TLS / HTTPS · Check
SSL certificate invalid — name mismatch, broken chain, and how to fix
An invalid certificate is one that browsers refuse to trust — most often because the hostname doesn't match the certificate's CN/SAN, the chain is missing an intermediate, or the certificate was issued by a CA the browser no longer trusts. Until it's fixed, every visitor sees a full-page security warning.
Why it matters
Even a brief invalid-cert window trains users to click through warnings, which is exactly the muscle memory a real MITM attack relies on. Restoring trust usually means fixing the whole chain the server presents (leaf plus every intermediate up to a root the client already trusts), not just swapping the leaf. Behind a CDN there are two hops to check: the edge certificate the browser sees, and the origin certificate the CDN validates when it connects to you.
Real-world risk
Browsers block or warn on the connection, and non-browser clients (API integrations, mobile apps, monitoring) fail outright rather than warning. If users click through, an attacker can run a convincing MITM because the warning they are used to dismissing looks identical.
Fix steps (in order)
- Re-issue a certificate whose SAN lists the public hostname (modern browsers ignore the CN, and a wildcard only covers one label), then install the full chain: leaf first, followed by every intermediate, so clients that do not fetch intermediates themselves can still build a path to a trusted root.
- If behind a CDN, the browser validates the edge certificate, so its SAN must cover the hostname customers actually use; the origin certificate only has to satisfy the CDN's origin validation.
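The two checks above, hostname match and chain validation, as an added example (not part of this page or of Scorifya's scanner). The first part re-implements browser-style hostname matching over certificate dicts in the shape Python's `ssl.SSLSocket.getpeercert()` returns, with constructed sample certificates; the second part, `probe()`, does a real connection with SNI against the platform trust store and needs network access. Function and sample names are assumptions.

```python
"""Hostname-vs-certificate matching the way a browser does it, plus a live
probe. Added example; cert dicts use the shape Python's
ssl.SSLSocket.getpeercert() returns."""
import ipaddress
import socket
import ssl


def dns_name_matches(pattern, hostname):
    """RFC 6125-style matching as browsers apply it: exact, case-insensitive,
    or a wildcard that is the entire leftmost label and covers exactly one
    label (never a bare public suffix such as *.test)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False  # partial (w*.example) or non-leftmost wildcards are rejected
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) < 3:
        return False  # refuse *.test / *.com style wildcards
    if len(p_labels) != len(h_labels):
        return False  # *.example.test does not cover a.b.example.test
    return p_labels[1:] == h_labels[1:]


def names_from_cert(cert):
    """Return (dns_sans, ip_sans, common_names) found in a getpeercert() dict."""
    san = cert.get("subjectAltName", ())
    dns = [v for kind, v in san if kind == "DNS"]
    ips = [v for kind, v in san if kind == "IP Address"]
    cn = [v for rdn in cert.get("subject", ()) for key, v in rdn if key == "commonName"]
    return dns, ips, cn


def hostname_matches(cert, hostname, allow_cn_fallback=False):
    """True if the certificate is valid for hostname. Modern browsers only
    consult the SAN; allow_cn_fallback=True mimics legacy clients that accept
    the CN when the certificate carries no SAN extension at all."""
    dns, ips, cn = names_from_cert(cert)
    try:
        addr = ipaddress.ip_address(hostname)
    except ValueError:
        addr = None
    if addr is not None:
        # An IP literal must match an IP SAN; DNS wildcards never cover it.
        return any(ipaddress.ip_address(i) == addr for i in ips)
    if dns or ips:
        return any(dns_name_matches(p, hostname) for p in dns)
    return allow_cn_fallback and any(dns_name_matches(c, hostname) for c in cn)


def probe(hostname, port=443, timeout=5.0):
    """Connect with SNI using the platform trust store, as a browser would.
    Returns (True, peer_cert) or (False, reason). Needs network access."""
    ctx = ssl.create_default_context()  # verifies the chain AND the hostname
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return True, tls.getpeercert()
    except ssl.SSLCertVerificationError as err:
        # verify_message separates the failure classes, e.g.
        # "Hostname mismatch, certificate is not valid for '...'" versus
        # "unable to get local issuer certificate" (intermediate not sent).
        return False, err.verify_message
    except (OSError, ssl.SSLError) as err:
        return False, str(err)


# Constructed sample certificate (not a real cert): CN differs from the SAN.
SAMPLE_CERT = {
    "subject": ((("commonName", "legacy.example.test"),),),
    "subjectAltName": (
        ("DNS", "www.example.test"),
        ("DNS", "*.cdn.example.test"),
        ("IP Address", "203.0.113.10"),
    ),
}

if __name__ == "__main__":
    for host in ("www.example.test", "legacy.example.test",
                 "a.cdn.example.test", "a.b.cdn.example.test", "203.0.113.10"):
        print(f"{host:24} -> {hostname_matches(SAMPLE_CERT, host)}")
```

`legacy.example.test` is rejected even though it is the CN, because a certificate with a SAN is judged on the SAN alone; `a.b.cdn.example.test` is rejected because a wildcard covers exactly one label. For the chain side, run `probe()` from outside your network after deploying: a `reason` of "unable to get local issuer certificate" means the server is not sending the intermediate, which often goes unnoticed on machines that already have it cached.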
Topic explainer
TLS versions explained: 1.0, 1.1, 1.2, 1.3 and what to disable →
What's actually different between TLS 1.0, 1.1, 1.2, and 1.3 — cipher suites, forward secrecy, performance — and which versions to disable for compliance and security.
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (cert_invalid) clears once the server presents a certificate whose SAN covers the scanned hostname together with a complete chain to a trusted root, observed from outside your network.