What to Check When an SSL Certificate Looks Broken
HTTPS failures can come from expired certificates, missing intermediates, hostname mismatches, DNS changes, or a deployment that served the wrong certificate. A quick checklist makes the problem less mysterious.
Check the hostname first
Certificates are issued for specific names. If the certificate does not match the hostname users visit, browsers will warn even if the certificate is otherwise valid. Check both the root domain and the www or subdomain version.
Look at expiry before anything else
Expired certificates are common and easy to miss until users report errors. Track the expiration date and renew early enough that DNS, deployment, and CDN propagation do not create a last-minute incident.
Verify the certificate chain
A certificate can be valid but still fail if the intermediate chain is incomplete. Some clients are forgiving, while others are strict. Chain problems often appear after moving hosting providers or changing CDN settings.
Remember DNS and hosting layers
If a domain points to the wrong service, that service may present a certificate for a different project. After DNS changes, check the resolved target and confirm the host is attached to the right deployment.
Document the fix
Certificate issues are recurring operational tasks. After fixing one, document the renewal path, owner, provider, and expected alerting so the same issue is easier to solve next time.
Try the related tool
Open SSL Checker to apply this workflow in your browser.