Why Does My SSL Certificate Show as Not Trusted
Fix SSL certificate not trusted errors caused by expired certificates, self-signed certificates, missing intermediate chains, wrong hostnames or CDN SSL issues.
Introduction
A “certificate not trusted” warning means the browser or client could not validate the SSL/TLS certificate presented by the server. This is different from a normal HTTP error because the secure connection fails during certificate validation, often before the page loads.
Common causes include expired certificates, self-signed certificates, missing intermediate chain files, hostname mismatch, wrong certificate installed on the active virtual host, CDN SSL misconfiguration, or CAA records blocking issuance. The fix depends on whether the problem is trust, expiry, chain completeness or hostname coverage.
Quick answer
If a certificate is not trusted, check expiry, issuer, hostname coverage, intermediate chain and whether the warning appears at the CDN edge or origin. Install the full certificate chain for a publicly trusted CA, renew expired certificates, replace self-signed certificates for public sites, and ensure the active hostname is listed in the certificate SAN names.
Certificate not trusted
Browsers trust certificates that chain to a recognized public root CA and match the hostname being visited. A warning appears when one of those requirements fails.
Expired certificate
The notAfter date has passed and the certificate is no longer valid.
Self-signed certificate
The certificate was signed by the server itself rather than a public CA.
Missing chain
Intermediate certificates were not installed, so clients cannot build a trusted path.
Hostname mismatch
The certificate does not include the exact hostname in the address bar.
CDN SSL issue
The edge or origin certificate at the CDN layer is invalid, expired or misconfigured.
Always test the exact hostname users visit, including root domain, www and important subdomains.
Why this matters
Untrusted certificates matter because visitors may abandon the site, browsers may block form submissions, APIs may fail, search engines may treat the site as insecure, and monitoring tools may report HTTPS failures even when HTTP appears reachable.
Trust warnings also reduce confidence in login pages, checkout flows and admin areas. Fixing the certificate path and hostname coverage restores normal HTTPS behavior.
How to check
Use SSL Checker, Website Status Checker and openssl s_client to inspect the live certificate served on the public hostname.
- Exact hostname — Test the URL shown in the browser address bar.
- Expiry dates — Confirm notBefore and notAfter are valid.
- Issuer — Check whether the certificate comes from a public CA or is self-signed.
- Subject and SAN names — Verify hostname coverage for root, www and subdomains.
- Certificate chain — Confirm intermediate certificates are sent by the server.
- CDN vs origin — Test public hostname and origin separately if a CDN is used.
- CAA records — Review whether DNS restricts which CA may issue certificates.
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates
Check certificate trust
Use SSL Checker to inspect expiry, issuer, hostname coverage, chain completeness and HTTPS response.
Common problems
Expired certificate
HighThe certificate notAfter date has passed.
Next step: Renew or reissue the certificate and reload the web server or CDN.
Self-signed certificate on a public site
HighThe server uses a certificate not signed by a public CA.
Next step: Replace it with a certificate from a trusted CA such as Let's Encrypt or your provider.
Missing intermediate chain
HighThe server sends only the leaf certificate, not the full chain.
Next step: Install fullchain.pem or the provider-supplied CA bundle on the server or CDN.
Hostname mismatch
HighVisitors open www.example.com but the certificate covers only example.com, or vice versa.
Next step: Reissue the certificate with the correct SAN names or redirect consistently.
Wrong certificate on active virtual host
HighAn old or default certificate is served for the live site.
Next step: Check web server vhost, SNI and the certificate path configured for the domain.
CDN edge certificate invalid
HighThe CDN presents an expired, pending or mismatched edge certificate.
Next step: Review CDN SSL/TLS settings and certificate status in the CDN dashboard.
CDN cannot validate origin certificate
MediumThe edge works, but strict origin validation fails because the origin cert is self-signed or expired.
Next step: Install a valid origin certificate or adjust CDN SSL mode appropriately.
Certificate renewed but old file still served
MediumRenewal succeeded, but Nginx, Apache, LiteSpeed or the CDN still serves the previous certificate.
Next step: Reload the service and confirm the live file path matches the renewed certificate.
CAA record blocks issuance
MediumDNS CAA records prevent the chosen CA from issuing a replacement certificate.
Next step: Review CAA records and allow the intended certificate authority.
Testing the wrong hostname
LowThe certificate is valid for one hostname but the warning appears on another subdomain.
Next step: Check SAN names and test every active public hostname separately.
How to fix trust issues
-
Step 1: Test the public hostname
Use SSL Checker and openssl s_client on the exact URL visitors use.
-
Step 2: Check expiry and issuer
Confirm the certificate is current and issued by the expected CA.
-
Step 3: Verify hostname coverage
Review Subject and SAN names for root, www and required subdomains.
-
Step 4: Install the full chain
Upload leaf plus intermediate certificates as fullchain or CA bundle.
-
Step 5: Replace self-signed certificates
Use a publicly trusted CA certificate for production websites.
-
Step 6: Reload web server or CDN
Apply the new certificate to the active vhost or edge configuration.
-
Step 7: Check CDN/origin separately
Fix edge and origin certificates independently if a CDN is involved.
-
Step 8: Re-test externally
Confirm browsers and SSL Checker show a trusted chain with no warnings.
Examples
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName
Browser warning:
NET::ERR_CERT_AUTHORITY_INVALID
OpenSSL issuer on live site:
issuer=CN = R3
Problem:
Intermediate certificate not sent by server.
Fix:
Install fullchain.pem instead of cert.pem only.
Public hostname:
https://www.example.com → trusted edge certificate
Origin check:
https://origin.example.com → expired self-signed certificate
Problem:
Strict CDN-to-origin validation fails.
Fix:
Install valid origin certificate or adjust CDN SSL mode.
Examples are illustrative. Replace example.com with your real hostname and review your web server or CDN documentation before changing live certificates.
Frequently asked questions
Why does my browser say the certificate is not trusted?
The certificate may be expired, self-signed, missing an intermediate chain, issued for another hostname, or served from the wrong server or CDN layer.
Does an expired certificate always show “not trusted”?
Yes. Browsers and clients reject certificates after the notAfter date unless the client ignores expiry, which normal browsers do not do.
Can a missing intermediate certificate cause trust errors?
Yes. If the server does not send the full chain, clients may fail to build a trusted path to a public root CA.
Why does the certificate look valid in the hosting panel but not in the browser?
The panel may show the leaf certificate while the live site serves an old file, wrong virtual host, incomplete chain or CDN edge certificate.
Can a CDN cause a not trusted warning?
Yes. The CDN edge certificate, origin certificate or SSL mode may be misconfigured even when the origin panel looks correct.
Is a self-signed certificate ever trusted by browsers?
Not by default. Self-signed certificates are useful for internal testing but are not publicly trusted unless manually installed.
How do I confirm the fix worked?
Run SSL Checker and test the exact public hostname externally with a browser and openssl s_client.
Related tools
Use these free tools to verify your configuration after applying changes.
Related guides
Browse all Troubleshooting guides →Need help applying this fix?
Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.
Was this guide helpful?
Your feedback helps us improve our guides for everyone.
Thanks for your feedback!