Fix a certificate that is expired

We'll confirm the expiry date, rule out clock issues, verify the chain and CA trust, then renew or replace the certificate—or tell you when to contact the party that manages it.

Category
Troubleshooting · Home maintenance
Time
10–30 min
What you'll need
  • Access to the server or hosting dashboard (if you manage the cert)
  • openssl (command-line, for inspection)
  • certbot (optional, for Let's Encrypt)

Step-by-step diagnostic

Confirm expiry and clock

Goal: Verify the certificate is actually expired and rule out system clock issues.

  • Click the padlock or warning in the address bar and view certificate details. Note “Valid from” and “Valid to.”
  • Or run openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates (the </dev/null closes stdin so s_client exits instead of waiting for input). You should see notBefore and notAfter; if today is past notAfter, the cert is expired.
  • Check the system clock. A wrong date can make a valid cert appear expired. Linux: date. Windows: Settings > Time & language. Sync with NTP if needed.
  • Good: Clock is correct and cert is expired—proceed to Verify chain and CA. Bad: Clock was wrong—fix it, retest.

Verify chain and CA trust

Goal: Ensure the certificate chain is complete and the CA is trusted.

  • Run openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null. Inspect the chain—each cert should be signed by the next. Missing intermediates cause trust errors.
  • Check the verify return code: openssl s_client -connect example.com:443 -servername example.com </dev/null 2>&1 | grep -i "verify return code". Code 0 means OK. Non-zero means a chain or trust issue.
  • Good: Full chain and verify return code 0. Bad: Broken chain—install full chain from your CA. See fix-ssl-shows-error for cert mismatch.
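The two checks above (expiry against the clock, then the verify return code) can be scripted so the same openssl output is judged consistently. The following is an added example, not part of this guide: it parses the text that openssl x509 -noout -dates and openssl s_client print, classifies the validity window against a clock you supply (so you can see how a wrong system clock makes a good certificate look expired or not yet valid), and maps the common verify return codes to the step in this guide that handles them. The sample outputs are constructed, and the code mapping covers only the X509_V_* values this guide's steps turn on.

```python
import re
from datetime import datetime, timedelta, timezone

# Date format printed by `openssl x509 -noout -dates`, e.g. "notAfter=May 30 23:59:59 2025 GMT".
# OpenSSL space-pads single-digit days ("Jun  2 ..."); strptime's %d accepts that.
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"

# Constructed sample (not from a real host), in the exact shape `openssl x509 -noout -dates` prints.
SAMPLE_DATES = """notBefore=Mar  1 00:00:00 2025 GMT
notAfter=May 30 23:59:59 2025 GMT
"""

# Constructed sample tails of `openssl s_client` output; only the "Verify return code" line is used.
SAMPLE_S_CLIENT_EXPIRED = "...\n    Verify return code: 10 (certificate has expired)\n---\n"
SAMPLE_S_CLIENT_CHAIN = "...\n    Verify return code: 20 (unable to get local issuer certificate)\n---\n"
SAMPLE_S_CLIENT_OK = "...\n    Verify return code: 0 (ok)\n---\n"

# Verify return codes (OpenSSL X509_V_* values) that this guide's steps turn on.
VERIFY_CODES = {
    0:  ("ok",          "chain verified"),
    9:  ("clock",       "certificate not yet valid: check the system clock before anything else"),
    10: ("expired",     "certificate has expired: renew it, after confirming the clock is right"),
    18: ("self_signed", "self-signed leaf certificate: fine for local use, use a trusted CA for public sites"),
    19: ("self_signed", "self-signed certificate in chain: the chain does not reach a trusted root"),
    20: ("chain",       "issuer certificate not found: install the full chain (intermediates) from your CA"),
    21: ("chain",       "leaf signature cannot be verified: install the full chain (intermediates) from your CA"),
}


def parse_openssl_dates(dates_output):
    """Return (notBefore, notAfter) as UTC datetimes from `openssl x509 -noout -dates` output."""
    found = {}
    for line in dates_output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            found[key] = datetime.strptime(value.strip(), OPENSSL_DATE_FMT).replace(tzinfo=timezone.utc)
    if "notBefore" not in found or "notAfter" not in found:
        raise ValueError("expected both notBefore= and notAfter= lines")
    return found["notBefore"], found["notAfter"]


def validity_status(dates_output, now_utc=None, warn_days=14):
    """Classify the validity window against a clock.

    now_utc is a "YYYY-MM-DD HH:MM:SS" string read as UTC (so the same certificate can be
    checked against a correct and a wrong clock), or None for the real current time.
    Returns "not_yet_valid", "expired", "expiring_soon" or "valid".
    """
    if now_utc is None:
        now = datetime.now(timezone.utc)
    else:
        now = datetime.strptime(now_utc, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    not_before, not_after = parse_openssl_dates(dates_output)
    if now < not_before:
        return "not_yet_valid"      # a clock set behind real time lands here
    if now > not_after:
        return "expired"            # a clock set ahead of real time lands here too: check it first
    if not_after - now <= timedelta(days=warn_days):
        return "expiring_soon"
    return "valid"


def triage_verify_code(s_client_output):
    """Return (code, category, advice) from the 'Verify return code' line of `openssl s_client` output."""
    m = re.search(r"Verify return code:\s*(\d+)\s*\(([^)]*)\)", s_client_output)
    if not m:
        raise ValueError("no 'Verify return code' line found; did the connection fail?")
    code = int(m.group(1))
    category, advice = VERIFY_CODES.get(code, ("other", "openssl reports: " + m.group(2)))
    return code, category, advice


if __name__ == "__main__":
    # Same certificate, two clocks: a correct one, and a machine whose clock runs a year behind.
    print("correct clock      :", validity_status(SAMPLE_DATES, "2025-06-15 12:00:00"))
    print("clock a year behind:", validity_status(SAMPLE_DATES, "2024-06-15 12:00:00"))
    for sample in (SAMPLE_S_CLIENT_EXPIRED, SAMPLE_S_CLIENT_CHAIN, SAMPLE_S_CLIENT_OK):
        print(triage_verify_code(sample))
```

To use it on a live host, pipe the real output in: save the result of the x509 -dates command to a file and pass its contents to validity_status with now_utc=None, and pass the s_client output to triage_verify_code. The category tells you which step to jump to: "clock" or "expired" back to the clock check, "chain" to the full-chain install, "self_signed" to the self-signed section.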

Renew with Let’s Encrypt

Goal: Renew a Let’s Encrypt certificate using certbot.

  • Run certbot renew (or certbot certonly for manual). Certbot handles chain and renewal.
  • Restart or reload the web server after renewal: systemctl reload nginx or systemctl reload apache2.
  • Good: “Congratulations” or “Certificate not yet due for renewal.” No expiry errors in the browser. Bad: Rate limit, DNS, or validation error—capture output, contact support.

Renew through CA or host

Goal: Renew a certificate from a commercial CA or hosting provider.

  • Log into your CA portal or hosting dashboard. Follow their renewal flow.
  • Download the new certificate and full chain. Install to your server (paths vary by server software). Reload the web server.
  • Good: New expiry date in the browser, no warnings. Bad: Renewal fails—capture error, contact CA or host support.

Replace self-signed

Goal: Generate and install a new self-signed certificate for internal use.

  • Run openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes. Install cert and key; reload the server.
  • Browsers will still warn (self-signed)—acceptable for local use only. For public sites, use a trusted CA.

Escalate

Goal: Know when to hand off.

  • If a third party owns the site, contact them—you cannot renew their cert.
  • If renewal fails (rate limits, DNS, validation), capture the exact error output and steps tried. Contact your CA or host support.

Verification

  • The certificate shows a future expiry date in the browser or openssl x509 -noout -dates.
  • No “expired” or “not secure” warnings when visiting the site.
  • openssl s_client shows verify return code 0 (ok).

Escalation ladder

Work from the device outward. Stop when the problem is fixed.

  1. Confirm expiry: check the expiry date in the browser or with openssl; rule out a wrong system clock.
  2. Verify chain and CA: inspect the chain with openssl s_client -showcerts; confirm the CA is trusted.
  3. Renew certificate: use certbot (Let's Encrypt), the CA portal, or the host dashboard to renew.
  4. Replace self-signed: generate a new self-signed cert for internal use.
  5. Escalate: contact the third party or CA/host support with the error output and steps tried.

What to capture if you need help

Before calling support or posting for help, have these ready. It speeds everything up.

  • Expiry date (notBefore, notAfter) from openssl or browser
  • System clock (date command or OS settings)
  • openssl s_client -showcerts output (chain)
  • Verify return code from openssl
  • Who manages the cert (you, host, third party)
  • Exact error message if renewal fails

Does the browser or tool report the certificate as expired?

Check the padlock or warning in the address bar, or run openssl x509 -noout -dates on the cert.

Click the padlock or warning and view certificate details. Or run openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null | openssl x509 -noout -dates. Good: you see notBefore/notAfter; today past notAfter means expired. Bad: unclear—capture the exact error.


Is the system clock correct?

A wrong date can make a valid cert appear expired.

Check date and time on your computer. Linux: date. Windows: Settings > Time & language. Sync with NTP if wrong. Good: clock is correct. Bad: clock was wrong—fix it, retest the site.


Fix clock and retest

Correct the system date and time. Sync with NTP. Retest the site. If the error persists, the cert is actually expired—proceed to determine who manages it.

Do you manage the certificate?

You manage it if you run the server or have access to the hosting dashboard. A third party manages it if it is their site (bank, SaaS).

Determine who can renew: you (server/host access), your host (dashboard), or a third party. You manage: proceed to renew. Third party: contact them—you cannot renew their cert.


Use Let's Encrypt or another CA?

Let's Encrypt uses certbot. Commercial CAs and hosts have their own renewal flow.

Let's Encrypt: run certbot renew, reload web server. CA or host: follow their renewal flow, install new cert and chain, reload. Self-signed: generate new with openssl req -x509, install, reload. See Renew with Let's Encrypt or Renew through CA or host.

Contact the party that manages the cert

You cannot renew a third party's certificate. Contact the site owner, hosting provider, or support. Provide the URL and that the certificate is expired. They must renew on their side.

Check chain and CA trust

If not "expired," the error may be chain or trust. See fix-ssl-shows-error.

The cert may have a chain or trust issue. Run openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null. Check the verify return code. See fix-ssl-shows-error for browser errors and cert mismatch.

Reviewed by Blackbox Atlas

Frequently asked questions

Why does my browser say the certificate is expired?
The certificate has passed its validity period (notBefore/notAfter). Check the system clock first—a wrong date can cause false expiry. If the clock is correct, the cert must be renewed by whoever manages it (you, your host, or a third party).
Can I fix an expired certificate myself?
Yes, if you control the server or site. Use certbot for Let's Encrypt, or renew through your CA or hosting provider. If a third party (e.g. SaaS, bank) owns the site, you cannot renew—contact them.
What if the certificate chain is broken?
A broken chain means intermediate certs are missing or wrong. Install the full chain from your CA (certificate + intermediates). Browsers need the full chain to validate. Use openssl s_client -showcerts to inspect.
