Error Guides

SSL Certificate Expired Error Explained

An expired SSL certificate causes browser warnings and breaks HTTPS. Learn what causes certificate expiry, how to diagnose it, and how to prevent it.

An SSL certificate expired error occurs when a certificate's Not After date has passed. All TLS certificates have a fixed validity period — public certificates are currently limited to 398 days maximum by CA/Browser Forum rules. After this date, browsers refuse to accept the certificate and display a warning that prevents users from accessing the site.

What the Error Looks Like

  • Chrome: "Your connection is not private" with error code NET::ERR_CERT_DATE_INVALID
  • Firefox: "Warning: Potential Security Risk Ahead" with error code SEC_ERROR_EXPIRED_CERTIFICATE
  • Safari: "This Connection Is Not Private" — Safari certificate has expired.

How to Diagnose the Issue

Paste the certificate into the decoder. The Validity Period section will show the Not After date in red with an "Expired" status if the certificate has passed its expiry date. You can also use the command line:

openssl s_client -connect yourdomain.com:443 </dev/null 2>/dev/null | openssl x509 -noout -dates

Common Causes

  • Auto-renewal failed silently: Your ACME client (Certbot, etc.) failed to renew and no alert was sent
  • Manual renewal overlooked: Commercial certificate renewal is a manual step with a deadline
  • Server provisioning error: New server deployment used an old cert file
  • Multiple certificate sources: A load balancer or CDN served a different cert than the one you renewed

How to Fix It

  1. Renew the certificate from your CA (Let's Encrypt: certbot renew --force-renewal)
  2. Deploy the new certificate to all servers and load balancers
  3. Restart or reload the web server/proxy (nginx -s reload, systemctl reload apache2)
  4. Verify with the decoder that the new cert is live with the correct expiry

How to Prevent It

  • Use automated ACME-based renewal (Let's Encrypt with Certbot, Caddy, or Traefik)
  • Set calendar reminders 30 and 7 days before expiry for manually-renewed certs
  • Set up monitoring (Uptime Robot, Datadog, Prometheus) to alert on expiring certificates
  • The decoder result page shows days remaining — bookmark your cert's result page for quick checks

Ready to inspect a certificate?

Use the free decoder to decode any PEM certificate and see all fields including sans, fingerprints, validity dates, and extensions.

Decode a Certificate