Defaults.Exposed › Reports
Expired, Self-Signed, Invalid: The Certificate Error Report (2026)
Published 2026-06-29
Figures as of 2026-06-29 · methodology v7. Aggregate census data across the 197 million domains presenting a TLS certificate. “Invalid” = the certificate fails validation (expired, self-signed, wrong hostname, or untrusted chain). See how we grade.
Having a certificate isn’t the same as having a valid one: 8.57% of certificates on the web fail validation. Across 197 million domains that present a TLS certificate, 16,920,535 have one browsers won’t trust — and every one of them shows visitors a full-page security warning instead of the site. In the age of free, auto-renewing certificates, a broken cert is almost always a fixable mistake, not a cost problem.
What’s actually wrong with these certificates
A certificate fails validation for a handful of reasons — expired, self-signed, issued for a different hostname, or from an untrusted chain. The single most identifiable category in the census is self-signed:
| Problem | Domains |
|---|---|
| Certificate present but invalid (any reason) | 16,920,535 (8.57%) |
| — of which self-signed | 3,378,080 (20.0% of the invalid) |
A self-signed certificate is one the domain issued to itself — it encrypts traffic but proves nothing, so browsers reject it. It’s common on devices, internal tools and staging setups that accidentally got exposed to the public internet. The remaining invalid certs are mostly expired or hostname-mismatched.
Why a broken certificate is worse than no HTTPS
A site with no HTTPS gets a quiet “Not Secure” label. A site with a broken certificate gets a full-page red interstitial — “Your connection is not private” — that most visitors will not click past. It’s the harshest trust signal a browser shows, and it fires before your content loads. For a business, that’s a closed door at the moment of first contact.
It’s also avoidable: with free CAs and automated renewal now issuing the large majority of certificates, a valid certificate costs nothing and renews itself. The 8.57% with broken certs are almost all configuration gaps, not budget ones.
How to fix a certificate error
- Expired? Automate renewal (ACME / Let’s Encrypt) so it never lapses again. Fix certificate errors.
- Self-signed? Replace it with a free CA-issued certificate — self-signed certs will always warn in browsers.
- Wrong hostname? Reissue covering the exact names you serve (including
www). - Verify the chain is complete and trusted, then confirm with a re-check.
Frequently asked questions
Why does a certificate become invalid? Most commonly it expired, is self-signed, was issued for a different hostname, or comes from an untrusted chain. As of 2026-06-29, 8.57% of certificates fail validation for one of these reasons.
What is a self-signed certificate? One the server issued to itself rather than getting from a trusted CA. It encrypts but proves no identity, so browsers reject it. 3,378,080 domains present one.
Is a broken certificate worse than no HTTPS? Yes — a broken cert triggers a full-page browser warning that blocks the site, whereas plain HTTP gets a milder inline “Not Secure” label.
How much does fixing it cost? Nothing. Valid certificates are free (Let’s Encrypt and others) and auto-renew. It’s a configuration fix.
Check your certificate is valid
A certificate that browsers reject is costing you visitors right now. Check yours free and private.
Check your domain → · Fix certificate errors → · Who issues the web’s certificates? → · Why does my site say “Not Secure”? → · Aggregate data only. Data stored and processed in the EU.