Fix TCR Code 1103: Website SSL Certificate Failed - MyTCRPlus
1103

Website SSL Certificate Failed

HIGH PRIORITY
18% Rejection Rate
1-2 hours Avg Fix Time
99% Success Rate

Why This Rejection Happens

The carrier's automated verification bot could not establish a secure connection to your brand's website. The website is either missing an SSL certificate (serving over HTTP instead of HTTPS) or the certificate is invalid, expired, or self-signed.

Common Triggers: Expired SSL certificate, "Not Secure" browser warning, mixed content errors, or incorrectly configured DNS causing certificate mismatches.

Root Cause Analysis

Regulatory Framework: 10DLC Brand Identity & Verification Standards / Carrier Security Policies

Primary Triggers

  • Expired Certificate: The SSL certificate has passed its validity date, causing browsers and bots to block access.
  • Self-Signed Certificate: Using a developer or "self-signed" certificate that is not trusted by public certificate authorities (common on dev/staging sites).
  • No HTTPS Redirect: The website loads on `http://` but does not automatically redirect visitors to `https://`, leaving the insecure version accessible.
  • Name Mismatch: The certificate covers `example.com` but the link submitted was `www.example.com` (or vice versa) and the certificate does not cover subdomains.

Required Elements

| Element | Requirement | Rationale |
|---|---|---|
| Valid SSL | Active, Trusted Cert | Carriers require encrypted connections to verify legitimate businesses and protect user data. |
| Protocol | HTTPS (Port 443) | HTTP (Port 80) is considered insecure and unprofessional for a registered brand. |
| Accessibility | No Browser Warnings | If a Chrome user sees "Your connection is not private," the vetting bot sees the same error and rejects the application. |

Step-by-Step Remediation

1. Install or Renew SSL Certificate

Contact your hosting provider (GoDaddy, Bluehost, AWS, etc.) to install a valid SSL certificate. Many hosts offer free Let's Encrypt certificates.

✓ Compliant URL

https://www.yourbrand.com

(Padlock icon visible, no warnings)

✗ Non-Compliant URL

http://www.yourbrand.com

(Labeled "Not Secure" in browser bar)

2. Force HTTPS Redirection

Ensure that anyone typing your domain is automatically sent to the secure version. This usually requires a rule in your `.htaccess` file or hosting settings.

✓ .htaccess Redirect Rule

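```apache
# Redirect every plain-HTTP request to the same host and path over HTTPS.
# Behind a TLS-terminating proxy or CDN, %{HTTPS} stays "off"; test the
# X-Forwarded-Proto header there instead to avoid a redirect loop.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```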

3. Verify Certificate Chain

Use an external tool to check for "Intermediate Certificate" errors. Your own browser may trust the site because it already has the intermediate certificate cached, but a fresh visitor (like the carrier bot) will see an error.

⚠️ Critical Mistake: Do not use a self-signed certificate. These generate immediate security warnings and will result in automatic rejection.
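
The checks in steps 1 to 3 can be run the way a first-time visitor would see the site. The Python script below is an added example, not MyTCRPlus or carrier tooling; its function names are illustrative, and it relies on the fact that Python's `ssl` module does not download missing intermediate certificates, so an incomplete chain fails here even if your browser accepts it.

```python
import http.client
import socket
import ssl
import sys
import time

TRIGGERS = {  # OpenSSL verify codes mapped to the triggers this page lists
    10: "expired certificate",
    18: "self-signed certificate",
    19: "self-signed certificate in chain",
    20: "issuer not found: missing intermediate or untrusted CA",
    62: "name mismatch between certificate and submitted host",
}

def classify(verify_code, verify_message=""):
    return TRIGGERS.get(verify_code, f"other verification error: {verify_message}")

def check_tls(host, port=443, timeout=10):
    """Handshake with a fresh context; ssl does not fetch missing intermediates."""
    ctx = ssl.create_default_context()  # system CA store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        return False, classify(exc.verify_code, exc.verify_message)
    except OSError as exc:  # refused, timeout, DNS failure, protocol error
        return False, f"no TLS connection: {exc}"
    days = int((ssl.cert_time_to_seconds(not_after) - time.time()) // 86400)
    return True, f"trusted chain, {days} days until expiry"

def redirect_ok(status, location):
    """True when the plain-HTTP response is a redirect to an https:// URL."""
    return status in (301, 302, 307, 308) and (location or "").lower().startswith("https://")

def check_redirect(host, timeout=10):  # does not follow the redirect
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        return redirect_ok(resp.status, resp.getheader("Location"))
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()

if __name__ == "__main__":
    for host in sys.argv[1:]:  # constructed usage: pass the hostnames to check
        print(host, "| TLS:", check_tls(host), "| HTTP->HTTPS:", check_redirect(host))
```

Run it against every hostname you might submit, for example both the bare domain and the `www` form, since a name mismatch can affect only one of them.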

Carrier-Specific Requirements

T-Mobile & AT&T

  • Strictly require HTTPS for all brand websites.
  • Will reject applications if the submitted URL triggers a browser security warning (interstitial page).

Privacy & Data

  • If your website collects opt-ins (phone numbers), SSL is legally required to protect that personal data during transmission.

MyTCRPlus Tools That Can Help

Website Validator

Scans your URL for SSL validity, chain issues, and HTTP-to-HTTPS redirection compliance.


Brand Registration Helper

Ensures the URL you submit matches the domain on your SSL certificate to avoid name mismatch errors.


Pre-Resubmission Checklist

  • The website loads with `https://` prefix.
  • The browser displays a locked padlock icon next to the URL.
  • The SSL certificate has not expired.
  • The certificate "Common Name" (CN) matches the website domain.
  • HTTP traffic automatically redirects to HTTPS.

Common Mistakes to Avoid

❌ Ignoring "Mixed Content"

Even with an SSL cert, if your page loads images or scripts over HTTP, the lock icon will disappear. Ensure all assets (images, CSS, JS) are loaded via HTTPS.

❌ Typo in Submitted URL

Sometimes the SSL is fine, but you submitted `http://brand.com` instead of `https://brand.com` in the TCR portal. Always submit the full secure URL.

Expected Timeline

  • Implementation Time: 1-2 Hours
  • Resubmission Review: 3-5 Days
  • Success Rate After Fix: 99%