
What to Do When Your SSL Certificate Expires: Emergency Fix, Renewal, and Prevention

Introduction: Expiration Is More Than a Warning

When an SSL certificate expires, browsers may block access or show “Not Secure / Untrusted” warnings. This can disrupt critical flows such as login, payments, callbacks, and APIs. The key is to follow a clear order: recover trust quickly, complete renewal/replacement deployment, then prevent recurrence with monitoring.

1) Stop the bleeding: restore trusted HTTPS fast

Confirm the impact

  • Check whether the expired certificate covers all required domains/subdomains (SAN, wildcard, multi-domain bundles).
  • Verify certificate deployment on the real Internet-facing entry layer (reverse proxy, gateway, load balancer), not only the application server.

Fast recovery options

  • If you still have a previously issued certificate that is still within its validity period, roll back to it immediately and restart services.
  • Verify whether it is a chain issue (missing intermediate certificates). Deploy the full chain: server/leaf cert + intermediate certs.
  • If needed, use a temporary strategy (e.g., maintenance window) while the official renewal is in progress.

2) Renewal / Replacement: run the standard workflow

1. Review certificate scope and decide strategy

  • List all domains covered by the certificate.
  • Decide whether to keep the private key. If the key is unavailable or you need to change parameters/algorithm, you likely need a new CSR.

2. Generate CSR / Submit renewal to the CA

Submit a renewal or re-issuance request to your CA and complete domain validation (DNS/HTTP/email as required). Ensure the CSR matches your exact domain list and subject details.

3. Download the certificate bundle (including the full chain)

Deploy both the leaf/server certificate and the intermediate chain. A common cause of “the certificate was replaced but it still fails” is an incomplete chain configuration.

4. Deploy and restart services

  • Configure the correct paths for certificate, key, and chain files on Nginx/Apache/IIS (and any gateway layer).
  • In multi-layer architectures, replace the certificate where external traffic terminates first.

5. Verify the result

  • Check validity dates and trust chain in the browser.
  • Use SSL Labs or handshake checks to confirm there are no remaining errors.
  • Check for mixed content (HTTP resources loaded by HTTPS pages) so browsers do not keep showing warnings after the certificate itself is fixed.

3) Prevention: turn expiration into a managed process

  • Monitoring & alerts: start at least 30 days ahead; use multi-level reminders (90/60/30/7 days) for safety.
  • Private key backups & change logs: store private keys securely and document where the certificate is deployed and how services are restarted.
  • Automated renewal: for supported scenarios, automate renewal to reduce human error.
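
One way to implement the monitoring step, as an added example that is not part of the original article: a Python standard-library probe that handshakes with the Internet-facing endpoint using full verification, maps the remaining days onto the 90/60/30/7 reminder levels, and checks SAN coverage. The function names and the hosts passed on the command line are assumptions, and trust is evaluated against the system CA store.

```python
import socket, ssl, time

TIERS = (7, 30, 60, 90)  # reminder levels from the article, in days

def days_left(cert, now=None):
    """Whole days until notAfter, from an ssl.getpeercert() dict."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)

def alert_tier(days):
    """'expired', the tightest reminder tier reached (e.g. '30d'), or 'ok'."""
    if days < 0:
        return "expired"
    return next((f"{t}d" for t in TIERS if days <= t), "ok")

def san_covers(cert, name):
    """True if a DNS SAN matches name; '*.' matches exactly one left label."""
    name = name.lower()
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        value = value.lower()
        if value == name:
            return True
        if value.startswith("*.") and "." in name and name.split(".", 1)[1] == value[2:]:
            return True
    return False

def probe(host, port=443, required=(), timeout=5):
    """Handshake with the Internet-facing endpoint using full verification."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Expired leaf, missing intermediate and name mismatch all land here.
        return {"host": host, "status": "untrusted", "reason": exc.verify_message}
    d = days_left(cert)
    missing = [n for n in required if not san_covers(cert, n)]
    return {"host": host, "status": alert_tier(d), "days_left": d, "missing_names": missing}

if __name__ == "__main__":
    import sys
    for h in sys.argv[1:]:  # hosts to check, supplied by the operator
        print(probe(h, required=[h]))
```

Run it on a schedule against the hostname where external traffic terminates; an "untrusted" result with a reason such as an issuer lookup failure points to an incomplete chain rather than an expired leaf.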

Conclusion: faster recovery, fewer incidents

Handle certificate expiration with a repeatable process: emergency recovery, renewal deployment, full-chain verification, and monitoring to prevent recurrence. If you want to speed up CSR preparation, renewal guidance, and installation troubleshooting, visit our certificate management, online apply, and installation guide, or contact technical support for help.