Certificate lifecycle: Key generation → CSR (Certificate Signing Request) → CA verification → Issuance → Installation → Renewal → Revocation (if compromised).
Expired or improperly revoked certificates break services. Revocation is handled through CRLs (Certificate Revocation Lists) and OCSP (Online Certificate Status Protocol). Automate certificate renewal (Let's Encrypt / ACME protocol) to prevent expiry-related outages.
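The first lifecycle stages and the renewal decision, as an added example that is not part of the original page. It assumes the `openssl` CLI is installed; the throwaway local CA stands in for a real CA, and the names `demo.example.test` and `Demo Test CA` are constructed.

```shell
# issue_cert DIR DAYS
# Key generation -> CSR -> CA check -> issuance, using a throwaway CA in DIR.
issue_cert() {
  # Throwaway CA key and self-signed CA certificate (constructed, test use only).
  openssl req -x509 -newkey rsa:2048 -nodes \
    -keyout "$1/ca.key" -out "$1/ca.crt" -days 30 \
    -subj "/CN=Demo Test CA" >/dev/null 2>&1 || return 1

  # Key generation + CSR: the private key stays with the requester,
  # only the CSR (public key + subject, signed by that key) goes to the CA.
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$1/server.key" -out "$1/server.csr" \
    -subj "/CN=demo.example.test" >/dev/null 2>&1 || return 1

  # CA-side check: the CSR's self-signature proves possession of the key.
  # (A real CA also validates control of the name; not modelled here.)
  openssl req -in "$1/server.csr" -noout -verify >/dev/null 2>&1 || return 1

  # Issuance: the CA signs the CSR with a validity of DAYS days.
  openssl x509 -req -in "$1/server.csr" \
    -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -out "$1/server.crt" -days "$2" >/dev/null 2>&1 || return 1
}

# needs_renewal CERT WINDOW_DAYS
# Returns 0 (true) when CERT expires within WINDOW_DAYS days.
# `openssl x509 -checkend N` exits 0 only if the certificate is still
# valid N seconds from now, so the result is negated here.
# An unreadable or missing file also reports "needs renewal", which
# surfaces the problem instead of hiding it.
needs_renewal() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}
```

Run from a scheduled job, `needs_renewal /path/to/cert.pem 30` gives an exit status that can trigger the renewal step or an alert well before the expiry date.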