Introduction

A "certificate not trusted" warning means the browser or client does not accept the certificate chain your site is presenting. The leaf certificate may be expired, mismatched, self-signed, chained incorrectly, or simply not the one you thought you deployed. The fix is to inspect the exact certificate path being served and replace the untrusted piece, rather than reissuing certificates blindly.

Symptoms

  • Browsers show a certificate not trusted or connection not private warning
  • Some clients fail while others still connect, especially behind enterprise filtering or older devices
  • HTTPS recently changed, but trust warnings remain
  • The warning affects one hostname, one environment, or one edge location more than others
  • External SSL tests show chain, hostname, or issuer trust problems

Common Causes

  • The certificate is expired, self-signed, revoked, or issued for the wrong hostname
  • The intermediate chain is missing or incorrect
  • A stale load balancer, CDN, or proxy still serves an older certificate
  • The certificate was deployed to one layer but not every TLS termination point
  • A private or internal CA certificate is being exposed to public browsers unintentionally

Step-by-Step Fix

  1. Inspect the exact certificate and chain that the public hostname serves, including serial number, issuer, SANs, and expiry.
  2. Check whether the hostname on the warning matches the certificate names actually presented to clients.
  3. Verify that the full intermediate chain is installed correctly and that the server is not presenting an incomplete bundle.
  4. Compare every TLS termination point in the delivery path, including CDN, load balancer, reverse proxy, and origin if applicable.
  5. Replace or redeploy any stale certificate copy so all entry points serve the same trusted certificate set.
  6. If the site uses an internal PKI, confirm that it is only used where clients already trust that CA and not on public-facing routes.
  7. Clear SSL state or configuration caches on the relevant platform if certificate changes do not appear immediately.
  8. Retest with an external checker and multiple browsers to confirm the warning is gone for the real public path.
  9. Document certificate ownership and renewal scope so future replacements cover every hostname and proxy layer consistently.
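
The sketch below covers steps 1, 3, 4 and 5: it probes each TLS termination point by address with the same hostname, records why verification failed, and flags any endpoint serving a different leaf certificate. It is an added example, not part of the original page; the endpoint names and sample fingerprints are constructed, and the numeric codes are OpenSSL's X509 verify error codes as exposed by Python's ssl module.

```python
import hashlib, socket, ssl
from collections import Counter

# OpenSSL X509 verify codes, mapped to the causes this page lists.
CAUSES = {
    10: "certificate expired",
    18: "self-signed leaf certificate",
    19: "self-signed or private root in the served chain",
    20: "issuer not found: missing intermediate or untrusted CA",
    21: "leaf cannot be verified: incomplete chain",
    23: "certificate revoked",
    62: "hostname not covered by the certificate names",
}

def classify(code):
    return "trusted" if code == 0 else CAUSES.get(code, f"verify error {code}")

def probe(ip, hostname, port=443, timeout=5):
    """Return (leaf SHA-256 fingerprint, verify code) for one termination point."""
    code = 0
    try:  # pass 1: normal verification against the system trust store
        with socket.create_connection((ip, port), timeout) as s:
            with ssl.create_default_context().wrap_socket(s, server_hostname=hostname):
                pass
    except ssl.SSLCertVerificationError as e:
        code = e.verify_code
    ctx = ssl.create_default_context()  # pass 2: diagnostic only, reads the served bytes
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout) as s:
        with ctx.wrap_socket(s, server_hostname=hostname) as t:
            der = t.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest(), code

def compare(results):
    """results: {endpoint: (fingerprint, code)}; reference = most common fingerprint."""
    reference = Counter(fp for fp, _ in results.values()).most_common(1)[0][0]
    findings = []
    for name, (fp, code) in sorted(results.items()):
        if code:
            findings.append((name, classify(code)))
        if fp != reference:
            findings.append((name, "certificate differs from the other endpoints"))
    return findings

# Constructed sample results (not real fingerprints), shaped like probe() output.
SAMPLE = {"cdn": ("aa" * 32, 0), "lb": ("aa" * 32, 0),
          "origin": ("bb" * 32, 10), "proxy": ("aa" * 32, 20)}
```

Call probe() once per CDN, load balancer, proxy and origin address with the same hostname, then pass the collected results to compare().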