What Happens When an SSL Certificate Expires
The full timeline of an SSL certificate expiration: browser warnings, broken APIs, SEO impact, and lost revenue. What breaks and how fast.
Your SSL certificate just expired. Maybe you knew it was coming. Maybe you didn't. Either way, the damage starts immediately and compounds fast. Here's exactly what happens, how quickly things break, and what it takes to recover.
The Moment of Expiry: T+0
SSL certificates have a precise expiry timestamp, down to the second. The instant that timestamp passes, the certificate is no longer valid. Nothing dramatic happens on your server -- the certificate file is still there, your web server is still running, and your configuration hasn't changed. But every new connection attempt now involves a certificate that fails validation.
Your server doesn't know it's serving an expired certificate. It doesn't shut down or throw an error in your logs. It just keeps presenting the same certificate to every browser, API client, and webhook that connects. The problem is entirely on the client side -- and every client will react.
T+1 Minute: Browsers Start Blocking
Within seconds of expiry, every visitor to your site sees a full-page warning instead of your content.
Google Chrome displays "Your connection is not private" with error code NET::ERR_CERT_DATE_INVALID. The page is blocked by default. Users have to click "Advanced" and then "Proceed to [site] (unsafe)" to get through -- and most won't.
Firefox shows "Warning: Potential Security Risk Ahead" with a similar click-through option buried under "Advanced." The language is deliberately alarming.
Safari presents "This Connection Is Not Private" and offers to show details or go back. On iOS, the warning is even more prominent.
Mobile is worse
Mobile browsers on both iOS and Android make it significantly harder (or impossible) to bypass certificate warnings. Many mobile users will simply leave and never come back.
The key thing to understand: these aren't subtle indicators. They're full-screen, red-background, scary-language barriers that tell your visitors your site might be dangerous. Studies consistently show that 80-90% of users will leave immediately when they see a certificate warning.
T+5 Minutes: API Connections Fail
While browsers at least offer a click-through option, programmatic clients are much less forgiving. Most HTTP libraries, API clients, and webhook systems will outright refuse to connect to a server with an expired certificate.
Here's what breaks:
- Webhooks from payment processors (Stripe, PayPal) stop delivering. You miss payment confirmations, refund notifications, and subscription updates.
- API integrations with third-party services fail. Your CRM stops syncing. Your analytics pipeline breaks. Your monitoring tools can't reach your endpoints.
- Mobile apps that pin certificates or validate them strictly will stop working entirely. Users see generic "connection error" messages with no explanation.
- Server-to-server communication between your own microservices can fail if they validate certificates (and they should).
The silent failures
Many API failures won't produce obvious errors. A webhook that can't connect simply doesn't deliver its payload. You won't know you missed a Stripe event until a customer complains about a charge that wasn't processed.
T+1 Hour: Revenue Impact Begins
If you run any kind of e-commerce, SaaS, or lead generation site, the revenue impact is immediate. Every visitor who bounces from a certificate warning is a lost conversion. Every failed API call is a missed transaction.
For a site doing $10,000/day in revenue, even a few hours of downtime from an expired certificate can mean thousands of dollars in direct losses -- not counting the customers who never come back.
Email is affected too. If your mail server uses TLS (it should), an expired certificate can cause delivery failures. Other mail servers may refuse to establish encrypted connections, meaning your emails bounce or get silently dropped.
T+24 Hours: Google Notices
Google's crawlers are constantly checking your site. When they encounter a certificate error, a few things happen:
- Crawling slows or stops. Googlebot won't crawl pages it can't securely access.
- Search Console flags the issue. You'll see security warnings in Google Search Console, but only if you check it.
- Rankings begin to drop. HTTPS is a ranking signal. An invalid certificate doesn't just remove that signal -- it actively harms your position because Google treats it as a security issue.
The SEO damage isn't instant, but it accumulates. A few hours of an expired certificate probably won't tank your rankings. A few days definitely will. And recovering your search position takes far longer than fixing the certificate.
T+48 Hours and Beyond: Compounding Damage
The longer an expired certificate sits, the worse it gets:
- Customer trust erodes. Even after you fix the certificate, users who saw the warning may not trust your site again.
- HSTS makes it worse. If you've enabled HTTP Strict Transport Security (which you should have), browsers won't even let users click through the warning. There's no bypass. Your site is completely inaccessible.
- Certificate Transparency logs record the expiry. Security researchers and automated tools flag your domain. This can affect your reputation with security-conscious customers and partners.
- Compliance violations may trigger. PCI DSS, HIPAA, and SOC 2 all require valid encryption. An expired certificate could put you out of compliance.
Famous Examples
SSL certificate expirations have taken down some of the biggest names in tech:
- Microsoft Teams went down in February 2020 because of an expired certificate, affecting millions of users during work hours.
- Equifax had an expired certificate on a security monitoring tool, which contributed to their massive 2017 data breach going undetected for months.
- LinkedIn experienced an expired certificate on a subdomain that broke integrations and third-party login flows.
These aren't small companies with small IT teams. Certificate expiry is a problem that hits everyone.
The Recovery Process
Fixing an expired certificate isn't as simple as clicking a button. Here's the typical recovery timeline:
1. Obtain a new certificate. If you use Let's Encrypt or a similar automated CA, you can reissue in minutes. If you use a paid certificate with OV or EV validation, it could take hours or days.
2. Install the new certificate. Upload to your server, update your web server configuration, and restart the service. On a single server this takes minutes. Across a fleet of load balancers and CDN nodes, it takes longer.
3. Verify the chain. Make sure the full certificate chain is correctly installed. A common mistake during rushed certificate replacements is forgetting the intermediate certificate, which causes its own set of errors.
4. Wait for propagation. CDN caches, browser caches, and DNS caches all need to pick up the new certificate. This can take minutes to hours depending on your infrastructure.
5. Clear cached errors. Some clients cache certificate errors aggressively. Users may need to clear their browser cache. HSTS-pinned browsers may refuse to connect until the cached error expires.
Total recovery time: anywhere from 15 minutes (best case with automation) to several days (worst case with manual OV/EV certificates and complex infrastructure).
Prevention: The Only Real Fix
The only reliable way to avoid the cascade of problems from an expired SSL certificate is to know about it before it happens. That means monitoring.
Auto-renewal helps, but it's not bulletproof. DNS changes, hosting migrations, permission issues, and rate limits can all cause auto-renewal to fail silently. You need a system that checks your actual live certificates and alerts you with enough lead time to fix problems before they become outages.
A monitoring cadence of 30, 14, 7, 3, and 1 day before expiry gives you multiple chances to catch and fix issues. The first alert is a gentle reminder. The last one is an emergency.
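One way to implement the live-certificate check with this cadence, as an added example that is not code from the original article. It handshakes the way a strict API client does, so an expired certificate or a missing intermediate (the "Verify the chain" step in the recovery process) surfaces as a validation failure. The function names are hypothetical and `example.com` is a placeholder host.

```python
import socket
import ssl
from datetime import datetime, timezone

THRESHOLDS = (30, 14, 7, 3, 1)  # alert cadence from the article, in days

def days_left(not_after, now):
    """Days until a notAfter string such as 'Jun  1 12:00:00 2025 GMT' passes."""
    return (ssl.cert_time_to_seconds(not_after) - now.timestamp()) / 86400

def alert_tier(days):
    """Tightest threshold reached, 0 if already expired, None if healthy."""
    if days <= 0:
        return 0
    reached = [t for t in THRESHOLDS if days <= t]
    return min(reached) if reached else None

def fetch_not_after(host, port=443, timeout=5.0):
    """Handshake with full validation and return the leaf certificate's notAfter."""
    ctx = ssl.create_default_context()  # verifies chain, hostname and dates
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def check(host, now=None):
    """One monitoring pass for a host; returns a status line."""
    now = now or datetime.now(timezone.utc)
    try:
        tier = alert_tier(days_left(fetch_not_after(host), now))
    except ssl.SSLCertVerificationError as exc:
        # Expired certificate, missing intermediate or wrong name: the
        # handshake fails here exactly as it does for real clients.
        return f"{host}: CRITICAL validation failed: {exc.verify_message}"
    except OSError as exc:
        return f"{host}: UNKNOWN connection error: {exc}"
    if tier is None:
        return f"{host}: OK"
    return f"{host}: ALERT within {tier} day(s) of expiry"

if __name__ == "__main__":
    print(check("example.com"))  # placeholder host
```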
An expired SSL certificate is a ticking time bomb. The only question is whether you'll defuse it before or after the damage is done.