Troubleshooting Guides

Why Does My SSL Certificate Show as Not Trusted

Fix SSL certificate not trusted errors caused by expired certificates, self-signed certificates, missing intermediate chains, wrong hostnames or CDN SSL issues.

By CheckDomainHealth Editorial Team Reviewed by Dionis Ceban Updated Jun 28, 2026 9 min read Intermediate

Introduction

A “certificate not trusted” warning means the browser or client could not validate the SSL/TLS certificate presented by the server. This is different from a normal HTTP error because the secure connection fails during certificate validation, often before the page loads.

Common causes include expired certificates, self-signed certificates, missing intermediate chain files, hostname mismatch, wrong certificate installed on the active virtual host, CDN SSL misconfiguration, or CAA records blocking issuance. The fix depends on whether the problem is trust, expiry, chain completeness or hostname coverage.

Quick answer

Quick answer

If a certificate is not trusted, check expiry, issuer, hostname coverage, intermediate chain and whether the warning appears at the CDN edge or origin. Install the full certificate chain for a publicly trusted CA, renew expired certificates, replace self-signed certificates for public sites, and ensure the active hostname is listed in the certificate SAN names.

Certificate not trusted

Browsers trust certificates that chain to a recognized public root CA and match the hostname being visited. A warning appears when one of those requirements fails.

Expired certificate

The notAfter date has passed and the certificate is no longer valid.

Self-signed certificate

The certificate was signed by the server itself rather than a public CA.

Missing chain

Intermediate certificates were not installed, so clients cannot build a trusted path.

Hostname mismatch

The certificate does not include the exact hostname in the address bar.

CDN SSL issue

The edge or origin certificate at the CDN layer is invalid, expired or misconfigured.

Always test the exact hostname users visit, including root domain, www and important subdomains.

Why this matters

Why this matters

Untrusted certificates matter because visitors may abandon the site, browsers may block form submissions, APIs may fail, search engines may treat the site as insecure, and monitoring tools may report HTTPS failures even when HTTP appears reachable.

Trust warnings also reduce confidence in login pages, checkout flows and admin areas. Fixing the certificate path and hostname coverage restores normal HTTPS behavior.

How to check

Use SSL Checker, Website Status Checker and openssl s_client to inspect the live certificate served on the public hostname.

  1. Exact hostname — Test the URL shown in the browser address bar.
  2. Expiry dates — Confirm notBefore and notAfter are valid.
  3. Issuer — Check whether the certificate comes from a public CA or is self-signed.
  4. Subject and SAN names — Verify hostname coverage for root, www and subdomains.
  5. Certificate chain — Confirm intermediate certificates are sent by the server.
  6. CDN vs origin — Test public hostname and origin separately if a CDN is used.
  7. CAA records — Review whether DNS restricts which CA may issue certificates.
Check live certificate with OpenSSL
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates

Check certificate trust

Use SSL Checker to inspect expiry, issuer, hostname coverage, chain completeness and HTTPS response.

Run SSL Check →

Common problems

Expired certificate

High

The certificate notAfter date has passed.

Next step: Renew or reissue the certificate and reload the web server or CDN.

Self-signed certificate on a public site

High

The server uses a certificate not signed by a public CA.

Next step: Replace it with a certificate from a trusted CA such as Let's Encrypt or your provider.

Missing intermediate chain

High

The server sends only the leaf certificate, not the full chain.

Next step: Install fullchain.pem or the provider-supplied CA bundle on the server or CDN.

Hostname mismatch

High

Visitors open www.example.com but the certificate covers only example.com, or vice versa.

Next step: Reissue the certificate with the correct SAN names or redirect consistently.

Wrong certificate on active virtual host

High

An old or default certificate is served for the live site.

Next step: Check web server vhost, SNI and the certificate path configured for the domain.

CDN edge certificate invalid

High

The CDN presents an expired, pending or mismatched edge certificate.

Next step: Review CDN SSL/TLS settings and certificate status in the CDN dashboard.

CDN cannot validate origin certificate

Medium

The edge works, but strict origin validation fails because the origin cert is self-signed or expired.

Next step: Install a valid origin certificate or adjust CDN SSL mode appropriately.

Certificate renewed but old file still served

Medium

Renewal succeeded, but Nginx, Apache, LiteSpeed or the CDN still serves the previous certificate.

Next step: Reload the service and confirm the live file path matches the renewed certificate.

CAA record blocks issuance

Medium

DNS CAA records prevent the chosen CA from issuing a replacement certificate.

Next step: Review CAA records and allow the intended certificate authority.

Testing the wrong hostname

Low

The certificate is valid for one hostname but the warning appears on another subdomain.

Next step: Check SAN names and test every active public hostname separately.

How to fix trust issues

  1. Step 1: Test the public hostname

    Use SSL Checker and openssl s_client on the exact URL visitors use.

  2. Step 2: Check expiry and issuer

    Confirm the certificate is current and issued by the expected CA.

  3. Step 3: Verify hostname coverage

    Review Subject and SAN names for root, www and required subdomains.

  4. Step 4: Install the full chain

    Upload leaf plus intermediate certificates as fullchain or CA bundle.

  5. Step 5: Replace self-signed certificates

    Use a publicly trusted CA certificate for production websites.

  6. Step 6: Reload web server or CDN

    Apply the new certificate to the active vhost or edge configuration.

  7. Step 7: Check CDN/origin separately

    Fix edge and origin certificates independently if a CDN is involved.

  8. Step 8: Re-test externally

    Confirm browsers and SSL Checker show a trusted chain with no warnings.

Examples

Inspect certificate dates and issuer
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates
Show full certificate chain
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null
Check SAN names
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName
Example: missing intermediate chain
Browser warning:
NET::ERR_CERT_AUTHORITY_INVALID

OpenSSL issuer on live site:
issuer=CN = R3

Problem:
Intermediate certificate not sent by server.

Fix:
Install fullchain.pem instead of cert.pem only.
Example: CDN vs origin mismatch
Public hostname:
https://www.example.com  trusted edge certificate

Origin check:
https://origin.example.com  expired self-signed certificate

Problem:
Strict CDN-to-origin validation fails.

Fix:
Install valid origin certificate or adjust CDN SSL mode.

Examples are illustrative. Replace example.com with your real hostname and review your web server or CDN documentation before changing live certificates.

Frequently asked questions

Why does my browser say the certificate is not trusted?

The certificate may be expired, self-signed, missing an intermediate chain, issued for another hostname, or served from the wrong server or CDN layer.

Does an expired certificate always show “not trusted”?

Yes. Browsers and clients reject certificates after the notAfter date unless the client ignores expiry, which normal browsers do not do.

Can a missing intermediate certificate cause trust errors?

Yes. If the server does not send the full chain, clients may fail to build a trusted path to a public root CA.

Why does the certificate look valid in the hosting panel but not in the browser?

The panel may show the leaf certificate while the live site serves an old file, wrong virtual host, incomplete chain or CDN edge certificate.

Can a CDN cause a not trusted warning?

Yes. The CDN edge certificate, origin certificate or SSL mode may be misconfigured even when the origin panel looks correct.

Is a self-signed certificate ever trusted by browsers?

Not by default. Self-signed certificates are useful for internal testing but are not publicly trusted unless manually installed.

How do I confirm the fix worked?

Run SSL Checker and test the exact public hostname externally with a browser and openssl s_client.

Use these free tools to verify your configuration after applying changes.

Browse all Troubleshooting guides →

Need help applying this fix?

Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.

Get Help Run Domain Health Check

Was this guide helpful?

Your feedback helps us improve our guides for everyone.