Invalid SSL Certificate: Causes & How to Fix

Jul 13, 2026
Updated Jul 13, 2026 SSL & TLS invalid ssl certificate ssl certificate invalid fix ssl certificate error certificate name mismatch

An invalid SSL certificate is one a browser refuses to trust, throwing a full-page warning like NET::ERR_CERT_AUTHORITY_INVALID or Your connection is not private instead of loading the site. The certificate exists, but something about it — its dates, its name, its issuer, or its chain — fails validation. This guide covers the common causes and how to fix each one.

What makes an SSL certificate invalid?

When a browser connects over HTTPS it checks the certificate against several rules from the X.509 standard (RFC 5280). If any check fails, the certificate is treated as invalid and the connection is blocked. Almost every case comes down to one of the causes below.

Common causes and how to fix them

CauseTypical errorFix
Expired certificateNET::ERR_CERT_DATE_INVALIDRenew the certificate. See how to renew.
Name mismatchERR_CERT_COMMON_NAME_INVALIDThe domain is not listed in the certificate's Subject Alternative Names. Reissue the certificate to include the exact hostname (including www if used).
Self-signed / untrusted issuerERR_CERT_AUTHORITY_INVALIDReplace with a certificate from a publicly trusted CA.
Incomplete chainunable to get local issuer certificateInstall the intermediate certificates. See the certificate chain.
Wrong system clockERR_CERT_DATE_INVALID on the clientA valid certificate looks expired or not-yet-valid if the device's clock is wrong. Fix the client's date and time.
Revoked certificateERR_CERT_REVOKEDThe CA revoked it (often after a key compromise). Reissue a new certificate.

How to diagnose an invalid certificate

# see the certificate's dates, subject and SANs
openssl s_client -connect example.com:443 -servername example.com | openssl x509 -noout -dates -subject -ext subjectAltName

For a plain-language report that names the exact problem — expired, mismatched, self-signed, or missing intermediates — run the domain through the free SSL certificate checker.

Name mismatch: the most common surprise

Modern browsers ignore the old Common Name field and validate the hostname only against the certificate's Subject Alternative Name (SAN) list. A certificate issued for example.com that does not also list www.example.com will be invalid on the www version of the site, and vice versa. When reissuing, include every hostname visitors actually use.

Related SSL guides

Two of the causes above have dedicated guides: the SSL certificate chain (for issuer errors) and renewing a certificate (for expiry). To stop expiry surprises before users see them, set up SSL certificate monitoring.

Frequently asked questions

Why does my certificate say invalid when it looks fine?

The two sneakiest causes are a missing intermediate (valid certificate, broken chain) and a wrong clock on the visitor's device (valid certificate, wrong "now"). Check the chain first, then the client's date.

Is a self-signed certificate invalid?

To the public it effectively is — no browser trusts it by default, so users get a warning. Self-signed certificates are fine for internal testing but not for a public site.

How do I fix a name mismatch error?

Reissue the certificate with every hostname you serve listed in the Subject Alternative Names, including both the bare domain and the www subdomain if you use it.

Scan for these vulnerabilities

Secably automatically detects the issues discussed in this article.

Start Free Scan