What to do if…
your website suddenly shows a certificate or security warning and you did not change anything

What to do now

1. Reduce immediate harm to users (first 5–10 minutes).
   Temporarily disable sign-in, checkout, and any sensitive forms (maintenance page is fine). The goal is to prevent credential theft if this is interception or redirection.

2. Confirm the warning is for your exact domain (not a typo-squat).
   Compare the full domain in the browser warning to your official domain/subdomains. If it differs even slightly, treat it as phishing and stop.

3. Determine whether it’s widespread or local.
   Test from a second device and a different network (e.g., mobile hotspot).
   If it only happens on one device/network, suspect local HTTPS interception (proxy/antivirus), captive portals, or incorrect system time.

4. Check the fast common causes.

   • System time: confirm the device and your server time are correct.
   • Expiration: check the certificate expiration date shown in the browser details.
   • Hostname mismatch: confirm the certificate is issued for your domain (SAN/subject).

5. Verify what certificate the public sees (outside your own network).
   Use your hosting/CDN dashboard or a reputable external TLS test tool to verify:

   • the certificate’s domain names match your site
   • the issuer is expected
   • the chain is complete
     Record exactly what certificate is being served and the time observed.

6. Audit the control plane: DNS, CDN, hosting.

   • DNS provider: check recent changes and current A/AAAA/CNAME targets. Look for unexpected IPs or new records.
   • CDN/proxy settings: confirm proxy status and SSL/TLS mode; check whether “pause/disable proxy” exposed an origin-only certificate.
   • Hosting panel/web server config: confirm which certificate is bound to your site and whether a recent deploy/restart reverted configuration.

7. If it’s a configuration/expiry issue: restore a valid certificate deliberately.

   • Renew/reissue through your current CA or platform certificate manager.
   • Replace the wrong/expired certificate and remove obsolete selections where possible.
   • Re-test from a clean device/network and confirm browsers no longer warn.

8. If compromise is plausible, contain first, then fix. Signs include: unexplained DNS changes, new admin users, suspicious redirects, unknown API tokens, or certificates you didn’t request.
   Containment priorities:

   • secure DNS/CDN/hosting accounts (MFA, revoke unknown sessions, rotate passwords)
   • rotate infrastructure/API keys used to manage DNS/CDN/hosting
   • preserve logs (CDN/WAF logs, web server logs, auth/audit logs) before they roll over

9. If personal info might be exposed, use established US incident-response guidance.

   • Follow the FTC’s “Data Breach Response: A Guide for Business” steps for securing systems and deciding who to notify.
   • If you take card payments and suspect payment card data exposure, contact your payment processor/acquiring bank promptly and follow card-brand requirements (they may require a specific investigation process).

10. Use US reporting routes when appropriate.

• If you suspect a significant cyber incident, you can report it to CISA using their reporting channels.
• If you believe you’ve been the victim of cyber-enabled crime or fraud, file a report with the FBI’s Internet Crime Complaint Center (IC3). If anyone is in immediate danger, call 911.