**An expired TLS certificate doesn't just remove the padlock — browsers block the whole site with a full-page security warning.** This check looks at whether your certificate is valid, trusted, matches your domain, and isn't about to expire. Because certificates have a fixed lifespan and must be renewed, an unnoticed expiry can take your site offline for every visitor at once.
It checks the health of your site's TLS/SSL certificate beyond just having HTTPS. Specifically:
- Validity — the certificate is currently valid and issued by a trusted authority.
- Domain match — it's issued for the domain being served (not a mismatched or wildcard gap).
- Expiry window — how soon it expires, flagging certificates close to their end date so they can be renewed in time.
A valid certificate with comfortable time before expiry passes; one nearing expiry is a warning; an expired, untrusted or mismatched certificate is a fail.
GEObubbly inspects the certificate served on the live TLS connection, checking its validity, trust chain and expiry date. It's a core, scored Infrastructure check that runs server-side against the live connection.
Criteria: Pass — valid, >30 days to expiry. Warning — valid but <30 days, or chain issues. Fail — expired, self-signed, mismatched or untrusted.
This check goes a step beyond having HTTPS to the ongoing health of the certificate that makes HTTPS work. TLS certificates are issued for a fixed period and must be renewed before they expire — and an expired certificate is far worse than no padlock: modern browsers show a full-page security interstitial warning users the connection isn't private, which most people will not click past. In effect, an expired certificate takes your entire site offline for every visitor, and crawlers hitting the error will struggle to access your content too. The same hard failure happens if the certificate is untrusted (self-signed or from an unrecognised authority) or doesn't match the domain. These outages are usually self-inflicted and avoidable: certificates from providers like Let's Encrypt are typically auto-renewed, but renewal can silently break, so monitoring the expiry date is essential. For both SEO and GEO, availability is the prerequisite for everything — a site behind a certificate error can't be crawled, ranked or cited. Keeping the certificate valid and comfortably ahead of expiry protects uptime.
When a TLS certificate expires, browsers stop trusting the connection and display a full-page security warning — an interstitial telling the user the connection isn't private and advising them not to proceed. Unlike a missing padlock, this blocks access to the whole site: most visitors won't (and shouldn't) click past the warning, so the site is effectively offline for everyone. Crawlers hitting the certificate error also struggle to access your content. Because certificates have fixed lifespans, an expiry that isn't caught in time causes a sudden, total outage, which is why monitoring renewal is critical.
TLS certificates are issued for a fixed period and must be renewed before that period ends — maximum lifespans have been getting shorter over time as the industry moves toward more frequent renewal for security. Free automated certificates like Let's Encrypt typically have short lifespans and are designed to auto-renew well before expiry. The exact duration depends on your provider, but the operational point is the same regardless of length: every certificate expires, so you need a reliable renewal process and monitoring to ensure it's replaced in time rather than lapsing unnoticed.
Automate renewal and monitor it. Many providers, including Let's Encrypt, support automatic renewal so the certificate is replaced before it expires without manual intervention — but automation can silently fail, so don't rely on it blindly. Set up monitoring or alerts that warn you well ahead of the expiry date, giving you time to act if renewal breaks. Keep track of which certificates cover which domains and subdomains so none is forgotten. The combination of automated renewal plus independent expiry monitoring is what reliably prevents the sudden outage an expired certificate causes.
Several things. A certificate is invalid if it's issued by an authority the browser doesn't trust (such as a self-signed certificate or one from an unrecognised CA), if it doesn't match the domain being served (a name mismatch, or a wildcard that doesn't cover the subdomain), or if its trust chain is incomplete so the browser can't verify it. Any of these triggers a security warning much like expiry does. So beyond keeping the certificate current, it must be issued by a trusted authority, correctly cover the exact domain and subdomains you serve, and include the full chain.
Yes, fundamentally, because it affects availability. A site behind an expired, untrusted or mismatched certificate is blocked for users and problematic for crawlers, so it can't be reliably accessed, ranked or cited — and a certificate outage can cause a sudden drop in crawlability and rankings until it's fixed. AI crawlers, like search crawlers, need to reach your content over a valid secure connection. Keeping your certificate valid and ahead of expiry protects the uptime that all of SEO and GEO depends on; everything else is moot if the site is unreachable.