
League of Legends and the Importance of Certificate Management

A recent outage at League of Legends is a good case study in both availability and certificate management, and how the one affects the other. 

A few days ago League of Legends, the popular online gaming platform, experienced an outage that left large numbers of users unable to access the site. 

The issue was eventually traced to an expired SSL certificate whose expiration the company hadn’t caught. The cert in question was self-signed, with an expiration date of January 6, 2026 – 10 years after its creation.

And this brings up a couple of issues. 

The first issue is that Riot Games was using a self-signed cert with a 10-year expiration date. While this wasn’t all that unusual when it was issued, it’s concerning because the same certificate stayed in use for 10 years.

While 10-year certificates were more or less standard around 2012, today the standard is a little over a year, or 398 days. This is because SSL certificates are fundamental to secure communications, authentication and, in cases like this, availability. As such, if a certificate becomes compromised, it can lead to any number of issues and vulnerabilities for both the user and the platform.

Because SSL certificates are so critical, the time between renewals has steadily dropped over the years. In 2016, when Riot Games issued the first SSL certificate in question, 10 years was pretty standard. Today, the renewal interval is 398 days. Later in 2026 it will move to 200 days. And by 2029 the standard interval for certificate renewal will be down to 47 days. That’s right – every month and a half those certificates will need to be renewed. 

Because Riot Games is using a self-signed cert, they can set the validity period to whatever they want – in this case, they set the new certificate to expire in 100 years. Yikes.
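An inventory check of the kind that flags a certificate like the one described above before it expires, added here as an example and not code from Riot Games or this post. The inventory entries, their names and the 30-day warning threshold are assumptions; the 398-day lifetime limit is the figure quoted in the article.

```python
import ssl
from datetime import datetime, timezone

MAX_LIFETIME_DAYS = 398   # current limit cited in the article
WARN_DAYS = 30            # assumed alerting threshold, not from the article

# Constructed inventory with hypothetical names. Dates use the format
# printed by `openssl x509 -noout -dates`.
INVENTORY = [
    {"name": "legacy-internal", "subject": "CN=Example Internal CA",
     "issuer": "CN=Example Internal CA",
     "notBefore": "Jan  6 00:00:00 2016 GMT", "notAfter": "Jan  6 00:00:00 2026 GMT"},
    {"name": "web-frontend", "subject": "CN=www.example.test",
     "issuer": "CN=Example Public CA",
     "notBefore": "Dec  1 00:00:00 2025 GMT", "notAfter": "Jan 20 00:00:00 2026 GMT"},
    {"name": "api-gateway", "subject": "CN=api.example.test",
     "issuer": "CN=Example Public CA",
     "notBefore": "Nov  1 00:00:00 2025 GMT", "notAfter": "Oct 30 00:00:00 2026 GMT"},
]

def _utc(cert_time):
    # ssl.cert_time_to_seconds parses the "Jan  6 00:00:00 2026 GMT" format.
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)

def audit(cert, now, max_lifetime=MAX_LIFETIME_DAYS, warn_days=WARN_DAYS):
    """Return the list of findings for one inventory entry at time `now` (UTC)."""
    start, end = _utc(cert["notBefore"]), _utc(cert["notAfter"])
    findings = []
    remaining = (end - now).days
    if end <= now:
        findings.append("EXPIRED")
    elif remaining < warn_days:
        findings.append(f"EXPIRES_IN_{remaining}_DAYS")
    if (end - start).days > max_lifetime:
        findings.append("LIFETIME_OVER_POLICY")
    if cert["subject"] == cert["issuer"]:
        findings.append("SELF_SIGNED")
    return findings

def audit_all(inventory, now):
    return {c["name"]: audit(c, now) for c in inventory}

if __name__ == "__main__":
    for name, findings in audit_all(INVENTORY, datetime.now(timezone.utc)).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

Run on a schedule against the real inventory, the long-lived self-signed entry is reported on every pass for its lifetime and trust model, not only in the final weeks before it expires.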

admin
