IBM Cloud Docs
Why did my locked certificate move to the Destroyed state?

You have an SSL/TLS certificate that you manage in IBM Cloud® Secrets Manager, but it still expires even though it is locked.

You want to prevent an SSL/TLS certificate in your Secrets Manager service instance from expiring, so you attach one or more locks to it. But, when your certificate reaches its expiration date, it still moves to the Destroyed state.

A lock on an SSL/TLS certificate prevents you or another authorized user from deleting the certificate from your instance, for example so that it is preserved during a security audit. A lock can't prevent the certificate from reaching its expiration date.

The validity period of an X.509 certificate (its notBefore and notAfter dates) is part of the structure that the issuing CA signs, so it can't be changed after issuance without invalidating the signature, and associating the certificate with one or more locks in Secrets Manager does not change it either. When your certificate passes its notAfter date, it is no longer valid. In Secrets Manager, a secret that is no longer valid moves to the Destroyed state.

To avoid downtime in your applications that results from an expired certificate, be sure to set up Event Notifications to alert you when certificates are about to expire. Then, rotate your certificates and deploy the new versions to your SSL/TLS termination points. For suggested guidelines around periodic rotation of certificates, see Best practices for rotating and locking secrets.
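The check below is an added example, not code from the IBM Cloud docs or from Secrets Manager. It reproduces, on a certificate file you hold locally, the comparison that an expiry alert performs: is notAfter inside the alert window? It assumes the `openssl` CLI is on your PATH, and it constructs a throwaway self-signed certificate valid for 30 days as sample input, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the IBM Cloud docs): warn when a certificate's notAfter date
# falls inside an alert window, the same condition an expiry notification fires on.
# Assumes the openssl CLI is installed. The certificate is constructed test data.
set -eu

WORKDIR="$(mktemp -d)"
CERT="$WORKDIR/cert.pem"
KEY="$WORKDIR/key.pem"

# Constructed sample input: a self-signed certificate that expires 30 days from now.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CERT" \
        -days 30 -subj "/CN=example.test" >/dev/null 2>&1
}

# Print the signed notAfter date; this value cannot be edited without breaking the signature.
not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Return 0 (true) if the certificate in $2 expires within $1 days, 1 (false) otherwise.
# openssl -checkend exits 0 when the certificate is still valid at the end of the window,
# so the result is inverted to read naturally in an "if" statement.
expires_within_days() {
    days="$1"
    cert="$2"
    if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null; then
        return 1    # valid past the window: no action yet
    fi
    return 0        # notAfter is inside the window: rotate and redeploy now
}

make_sample_cert
echo "notAfter: $(not_after "$CERT")"
if expires_within_days 60 "$CERT"; then
    echo "rotate: certificate expires within 60 days"
else
    echo "ok: certificate valid for more than 60 days"
fi
```

Run it with a real certificate by replacing `$CERT` with the path to the PEM you deploy, and set the day count to the same threshold as your Event Notifications expiry alert so that the local check and the alert agree.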