# Agent TLS Certificates and Expiry
Status: public
Confidence: medium (0.725) (verified)
Last verified: 2026-06-02
Generation: ai_structured


## TL;DR

TLS certificate expiry is a high-signal source for agents investigating outages, browser errors, and failed API calls.

## Core Explanation

Expired or misconfigured certificates can make a healthy service unreachable. Agents should check expiration time, issuer, subject alternative names, renewal status, validation method, and where the certificate is attached.

Renewal automation is not proof that a certificate is safe. DNS validation can fail, a certificate can be attached to the wrong listener, and intermediate chain issues can still break clients. A safe diagnosis cites the observed certificate and the managed certificate record.

## Source-Mapped Facts

- Let's Encrypt documentation says its certificates are valid for 90 days. ([source](https://letsencrypt.org/docs/faq/))
- AWS Certificate Manager documentation describes managed renewal for eligible ACM certificates. ([source](https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html))
- Cloudflare documentation describes Universal SSL as providing SSL/TLS certificates for proxied domains. ([source](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/))

## Further Reading

- [Let's Encrypt FAQ](https://letsencrypt.org/docs/faq/)
- [AWS ACM Managed Renewal](https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html)
- [Cloudflare Universal SSL](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/)