; the O2 network in the United Kingdom went down for close to 24 hours, affecting roughly 32 million customers, with millions more impacted across other operators. Collaboration platforms have not been spared: a widely used enterprise messaging service suffered a multi-hour global outage when an internal certificate expired without renewal, locking out around 20 million daily users. Consumer platforms tell the same story. A major professional network let certificates expire more than once in two years, blocking sign-ins for millions. A large audio-streaming provider lost part of its podcast platform for hours after an internal certificate on a component outside standard monitoring quietly expired. The common thread across every case is not attacker skill; it is that the certificate was not on anyone list. What One Expired Certificate Actually Costs The direct cost of a certificate is negligible. The cost of its expiry is not. A single outage on a revenue-generating service combines lost transactions, SLA penalties, emergency engineering hours, and reputational damage that outlasts the incident by months. For regulated industries there is a further layer: an availability failure can become a reportable event. When the trigger is later revealed to be a lapsed certificate, the finding is doubly hard to defend, because it signals an absence of basic operational hygiene rather than an unavoidable attack. Cannot see every certificate in the estate? CertiNext CLM discovers, inventories, and auto-renews every certificate across clouds and networks, so no expiry ever reaches production unnoticed. Discovery: You Cannot Renew What You Cannot See Regaining control begins with discovery, and discovery has to be continuous rather than a one-off spreadsheet. Effective programmes combine several techniques. Network scanning sweeps IP ranges and ports to find certificates presented by live services. Integration-based discovery pulls certificate data directly from cloud providers, load balancers, and Kubernetes secret stores through their APIs. Certificate Transparency log monitoring catches externally issued certificates for owned domains that no internal team requested. Together these reveal the shadow certificates that manual tracking always misses. Discovery feeds an inventory, and the inventory is only useful if it is the single source of truth. Every certificate should carry its owner, expiry, key type, issuing authority, and the exact system it protects. This is the operational core of certificate lifecycle management, and it is what turns firefighting into a managed lifecycle. From Inventory to Automated Renewal A complete inventory removes surprise, but manual renewal still fails under scale and short lifespans. As public certificate lifetimes shorten toward a 47-day maximum, the number of renewals per year rises sharply and human tracking becomes impossible. The next step, therefore, is automation: renewal driven by protocol rather than by calendar reminders. Teams should move critical certificates onto automated certificate renewal with ACME so that issuance and installation happen without a human in the loop. Because so many of these certificates authenticate services rather than people, certificate governance and identity and access management are converging. The same platform that governs who can access a system should also govern which machines it trusts, and both depend on certificates that never silently expire. Buyers evaluating platforms can compare capabilities through a CLM platform comparison focused on discovery breadth and automation depth. The Bottom Line Certificate sprawl is a solved problem for organisations that treat certificates as governed assets rather than afterthoughts. Continuous discovery, a single authoritative inventory, and protocol-driven automated renewal remove the one failure mode that has repeatedly taken down some of the largest services in the world. The cost of doing this is modest; the cost of not doing it is measured in millions and in headlines. Tags: Certificate Lifecycle Management About the Author CertiNext Editorial CertiNext Editorial represents the collective voice of CertiNext, delivering expert insights on PKI modernization, crypto-agility, and the future of machine identity. Our team of PKI architects, security engineers, and digital trust specialists curates practical, in-depth content to help enterprises manage certificates at scale, eliminate outages, and prepare for the post-quantum era with confidence