SEC_ERROR_EXPIRED_CERTIFICATE is Firefox’s way of telling you that a certificate’s validity period has ended, either on the server you are connecting to or because your device’s clock is outside that validity window. Chrome reports the same condition as NET::ERR_CERT_DATE_INVALID. The error code is browser-specific; the underlying cause is identical.
Four distinct situations produce this error. Identifying which one applies in your case takes less than a minute and determines whether the fix is on your computer, in your antivirus software, or on the server you are trying to reach. Applying fixes blindly wastes time because two of the four causes require nothing from the visitor and two require nothing from the server owner.
Identify Your Situation First
| Observation | Most Likely Cause | Who Acts |
|---|---|---|
| Error appears on many sites, not just one | Your device clock is wrong or your antivirus is intercepting HTTPS | You (visitor) — fix your clock or antivirus |
| Error on one specific site, correct date shown in Firefox error page | The server’s SSL certificate has genuinely expired | Site owner — must renew and redeploy the certificate |
| Error says ‘issuer certificate’ not the site certificate | An intermediate certificate in the chain has expired | Server owner — update the certificate bundle |
| Error only on your device, site loads fine for others | Your clock, antivirus HTTPS scanning, or corporate network proxy | You (visitor) — work through client-side fixes below |
The fastest diagnostic: check the expiry date Firefox shows on the error page. Firefox displays the exact date the certificate expired in the error details. If that date is today or recent, the server’s certificate is genuinely expired. If that date is in the future, your device clock is behind and showing a valid certificate as expired. If the expiry date shown in the error is far in the past (years ago), the certificate you are seeing may be an intermediate certificate, not the site certificate.
How Firefox and Chrome Display the Error
Firefox
Firefox shows a page headed Warning: Potential Security Risk Ahead. Below this appears the specific error code SEC_ERROR_EXPIRED_CERTIFICATE. The page includes a Learn More link and an Advanced button. Clicking Advanced shows the full error details including the exact expiry date of the certificate Firefox received. This date is the single most important diagnostic piece of information on the page.
Firefox provides an Accept the Risk and Continue option that allows a one-time bypass. This option is accessible via the Advanced button on the error page. Using it is appropriate for local development environments with self-signed or expired development certificates where you understand and accept the risk. It is not appropriate for any site where you are entering credentials or personal information, because an expired certificate means the connection’s authenticity cannot be verified.
Chrome
Chrome shows a Your connection is not private page with the error code NET::ERR_CERT_DATE_INVALID. An Advanced link reveals the technical details and a Proceed to site (unsafe) option. Chrome’s error page typically shows the certificate’s expiry date in the error details if you expand the Advanced section. The proceed option carries the same risks as Firefox’s equivalent.
The error codes differ between browsers but describe identical conditions. SEC_ERROR_EXPIRED_CERTIFICATE is from the NSS (Network Security Services) library that Firefox uses. NET::ERR_CERT_DATE_INVALID is Chrome’s Chromium network stack code. Both mean: the certificate’s Not After date is in the past relative to the time the browser checked it.
Fix 1: Correct Your Device Clock (Visitor-Side)
An incorrect device clock is the single most common client-side cause of this error. SSL certificates have a validity period defined by Not Before and Not After dates. Both Firefox and Chrome validate the certificate against the device’s current clock. A clock that is days, months, or years behind will cause every certificate it sees to appear expired, even currently valid ones.
Two additional Firefox-specific error codes point directly to a clock problem: SEC_ERROR_OCSP_FUTURE_RESPONSE means an OCSP response from the CA has a timestamp in the future relative to your clock, and SEC_ERROR_OCSP_OLD_RESPONSE means an OCSP response appears too old. Both indicate the clock is wrong.
Windows
- Right-click the clock in the taskbar and select Adjust date and time
- Ensure Set time automatically is switched on
- Ensure Set time zone automatically is also on, or manually select the correct time zone
- Click Sync now under Synchronize your clock if the option is visible
- Close the settings and reload the failing page
macOS
- Open System Settings and click General, then Date and Time
- Ensure Set time and date automatically is checked
- If the option is greyed out, click the lock icon and authenticate first
- Confirm the displayed time matches a reliable time source (time.is or worldtimeserver.com)
Linux
```bash
# Check current time:
date
# Sync with NTP:
sudo timedatectl set-ntp true
# Or force immediate sync:
sudo ntpdate -u pool.ntp.org
# Verify sync status:
timedatectl status
```
After correcting the clock, restart the browser and reload the page. If the error clears, the clock was the cause. If the error persists and the clock is now correct, the issue is the server’s certificate.
When the Certificate Has Genuinely Expired (Server-Side)
If your clock is correct and the error appears on one specific site, the server’s SSL certificate is expired. There is no client-side fix for this. The site owner must renew the certificate and redeploy it. As a visitor, your options are: wait for the site owner to fix it, contact the site owner or their support team to report the problem, or use the browser’s bypass option if you accept the security risks and trust the site.
To confirm the certificate is genuinely expired rather than the clock being wrong, note the expiry date shown in the Firefox error details. If that date matches today’s date or is in the recent past, the certificate has expired. If the date shown is far in the future, your clock is the problem.
Do not enter passwords, payment information, or any personal data on a site showing an expired certificate warning. An expired certificate means the browser cannot currently verify that the server is who it claims to be. While in most cases the site is legitimate and simply missed its renewal, there is no cryptographic way to confirm this until the certificate is renewed.
Fix 2: Check Antivirus HTTPS Inspection (Visitor-Side)
Antivirus products from Kaspersky, Avast, AVG, ESET, and Bitdefender intercept HTTPS connections to inspect them for malware. They replace the server’s certificate with their own. If the antivirus product’s certificate has expired, or if its certificate interception is producing an incorrect date in the certificate it presents to Firefox, the browser shows SEC_ERROR_EXPIRED_CERTIFICATE for connections intercepted by the antivirus even when the actual server’s certificate is valid.
The clearest indicator that antivirus is the cause: open the Firefox error page, click Advanced, and note the Issuer field of the certificate. If it names your antivirus product (Kaspersky Anti-Virus Personal Root, AVAST Web/Mail Shield Root, or similar) rather than a known public CA, the antivirus is intercepting the connection and its certificate is the problem.
Fixes for each product:
- Kaspersky: Open Kaspersky settings, go to Additional, then Network, then Encrypted connections scanning. Select Do not scan encrypted connections, or update the antivirus to ensure its root certificate is current.
- Avast and AVG: Open the dashboard, go to Menu, Settings, Protection, Core Shields, Web Shield, and disable Enable HTTPS scanning.
- ESET: Open ESET, go to Setup, Internet Protection, Web Access Protection, and disable HTTPS filtering.
- Bitdefender: Open Bitdefender, go to Protection, Online Threat Prevention, and turn off Encrypted Web Scan.
After disabling HTTPS scanning, reload the page. If the error clears, the antivirus was the cause. You can re-enable HTTPS scanning and add the specific site to the antivirus URL exclusions list to avoid the error on that site without disabling scanning globally. Most antivirus products also have an option to update their root certificate; running a full product update often resolves the issue without permanently disabling scanning.
SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE: A Different but Related Error
Firefox sometimes shows SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE rather than SEC_ERROR_EXPIRED_CERTIFICATE. These look similar but identify different problems. SEC_ERROR_EXPIRED_CERTIFICATE means the site’s own certificate is expired. SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE means a certificate higher in the chain, typically an intermediate CA certificate, has expired.
Certificate chains consist of three levels: the site’s leaf certificate, one or more intermediate CA certificates, and the root CA certificate. All three must be valid. If the intermediate certificate used to sign the site’s certificate has expired, every site that uses that intermediate will show this error even if the site’s own certificate is current.
This error is almost always server-side. The server is presenting an intermediate certificate that has expired. For visitors, there is little to do except report the error to the site owner. For site owners, the fix is downloading the current intermediate certificate from the CA’s website and updating the certificate bundle on the server to include the new intermediate.
Site owners seeing SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE should check their CA’s certificate repository for updated intermediate certificates. CAs periodically update intermediates and provide download links in their documentation. After downloading the new intermediate, update the ssl_certificate file in Nginx or SSLCertificateFile in Apache to contain the site certificate followed by the new intermediate, then reload the web server. Verify the fix with the SSL Labs test at ssllabs.com/ssltest.
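To tell the two errors apart from the command line, the added example below (not part of the original article) parses the "Certificate chain" section that `openssl s_client -showcerts` prints in OpenSSL 3.x and reports which position in the chain is out of date. The sample output, names and dates are constructed, and the `NOT_YET_VALID` and `OK` labels are this example's own, not Firefox codes.

```python
import re
import ssl

# Constructed sample of the "Certificate chain" section printed by
# `openssl s_client -connect host:443 -showcerts` (OpenSSL 3.x layout).
SAMPLE = """\
Certificate chain
 0 s:CN = shop.example
   i:C = US, O = Example CA, CN = Example Issuing CA 1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 10 00:00:00 2026 GMT; NotAfter: Jul 29 23:59:59 2026 GMT
 1 s:C = US, O = Example CA, CN = Example Issuing CA 1
   i:C = US, O = Example CA, CN = Example Root
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar  1 00:00:00 2021 GMT; NotAfter: Mar  1 00:00:00 2026 GMT
---
"""

SUBJECT = re.compile(r"^\s*(\d+) s:(.*)$")
VALIDITY = re.compile(r"^\s*v:NotBefore: (.+?); NotAfter: (.+)$")


def parse_chain(text):
    """Return [(depth, subject, not_before_epoch, not_after_epoch), ...]."""
    chain, current = [], None
    for line in text.splitlines():
        if m := SUBJECT.match(line):
            current = (int(m.group(1)), m.group(2).strip())
        elif (m := VALIDITY.match(line)) and current:
            nb, na = (ssl.cert_time_to_seconds(g.strip()) for g in m.groups())
            chain.append((*current, nb, na))
            current = None
    return chain


def diagnose(chain, now_epoch):
    """Report the first out-of-date certificate, walking leaf first."""
    for depth, subject, not_before, not_after in chain:
        if now_epoch < not_before:
            # Label chosen for this example; points at a clock set too early.
            return "NOT_YET_VALID", depth, subject
        if now_epoch > not_after:
            code = ("SEC_ERROR_EXPIRED_CERTIFICATE" if depth == 0
                    else "SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE")
            return code, depth, subject
    return "OK", None, None


if __name__ == "__main__":
    now = ssl.cert_time_to_seconds("Apr  1 00:00:00 2026 GMT")
    print(diagnose(parse_chain(SAMPLE), now))
```

Passing a trusted reference time as `now_epoch` instead of the local clock separates a genuinely expired chain from a device clock problem.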
Fix 3: Corporate Network Proxy or VPN (Visitor-Side)
Corporate networks and some VPN configurations route HTTPS traffic through SSL inspection appliances that decrypt and re-encrypt traffic. These appliances present their own certificate to the browser rather than the actual server’s certificate. If the appliance’s certificate has expired, or if the appliance is misconfigured and presenting an expired certificate to Firefox, the browser shows SEC_ERROR_EXPIRED_CERTIFICATE.
The sign: the error appears only when connected to the corporate network or VPN, and disappears when you disconnect and connect through a different network. The Issuer field in the Firefox error details shows an internal certificate authority name rather than a public CA.
The fix is in the network infrastructure rather than on your device. Contact your IT department and report the specific error code and the site you were trying to reach. The SSL inspection appliance’s certificate needs to be updated. As a temporary workaround, disconnecting from the corporate VPN and accessing the site through a direct connection may allow access, if the target site’s actual certificate is valid.
Fix 4: Clear Browser Cache and SSL State
In rare cases, a cached certificate record in the browser can persist after a certificate has been renewed, causing the browser to present the old expired certificate from cache rather than fetching the current one from the server. Clearing the browser cache and SSL state resolves this.
Firefox cache clear
- Open the Firefox menu (three horizontal lines), select Settings
- Go to Privacy and Security
- Under Cookies and Site Data, click Clear Data
- Ensure both Cookies and Site Data and Cached Web Content are checked
- Click Clear and restart Firefox
Chrome cache clear
- Press Ctrl + Shift + Delete in Chrome
- Set the Time range to All time
- Check Cookies and other site data and Cached images and files
- Click Clear data and restart Chrome
Windows SSL state (affects both Chrome and some Firefox configurations)
Windows maintains an SSL state cache that both Chrome and some Firefox configurations read. Clearing it removes any cached certificate data that might be contributing to the error.
- Press Win+R, type inetcpl.cpl, press Enter
- Click the Content tab
- Click Clear SSL state
- Click OK and restart the browser
For Site Owners: Preventing and Fixing Expired Certificates
If visitors are reporting SEC_ERROR_EXPIRED_CERTIFICATE on your site and your clock is correct, your certificate has expired. The priority is renewing and redeploying it as quickly as possible.
Verify the expiry and renew
Check the exact expiry date by opening your site in a browser and viewing the certificate (padlock or Not Secure indicator, then view certificate details). Or use the command line:
```bash
# Check expiry date of your site's live certificate:
echo | openssl s_client -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates
# If the notAfter date is in the past, the certificate is expired.
# Renew immediately through your CA or Let's Encrypt.
# After deploying the renewed certificate, verify it is being served:
echo | openssl s_client -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates
# The notAfter date should now show a future date.
```
The 200-day validity limit and what it means for renewals
The CA/B Forum’s Ballot SC-081v3 (approved April 2025) reduced maximum certificate validity to 200 days from March 15, 2026. Prior to this, certificates lasted up to 398 days. Shorter validity periods mean certificates expire nearly twice as often, which doubles the frequency at which missed renewals can affect visitors. Organizations that were renewing certificates annually now need to renew approximately every six months, or set up automated renewal.
Let’s Encrypt certificates expire every 90 days but renew automatically when Certbot or another ACME client is properly configured. Commercial CA certificates can also be renewed via ACME endpoints that most major CAs now support. Setting up automated renewal eliminates the category of expired certificate incidents entirely.
Monitoring before the error reaches visitors
External monitoring that checks the actually-served certificate’s expiry date is more reliable than internal file-based monitoring, because it catches the scenario where a certificate file was renewed but not deployed. Tools including UptimeRobot SSL monitoring, StatusCake, and the SSL Labs API can send alerts at configurable thresholds before expiry. Setting alerts at 30 days, 14 days, and 7 days provides multiple opportunities to act before the certificate expires.
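A minimal external check along these lines, as an added example rather than code from the article or from any of the tools named above: it handshakes with the live server, reads the expiry of the certificate actually served, and grades it against the 30, 14 and 7 day thresholds. Host names are passed on the command line; the function names and the `EXPIRED` label are this example's own.

```python
import socket
import ssl
import sys
import time

ALERT_DAYS = (30, 14, 7)          # thresholds suggested in the text above
X509_V_ERR_CERT_HAS_EXPIRED = 10  # OpenSSL verify code for an expired certificate


def alert_level(not_after, now_epoch, thresholds=ALERT_DAYS):
    """Return (days_left, level): level is the tightest threshold crossed,
    "EXPIRED" once Not After has passed, or None when no alert is due."""
    seconds_left = ssl.cert_time_to_seconds(not_after) - now_epoch
    if seconds_left <= 0:
        return 0, "EXPIRED"
    days_left = int(seconds_left // 86400)
    crossed = [t for t in sorted(thresholds) if days_left <= t]
    return days_left, (crossed[0] if crossed else None)


def check_served_cert(host, port=443, timeout=10):
    """Handshake with the live server and grade the certificate it serves."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # Verification already failed on expiry; this code covers the leaf
        # and any expired certificate higher in the chain.
        if exc.verify_code == X509_V_ERR_CERT_HAS_EXPIRED:
            return 0, "EXPIRED"
        raise
    return alert_level(not_after, time.time())


if __name__ == "__main__":
    failing = 0
    for host in sys.argv[1:]:
        days, level = check_served_cert(host)
        print(f"{host}: {days} days left, alert={level}")
        failing |= level is not None
    sys.exit(failing)  # non-zero exit lets cron or CI raise the alert
```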
Frequently Asked Questions
What does SEC_ERROR_EXPIRED_CERTIFICATE mean?
SEC_ERROR_EXPIRED_CERTIFICATE is Firefox’s error code for a certificate whose Not After date has passed, meaning its validity period has ended. Firefox cannot verify the server’s identity because the certificate that was supposed to prove it is no longer valid. Chrome shows the same condition as NET::ERR_CERT_DATE_INVALID. The error can be caused by a genuinely expired server certificate, a device clock set to a date outside the certificate’s validity window, an antivirus product intercepting HTTPS traffic with an expired certificate, or a corporate network proxy presenting an expired certificate.
Is it safe to click ‘Accept the Risk’ on this error?
It depends entirely on the site and the context. For a local development server with a self-signed certificate you generated yourself, accepting the risk is fine. For any public website, especially one where you would enter a password, payment information, or personal details, do not proceed. An expired certificate means the connection’s authentication cannot be verified. While the site is usually legitimate and has simply missed its renewal, you cannot know this with certainty until the certificate is renewed. The encryption of data in transit may still be functional, but the identity verification is not.
The error appears only on one site. Is my clock wrong or is their certificate expired?
Check the expiry date shown in the Firefox error details. Click Advanced on the error page and look for the certificate expiry date. If that date is today or in the recent past and your system clock shows approximately today’s actual date, the server’s certificate has genuinely expired and there is nothing to fix on your device. If the expiry date shown appears to be far in the future, your clock is ahead of the certificate’s Not After date, which is an unusual but possible clock configuration.
What is SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE and how is it different?
SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE means an intermediate CA certificate in the certificate chain has expired, rather than the site’s own certificate. The server is presenting an outdated intermediate certificate that has passed its validity date. This is a server configuration problem: the server owner needs to obtain the updated intermediate certificate from their CA and update their certificate bundle. As a visitor, this error is not fixable on your end. The site owner needs to address it.
I fixed my clock and the error is gone. Why did my clock drift?
Device clocks drift for several reasons. Battery-powered real-time clocks on hardware that has been powered off for a long time can lose time, particularly if the CMOS battery is weak or depleted. Virtual machines and cloud instances sometimes have clock synchronization issues. Devices that have not connected to the internet for an extended period may not have synchronized with an NTP server. Enabling automatic time synchronization (which uses NTP to keep the clock accurate) prevents clock drift from causing certificate errors.
Can clearing Firefox’s certificate cache fix this error?
Rarely, but in some cases a cached expired certificate will persist after the server renews, causing Firefox to show the error for a site that actually has a valid certificate now. To clear Firefox’s certificate database, you can delete or rename the cert9.db file in the Firefox profile folder while Firefox is closed. On Windows this is at AppData, Roaming, Mozilla, Firefox, Profiles, your-profile-folder. On Mac it is in Library, Application Support, Firefox, Profiles. Restart Firefox and it will rebuild the certificate database on the next connection. This is a last resort; most certificate caching issues resolve by simply clearing the browser cache through the settings menu.
