Every once in a while, I encounter some variation of the following question: how can a TLS certificate go from perfectly acceptable one day to completely insecure the next? In other words, why does the browser show a scary full-page warning for a certificate that expired one day, or even one hour, ago – the same as a certificate that is self-signed, chains to an unknown root, or presents the wrong name? The premise behind these questions is that an expired certificate (especially one that i...
