Certificate expiry and trust patterns
Updated July 11, 2026. Based on 3,153 unique hostnames scanned by SecureMonk users between March 7, 2026 and July 11, 2026, latest scan per host.
Certificate expiration is the easiest preventable security incident. There is no judgment call, no false-positive risk, just a calendar. When a certificate lapses, the site stops working for every visitor on every modern browser at the same moment. Most organizations have a renewal story that works most of the time, and an embarrassing incident from the one time it did not. Here is what we see across the sample.
Expirations are rare, near-expirations are not
Of 3,095 hosts in the dataset, 17 (0.5%) currently serve expired certificates and 28 (0.9%) serve certificates from a CA that is not in the public trust store. Both numbers are small, and most of them belong to test or staging environments that operators have not gotten around to fixing.
The more interesting number is the near-misses. 84 sites (2.7%) have a certificate that expires in less than 30 days. 26 sites (0.8%) have one that expires in less than 14 days. With short-lived certificates becoming the norm, that window keeps shrinking, which means renewal automation matters more than ever.
The median validity is short
The median certificate in the dataset has 73 days remaining. The average is 106 days. Both numbers reflect a steady move toward shorter certificate lifetimes, driven by Let's Encrypt (90-day certs by default) and the broader industry push to limit the damage of a private key compromise.
If renewal is automated, short certificates are safer. If renewal is a calendar reminder, short certificates are a recurring fire drill.
Key algorithm split is now nearly even
1,568 sites (50.7%) serve RSA certificates and 1,527 (49.3%) serve ECDSA. Two years ago this would have been three quarters RSA. The shift is driven by Let's Encrypt offering ECDSA chains by default for accounts that request them, faster handshakes on mobile clients, and smaller signature payloads on every request.
There is no practical reason to prefer RSA for a new certificate today unless you have a specific client compatibility constraint.
OCSP stapling is still the exception
598 of 3,095 sites (19.3%) staple OCSP responses. The rest leave clients to query the CA's OCSP responder separately, which is slower, exposes visitor IPs to the CA, and fails open if the responder is down. The fix is one server-config directive on every modern web server.
Methodology
Same dataset as the other insights pieces. 3,153 unique hostnames scanned through SecureMonk between 2026-03-07 and 2026-07-11, latest scan per host. Certificate numbers come from the certificate the server presented at the time of the scan and reflect that single point in time, not the full set of certificates the operator might rotate through.