What actually happens when your SSL expires

Day 1: Immediate effects

  • Chrome, Firefox, and Safari all show a full-page red warning to every visitor
  • Your website's padlock turns into a red "Not Secure" warning
  • E-commerce checkout processes are blocked by browser security policies
  • Contact forms may stop submitting over HTTPS

Days 1–7: Short-term effects

  • Organic traffic drops as users bounce from the warning page
  • Google Search Console flags the site
  • Google's search ranking algorithm penalises the site

Week 2+: Longer-term effects

  • Customer trust is damaged — visitors who saw the warning may not return
  • Email deliverability can be affected if your mail server shares the domain
  • If left unresolved, Google may begin blacklisting the domain

"We see it every week. A business owner wonders why their traffic has crashed, calls their web developer, and discovers the SSL certificate expired three days ago. The fix takes five minutes. The traffic recovery takes two weeks."

— BBC Technology, Small Business Digital Health, January 2026

The compounding problem: TLS versions

It is not just about whether your certificate is valid. It is about which version of TLS (Transport Layer Security) your server supports. TLS 1.0 and 1.1 were officially deprecated in 2021. Running them is not just outdated — it is a security vulnerability.

In our analysis of 2,400+ UK website audits, 23% were still serving TLS 1.1 alongside TLS 1.2. The newer version was available. The old one had simply never been disabled.

Check your SSL right now

Go to ssllabs.com/ssltest and run a free check on your domain. Anything below a B grade is a problem. A grade F means visitors are seeing browser warnings.

HSTS: the fix that makes SSL stickier

Even with a valid SSL certificate and HTTPS redirects, a user who types your domain without https:// will initially connect over plain HTTP before being redirected. That first request is unencrypted — and in a coffee shop on public Wi-Fi, it can be intercepted.

HSTS (HTTP Strict Transport Security) solves this. It is a single header you add to your server configuration that tells browsers: "Always use HTTPS for this domain, no exceptions." A browser starts enforcing the rule once it has received the header over HTTPS, so every later visit skips the plain-HTTP step. It costs nothing to implement. It takes 15 minutes. It is missing from the majority of UK small business websites we audit.

Mixed content: the hidden SSL failure

You have a valid SSL certificate. Your site loads over HTTPS. But somewhere in your site's code, there is an image, a script, or a stylesheet that loads over plain HTTP. That is mixed content — and browsers treat it as a security violation.

In our audits, mixed content issues are found on one in five UK small business websites. Almost always it is a legacy asset — an old image URL, an embedded video from 2018, a third-party widget integrated before the site moved to HTTPS.

6 days: how close one ProtectPatch customer came to SSL expiry before discovering it, which would have killed their Google rankings during peak season

The five-minute SSL health checklist

Do this right now

  1. Check your certificate expiry date: browser address bar → click the padlock → Certificate → Expiry date
  2. Enable auto-renewal in your hosting control panel (all major providers offer this)
  3. Run an SSL Labs test: ssllabs.com/ssltest — you want an A or A+ grade
  4. Check for mixed content: browser developer tools (F12) → Console tab → look for "mixed content" warnings
  5. Add an HSTS header to your server configuration or Cloudflare settings
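
Steps 1, 4 and 5 can also be checked from a script. The Python below is an added example, not code from the original article or from ProtectPatch: it computes the days left from a certificate's notAfter field, reads max-age from an HSTS header, and lists the subresources a page would load over plain HTTP. The function names are this example's own, and the sample page and the example.test domain are constructed placeholders.

```python
import re
import socket
import ssl
from datetime import datetime, timezone
from html.parser import HTMLParser

def days_until_expiry(not_after, now=None):
    """Whole days left, given notAfter in the format ssl.getpeercert() returns."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - (now or datetime.now(timezone.utc))).days

def fetch_not_after(host, port=443):
    """Live lookup (needs network); an expired cert raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def hsts_max_age(headers):
    """max-age (seconds) from Strict-Transport-Security; None if the header is missing."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), "")
    m = re.search(r'(?:^|;)\s*max-age\s*=\s*"?(\d+)"?\s*(?:;|$)', value, re.I)
    return int(m.group(1)) if m else None

class MixedContentFinder(HTMLParser):
    """Collects subresources fetched over plain HTTP (<a href> is navigation, so skipped)."""
    FETCHING = {"img": "src", "script": "src", "iframe": "src", "link": "href"}
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return  # e.g. rel="canonical" is metadata, not a loaded asset
        url = a.get(self.FETCHING.get(tag, ""), "") or ""
        if url.lower().startswith("http://"):
            self.found.append((tag, url))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.found

# Constructed sample page; example.test is a placeholder domain.
SAMPLE_HTML = """<head><link rel="stylesheet" href="https://example.test/site.css">
<link rel="canonical" href="http://example.test/">
<script src="http://widgets.example.test/chat.js"></script></head><body>
<img src="http://example.test/uploads/2018/banner.jpg"><a href="http://example.test/old">x</a></body>"""
```

Run days_until_expiry(fetch_not_after("your-domain")) from a scheduled job and alert when the result falls below your renewal window; a max-age of 0 from hsts_max_age means the header is present but switches HSTS off.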

Key takeaways

  • Expired SSL shows a full-screen browser warning to every visitor — and kills conversions instantly
  • TLS 1.0 and 1.1 are deprecated and insecure — 23% of UK sites we audit still run them
  • HSTS prevents downgrade attacks at zero cost
  • Mixed content breaks pages even with a valid certificate
  • Auto-renewal takes 10 minutes to set up and costs nothing