SSL Certificate Expired? What It Means and How to Fix It
If you are reading this because your site is already showing a security warning, take a breath. An expired SSL certificate is stressful, but it is also one of the most fixable problems in web security. This guide will walk you through exactly what is happening, why it happened, and how to resolve it as quickly as possible.
What Is an SSL Certificate?
An SSL/TLS certificate is a small data file that lets your web server prove its identity and set up an encrypted connection with your visitors' browsers. When a certificate is active and valid, your site loads over HTTPS, and browsers display a padlock icon in the address bar. That padlock tells visitors two things: the connection is encrypted so data cannot be read in transit, and the server has been verified as belonging to the domain it claims to be.
SSL certificates protect everything from login credentials and credit card numbers to simple form submissions. They are a foundational layer of trust on the modern web, and every public-facing website is expected to have one. Search engines, browsers, and payment processors all treat a valid SSL certificate as a baseline requirement rather than an optional extra.
What Happens When Your SSL Certificate Expires
When your SSL certificate passes its expiration date, the consequences are immediate and visible. Nothing breaks silently in the background. Instead, your visitors are confronted with full-screen browser warnings that are specifically designed to look alarming.
Immediate impact of an expired certificate
Chrome displays a full-page warning: "Your connection is not private" with error code NET::ERR_CERT_DATE_INVALID. Firefox shows "Warning: Potential Security Risk Ahead." Safari warns that the connection is not private. In every case, the browser blocks access to your site by default.
Here is what that means in practice:
- Visitors cannot reach your site. Browsers hide your content behind a warning page. Users must manually click through multiple steps to proceed, and most will not. Studies consistently show that more than 85% of visitors will leave rather than bypass a certificate warning.
- Search rankings can drop. Google has treated HTTPS as a ranking signal since 2014. An expired certificate effectively strips your site of its HTTPS status. The resulting spike in bounce rate sends additional negative signals to search engines.
- Payment processing stops. PCI DSS compliance requires a valid SSL certificate. If your certificate expires, payment gateways will refuse to process transactions, meaning your checkout is completely broken.
- API integrations break. Any service that connects to your domain over HTTPS will start throwing certificate errors. Webhooks, third-party scripts, mobile apps that call your API, and partner integrations will all fail.
- Customer trust is damaged. Even after you fix the certificate, some visitors who saw the warning may hesitate to return. The phrase "not secure" sticks in people's minds, especially for ecommerce and financial services sites.
- Email delivery can be affected. If your mail server uses the same certificate, encrypted email connections (STARTTLS) may fail, causing delivery delays or bounces.
The severity scales with every minute the certificate remains expired. For businesses, an expired certificate during business hours can mean lost revenue measured in the thousands of dollars per hour.
Why SSL Certificates Expire
SSL certificates are intentionally designed to expire. This is not a flaw. It is a security feature.
Certificate Authorities (CAs) issue certificates with a limited validity period so that domain ownership and organizational details are periodically re-verified. If a certificate lasted forever, a domain could change hands, a company could close down, or an encryption algorithm could become outdated, and the certificate would still appear valid.
The current maximum validity period for publicly trusted SSL certificates is 398 days (approximately 13 months). Let's Encrypt certificates are valid for 90 days. The industry is steadily moving toward shorter lifespans. Both Apple and Google have advocated for 90-day maximums across all certificate authorities, and this is expected to become the standard in the near future.
Shorter certificate lifetimes mean that automated renewal is no longer optional. It is essential. A 90-day certificate that requires manual renewal four times a year is almost guaranteed to be forgotten eventually.
How to Check Your SSL Certificate Expiry Date
Use GuardHound's SSL Checker (fastest method)
Enter your domain in the GuardHound SSL Checker for an instant report that shows your certificate's expiry date, issuer, protocol version, and any configuration issues. No installation or technical knowledge required.
Browser method
- Navigate to your website in Chrome (or any browser).
- Click the padlock icon (or "Not secure" label) in the address bar.
- Click Connection is secure (or Certificate in some browsers).
- Look for the Valid to or Expires on date in the certificate details.
Command line method
If you have terminal access, you can check any domain's certificate expiry with OpenSSL:
echo | openssl s_client -servername yourdomain.com -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates
This outputs the notBefore and notAfter dates for the certificate. The notAfter value is your expiration date.
How to Renew Your SSL Certificate
The renewal process depends on how your certificate was issued. Here are the most common scenarios:
Let's Encrypt (free certificates)
If you use Let's Encrypt with Certbot, renewal is a single command:
sudo certbot renew
Certbot will check all certificates on the server and renew any that are within 30 days of expiry. After renewal, reload your web server so it picks up the new certificate:
sudo systemctl reload nginx
or
sudo systemctl reload apache2
Hosting provider certificates
If your hosting provider manages your SSL (common with shared hosting), renewal usually happens through your hosting dashboard. Look for SSL/TLS settings in cPanel, Plesk, or your provider's custom panel. Many hosting providers offer one-click renewal or automatic renewal that just needs to be enabled.
Paid certificates (DigiCert, Sectigo, Comodo, GlobalSign)
- Log in to your certificate provider's dashboard.
- Generate a new Certificate Signing Request (CSR) from your server.
- Submit the CSR and complete any required validation (domain, organization, or extended validation).
- Download the new certificate files and install them on your server.
- Restart your web server to apply the new certificate.
Common hosting platforms
- Cloudflare: Free Universal SSL is managed automatically. If you use a custom certificate, upload the replacement in the SSL/TLS section of your dashboard.
- AWS (ACM): Certificates issued through AWS Certificate Manager renew automatically as long as the domain's DNS is still pointed correctly.
- Netlify / Vercel: SSL is managed automatically via Let's Encrypt. Renewal happens in the background with no action needed.
- WordPress (cPanel): Look for the SSL/TLS Status page in cPanel, then click "Run AutoSSL" to force a renewal check.
How to Set Up Auto-Renewal
Setting up auto-renewal is the single most important thing you can do to prevent future SSL expiry issues. Here is how to do it with the most common tools:
Let's Encrypt + Certbot
Certbot installs a cron job or systemd timer automatically on most systems. You can verify it is active:
sudo systemctl status certbot.timer
If the timer is not enabled, you can add a cron job manually:
echo "0 3 * * * root certbot renew --quiet --deploy-hook 'systemctl reload nginx'" | sudo tee /etc/cron.d/certbot-renew
This runs the renewal check daily at 3:00 AM and automatically reloads your web server when a certificate is renewed.
Hosting provider auto-renewal
Most hosting providers offer an auto-renewal toggle in their SSL settings. Enable it. If your provider charges for SSL, make sure your payment method on file is current so the renewal is not blocked by a declined payment.
Why auto-renewal can still fail: common causes are an expired credit card on your hosting account, DNS records that were changed during a migration, a server that was replaced or reimaged, or a Certbot installation that was not carried over during a server update. Auto-renewal is reliable, but it is not a guarantee. Monitoring is the safety net.
How GuardHound Prevents SSL Surprises
Auto-renewal handles the expected case. GuardHound handles the unexpected one. Even well-configured auto-renewal can fail silently, and you may not find out until visitors start complaining or your traffic drops.
GuardHound monitors your SSL certificate continuously and sends you alerts at 30 days, 14 days, and 7 days before your certificate expires. If your auto-renewal worked, you never need to think about these alerts. If something went wrong, you get advance warning with enough time to fix it before a single visitor sees a browser warning.
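A self-hosted version of this kind of check, as an added example (not GuardHound's code and not part of the original guide): it takes the notAfter value from the OpenSSL command shown earlier and maps the time remaining onto the 30, 14 and 7-day alert points. The function names, status labels and sample dates are constructed for illustration, and the script assumes GNU date.

```shell
#!/bin/sh
# Added example: certificate expiry check with 30/14/7-day alert points.
# Assumes GNU date (for -d). All names here are illustrative.

DAY=86400

# Print the notAfter value of the certificate served by host $1 (needs network).
fetch_not_after() {
    echo | openssl s_client -servername "$1" -connect "$1:443" 2>/dev/null |
        openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2
}

# classify_expiry NOT_AFTER NOW_EPOCH
# Prints EXPIRED, ALERT_7, ALERT_14, ALERT_30, OK or UNKNOWN.
classify_expiry() {
    # An empty value means the fetch failed. GNU date would silently parse ""
    # as today at midnight, so report a monitoring failure instead.
    [ -n "$1" ] || { echo UNKNOWN; return 0; }
    expiry=$(date -u -d "$1" +%s 2>/dev/null) || { echo UNKNOWN; return 0; }
    # Compare in seconds: integer day division would round a certificate
    # that expired a few hours ago up to "0 days left".
    remaining=$(( expiry - $2 ))
    if   [ "$remaining" -le 0 ];               then echo EXPIRED
    elif [ "$remaining" -le $(( 7 * DAY )) ];  then echo ALERT_7
    elif [ "$remaining" -le $(( 14 * DAY )) ]; then echo ALERT_14
    elif [ "$remaining" -le $(( 30 * DAY )) ]; then echo ALERT_30
    else echo OK
    fi
}

if [ "$#" -gt 0 ]; then
    # Live mode: sh check-expiry.sh yourdomain.com
    # Exits non-zero unless the status is OK, so cron can mail the output.
    status=$(classify_expiry "$(fetch_not_after "$1")" "$(date +%s)")
    echo "$1: $status"
    [ "$status" = OK ] || exit 1
else
    # Offline demo on constructed notAfter values, with "now" fixed at
    # 2025-01-01 00:00:00 UTC (epoch 1735689600).
    for sample in "Dec 31 23:59:59 2024 GMT" "Jan  5 00:00:00 2025 GMT" \
                  "Jan 11 00:00:00 2025 GMT" "Jan 21 00:00:00 2025 GMT" \
                  "Mar  1 00:00:00 2025 GMT" ""; do
        echo "${sample:-<fetch failed>}: $(classify_expiry "$sample" 1735689600)"
    done
fi
```

Treating UNKNOWN as an alert matters as much as the thresholds: a check that cannot reach the server tells you nothing about the certificate.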
Beyond expiry monitoring, GuardHound's tools help you stay on top of your entire domain security posture:
- SSL Checker — Instant certificate inspection: expiry date, issuer, protocol version, certificate chain, and configuration issues.
- Domain Health Check — A comprehensive scan that covers SSL, DNS, DMARC, SPF, and more in a single report.
- Continuous Monitoring — Set up ongoing monitoring for your domains and get alerted the moment anything changes or needs attention.
Frequently Asked Questions
How long does it take to renew an SSL certificate?
For domain-validated (DV) certificates like Let's Encrypt, renewal is nearly instant and can be fully automated. The entire process takes less than a minute. Organization-validated (OV) and extended-validation (EV) certificates require the certificate authority to re-verify your organization's details, which typically takes one to five business days. If your certificate has already expired, a DV certificate can have your site back online in minutes.
Will an expired SSL certificate affect my Google rankings?
Yes. Google has used HTTPS as a ranking signal since 2014. When your certificate expires, your site effectively loses its HTTPS status. Browsers block access by default, which causes your bounce rate to spike. Both the direct loss of the HTTPS ranking signal and the sudden change in user engagement metrics can cause your search positions to drop. The longer the certificate remains expired, the greater the impact. Most sites recover their rankings within a few days of restoring a valid certificate, but the lost traffic during the outage is gone for good.
Can I get a free SSL certificate?
Yes. Let's Encrypt is a widely trusted, nonprofit certificate authority that issues free domain-validated (DV) SSL/TLS certificates. Many hosting providers also include free SSL through their partnership with Let's Encrypt or through services like Cloudflare. Free certificates provide the exact same level of encryption as paid ones. The main differences with paid certificates are validation level (OV/EV for organizational trust indicators) and warranty coverage, neither of which affect encryption strength.
What's the difference between SSL and TLS?
TLS (Transport Layer Security) is the modern successor to SSL (Secure Sockets Layer). The original SSL protocol was developed by Netscape in the 1990s and was deprecated in 2015 due to known security vulnerabilities. Every "SSL certificate" issued today actually uses the TLS protocol — specifically TLS 1.2 or TLS 1.3. The term "SSL" has simply stuck around as an industry shorthand. When you see "SSL certificate," "TLS certificate," or "SSL/TLS certificate," they all refer to the same thing in practice.
How often do SSL certificates need to be renewed?
It depends on your certificate type. Most commercial SSL certificates from providers like DigiCert or Sectigo are valid for up to 398 days (approximately 13 months). Let's Encrypt certificates are valid for 90 days. The industry trend is toward shorter validity periods — both Apple and Google have advocated for a 90-day maximum across all certificate authorities. This makes automated renewal increasingly important. With Let's Encrypt, Certbot handles renewal automatically. For paid certificates, set a calendar reminder at least 30 days before expiry, or use a monitoring tool like GuardHound to get automatic alerts.