- Track expirations actively. Each entity dashboard shows days-to-expiry. Renew at 30 days out, not the morning of.
- Renew before the tax authority's system goes down. Most authorities have planned maintenance windows. Don't renew in those windows.
- One person per entity owns credentials. Diffuse ownership is how credentials lapse. Name an owner in your operations docs.
- Test after every renewal. Issue a $1 test invoice. Stamping silently fails when password formats change.
- Never commit credentials to source control or shared drives. OMB Cloud stores them encrypted at rest. That's where they belong.
Best practices: credential hygiene
CSDs expire. Signature certificates expire. A blocked stamp on a Friday afternoon is avoidable.