How to fix ssl cert invalid on Adobe Commerce (Magento)

Steps for Adobe Commerce (Magento)

1. Adobe Commerce (self-hosted or cloud) requires you to manage SSL certificates at the server or cloud infrastructure level.
2. For Adobe Commerce Cloud (PaaS): log in to the Cloud Console → select your project/environment → Domains. Add or update your custom domain and Adobe will provision a Let's Encrypt certificate via Fastly CDN automatically.
3. For self-hosted Magento on Apache: copy your new certificate (.crt), private key (.key), and CA bundle (.ca-bundle) to the server. Edit your Apache VirtualHost file (e.g. /etc/apache2/sites-available/yourstore.conf): set SSLCertificateFile, SSLCertificateKeyFile, and SSLCACertificateFile to the correct paths. Restart Apache: sudo systemctl restart apache2.
4. For self-hosted Magento on Nginx: update your server block with ssl_certificate and ssl_certificate_key pointing to the new files. Run: sudo nginx -t && sudo systemctl reload nginx.
5. In Magento Admin → Stores → Configuration → General → Web, ensure 'Base URL (Secure)' is set to https:// with your correct domain, and 'Use Secure URLs on Storefront' and 'Use Secure URLs in Admin' are both set to Yes.
6. Run bin/magento cache:flush after making Admin configuration changes.

What is ssl cert invalid?

Every website served over HTTPS needs an SSL/TLS certificate issued by a trusted Certificate Authority (CA). That certificate must list the exact domain name (or a wildcard that covers it) your visitors use to reach your store. A "hostname mismatch" error means the certificate installed on your server was issued for a *different* domain — for example, it covers `www.example.com` but your store is accessed at `example.com`, or the certificate belongs to a completely different domain altogether. Browsers check this match every time someone loads your site; if it fails, they show a full-screen warning and refuse to complete the connection.

A certificate hostname mismatch is one of the most damaging trust failures an online store can have. Browsers (Chrome, Firefox, Safari, Edge) display a red "Your connection is not private" warning that blocks visitors before they ever see your store — most users immediately leave and never return, costing you sales directly. Google treats HTTPS as a ranking signal and may demote or de-index pages that cannot be loaded securely, reducing your organic traffic. From a legal and compliance perspective, payment card industry (PCI-DSS) rules require that cardholder data be encrypted with a valid certificate; a mismatch means you are technically non-compliant and could face fines or lose the ability to accept cards. Under OWASP's A02:2021 Cryptographic Failures, an invalid certificate is classified as a critical security vulnerability because it leaves all data exchanged between your customers and your store potentially exposed to interception.

See the complete Ssl cert invalid guide for every platform and the full background.