The Padlock Disappeared. Now What?
One morning you check your website and the browser shows a full-page warning: "Your connection is not private." Visitors see error code NET::ERR_CERT_DATE_INVALID. The padlock icon is gone. Your site is not down exactly, but it might as well be. Nobody is clicking through that warning.
Your SSL certificate expired. And if you did not notice it yourself, your customers noticed it first.
SSL (technically TLS, but everyone still calls it SSL) certificates are what let a browser confirm it is really talking to your website and set up the encrypted connection between your site and your visitors. They are what put the "S" in HTTPS. When the certificate expires, the encryption is still technically possible, but browsers refuse to trust it. From the visitor's perspective, your site just became unsafe.
What Happens the Moment Your Certificate Expires
The consequences are immediate and compound quickly:
Browser Warnings Drive Away Visitors
Every major browser -- Chrome, Firefox, Safari, Edge -- displays a prominent security warning when encountering an expired certificate. Chrome shows "Your connection is not private" with a red triangle. Safari displays "This Connection Is Not Private" and hides the "proceed anyway" option behind an advanced settings menu most users will never find.
Research from HubSpot shows that 85% of users will immediately leave a website when they see a security warning. They do not read the details. They do not investigate whether it is a real threat. They hit the back button and go to your competitor.
Google Drops Your Rankings
Google has confirmed that HTTPS is a ranking signal. A valid SSL certificate is not just a security feature -- it is an SEO requirement. When your certificate expires, Google's crawler encounters the same warning your visitors do. Your pages may be demoted in search results within days.
Worse, if the expiration persists for more than a few days, Google may flag your entire domain with a "Not Secure" label in search results. Recovering from this takes weeks even after you fix the certificate, because Google needs to recrawl and reindex your pages.
Form Submissions and Payments Break
If your site processes contact forms, quote requests, or online payments, an expired certificate does not just warn visitors -- it actively blocks functionality. Modern browsers refuse to submit form data over an insecure connection. Payment processors like Stripe and Square require valid SSL as a baseline condition. Your checkout flow stops working entirely.
Why Certificates Expire in the First Place
SSL certificates have built-in expiration dates by design. This is a security feature, not a flaw. Certificate authorities (CAs) issue certificates with limited validity periods to ensure that:
- Compromised certificates do not last forever -- If a certificate's private key is stolen, the damage is limited to the remaining validity period.
- Domain ownership is re-verified -- The CA confirms you still own the domain each time you renew.
- Encryption standards stay current -- Newer certificates use stronger encryption algorithms. Forced renewal ensures the ecosystem moves forward.
Most commercial certificates are valid for one year. Let's Encrypt certificates are valid for 90 days. As of 2025, Apple's push toward 45-day certificate lifespans means expiration will only become a more frequent concern.
The Five Most Common Causes of Expiration
Almost every SSL expiration we see at Forge traces back to one of these root causes:
- Renewal email went to spam -- Your certificate provider sent a renewal reminder to an email address that routes to a spam folder, or to an inbox nobody checks. This is the single most common cause.
- Credit card on file expired -- Auto-renewal was set up, but the payment method failed silently. The CA attempted to charge a card that was replaced six months ago.
- DNS records changed -- You migrated hosting providers or updated nameservers, and the validation method for your certificate (DNS-based or HTTP-based) no longer works. The renewal process fails silently.
- The person who managed it left -- A contractor or former employee set up the certificate. Nobody else knows the login credentials for the CA account. The renewal notification goes to their old email.
- Manual renewal with no calendar reminder -- You purchased the certificate manually and forgot to set a reminder. Twelve months later, it expires on a Saturday night.
How to Check Your Certificate Right Now
You do not need technical expertise to check your SSL status. Here are three methods, from simplest to most detailed:
Browser Padlock
Visit your website in Chrome. Click the padlock (or "Not secure" label) in the address bar. Click "Connection is secure" and then "Certificate is valid." You will see the expiration date. If the certificate expires within 30 days, act now.
Command Line
For a more precise check, run this from a terminal:
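openssl s_client -connect yourdomain.com:443 -servername yourdomain.com </dev/null 2>/dev/null | openssl x509 -noout -dates
This returns the exact start and end dates of your certificate, printed as notBefore and notAfter. The </dev/null closes the connection as soon as the certificate has been read, so the command exits instead of waiting for input. No browser required.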
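To turn that output into a scheduled check, the script below parses the notBefore/notAfter lines and applies the 30-day "act now" window from this article. It is an added example, not Forge Shield's code; the function names, status labels and SAMPLE dates are made up for illustration.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

WARN = timedelta(days=30)  # the article's "act now" window

# Constructed sample of what the openssl command above prints.
SAMPLE = "notBefore=Mar  3 00:00:00 2025 GMT\nnotAfter=Jun  1 00:00:00 2025 GMT\n"

def parse_dates(text):
    """Turn the notBefore=/notAfter= lines into aware UTC datetimes."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("notBefore", "notAfter"):
            secs = ssl.cert_time_to_seconds(value.strip())
            out[key] = datetime.fromtimestamp(secs, timezone.utc)
    return out

def classify(dates, now):
    """Return (status, whole days until notAfter) for a parsed certificate."""
    left = dates["notAfter"] - now
    if now < dates["notBefore"]:
        status = "NOT YET VALID"
    elif left <= timedelta(0):
        status = "EXPIRED"
    elif left <= WARN:
        status = "RENEW NOW"
    else:
        status = "OK"
    return status, left.days

def check_host(host, port=443, now=None):
    """Live check; needs network access. Validates the chain like a browser."""
    now = now or datetime.now(timezone.utc)
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # An expired certificate fails the handshake, so there is no
        # notAfter to read; OpenSSL verify code 10 means "has expired".
        return ("EXPIRED" if exc.verify_code == 10 else "UNTRUSTED"), None
    text = "notBefore=%s\nnotAfter=%s" % (cert["notBefore"], cert["notAfter"])
    return classify(parse_dates(text), now)

if __name__ == "__main__":
    print(classify(parse_dates(SAMPLE), datetime.now(timezone.utc)))
```

Run check_host("yourdomain.com") from a daily cron job and alert on anything other than "OK"; the handshake-failure branch matters because a certificate that has already expired never reaches the date comparison.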
Forge Shield
Forge Shield checks your SSL certificate daily and alerts you 30 days before expiration. You do not need to remember to check. You do not need to rely on your CA's email notifications. You get a direct alert with clear instructions for renewal.
Setting Up Auto-Renewal So This Never Happens Again
The best fix for SSL expiration is removing the human from the process. Here are the auto-renewal options ranked by reliability:
- Let's Encrypt with Certbot -- Free certificates that auto-renew every 60 days (well before the 90-day expiration). Certbot handles the entire process. This is what we use for most Forge client sites. Zero cost, zero maintenance.
- Cloudflare Universal SSL -- If your site uses Cloudflare as a CDN or DNS provider, SSL is managed automatically at no additional cost. Certificates are issued, renewed, and deployed without any action on your part.
- GitHub Pages -- If your site is hosted on GitHub Pages with a custom domain, SSL is handled automatically through Let's Encrypt. No configuration needed beyond the initial setup.
- Managed hosting providers -- Platforms like Netlify, Vercel, and Firebase Hosting all include automatic SSL provisioning. If you are on one of these platforms, your certificate should never expire unless there is a DNS misconfiguration.
If you are on traditional shared hosting (GoDaddy, Bluehost, HostGator), auto-renewal is often available but not always enabled by default. Log in to your hosting control panel and verify that SSL auto-renewal is turned on. Then verify the payment method on file is current.
Do Not Wait for the Warning
An expired SSL certificate is one of the most preventable problems in web hosting. Yet it happens constantly because it is easy to forget about something that works silently in the background -- until it stops working.
The cost of prevention is trivial. The cost of an expired certificate is measurable: lost visitors, lost leads, lost search rankings, and lost trust.
Forge Shield monitors your SSL certificate status as part of its continuous security scanning. You get alerts 30 days before expiration, a clear dashboard showing certificate health across all your domains, and remediation guidance written in plain language.
Stop relying on email reminders from certificate authorities. Get Forge Shield and make SSL expiration a problem you never have to think about again.