To fix an expired SSL certificate, renew or reissue it with your hosting provider or certificate authority, install the new certificate with its full chain, and restart/reload your web server. Then set up auto-renewal and monitoring so it never expires again. Re-scan to confirm.
An expired certificate triggers a full-page browser warning that blocks most visitors. The fix is to renew and reinstall it, ideally with automation so it cannot recur. This guide covers renewal on the main platforms plus how to prevent repeat expiries.
Check your website
See how your site handles how to fix an expired ssl certificate — free, no account needed.
Business impact
An expired certificate is one of the most damaging, avoidable outages: browsers warn every visitor that your site is not secure, and most leave immediately. Renewing promptly restores trust and sales, and adding monitoring ensures this never silently happens again.
Why this happens
Certificates have fixed lifetimes (often 90 days for automated CAs, up to a year otherwise). Expiry happens when auto-renewal is not set up, or when it silently fails — commonly due to a DNS or firewall change breaking domain validation, or a manual renewal that was forgotten. The fix is renewal plus reliable automation and monitoring.
How to confirm the issue
Manually: click the padlock/warning in the browser and view the certificate's validity dates, or run echo | openssl s_client -connect yoursite.com:443 | openssl x509 -noout -dates.
With Plexa Trust: the scan reports "SSL Certificate Expired" (or Expiring Soon). Re-scan after renewal to confirm.
Step-by-step fix
Renew or reissue the certificate with your host or certificate authority.
Install the new certificate with its full chain (leaf + intermediates).
Reload or restart the web server so it serves the new certificate.
Enable automated renewal (ACME/Let's Encrypt or your host's auto-renew).
Add certificate monitoring so you are alerted well before future expiry.
Re-scan to confirm the certificate is valid.
Platform-specific fixes
cPanel / Shared hosting
Open SSL/TLS or the AutoSSL section.
Renew or run AutoSSL for the domain; most hosts reinstall automatically.
Confirm the new expiry date shows in the panel.
Let's Encrypt (Certbot)
Run
sudo certbot renewto renew all certificates.If it fails, check DNS/HTTP validation and firewall rules, then retry.
Reload the web server:
sudo systemctl reload nginx(or apache2).Add a cron job / timer so renewal runs automatically.
Cloudflare
If using Cloudflare's edge certificate, it renews automatically — check SSL/TLS → Edge Certificates.
For the origin certificate, reissue it under Origin Server and reinstall on your server.
AWS (ACM)
ACM auto-renews certificates that use DNS validation with a valid CNAME.
Ensure the validation CNAME still exists in Route 53/DNS; add it if missing.
How to verify the fix
Automate renewal so expiry cannot recur.
Always install the full chain to avoid "untrusted" errors.
Add certificate monitoring with alerts at 30/14/7 days, and re-scan to confirm.
Common mistakes
Renewing but forgetting to reload the server, so the old cert is still served.
Installing the leaf certificate without intermediates (causes trust errors).
Relying on manual renewal with no monitoring.
Frequently asked questions
Why did my certificate expire?
Usually because auto-renewal was not set up, or it failed silently after a DNS or firewall change broke domain validation.
How fast can I fix it?
Often within minutes using automated renewal or your host's panel, plus a server reload. DNS-validated reissues can take a little longer.
Why does it still show expired after renewing?
The web server is probably still serving the old certificate. Reload or restart it, and confirm you installed the new file in the right location.
What is the certificate chain?
Your leaf certificate plus intermediate certificates that link it to a trusted root. Missing intermediates cause "not trusted" errors on some devices.
How do I stop this happening again?
Enable automated renewal and add certificate monitoring that alerts you weeks before expiry.
Do Let's Encrypt certificates renew automatically?
They can, via Certbot's timer or your host, but renewal can fail silently — monitoring is still recommended as a safety net.
Will visitors be affected during renewal?
If the certificate is already expired, they see warnings until you reinstall. Renew before expiry to avoid any downtime.
How do I confirm it worked?
Re-scan with Plexa Trust and check the padlock; the "SSL Certificate Expired" finding should clear and show a future expiry date.
Think you've fixed it?
Run a free scan to verify the issue is resolved. Upgrade to Pro on Plexa Trust for the full audit, monitoring alerts, and score history.
Verify with a free scan