Wildcard certificate renewed but old cert still served

Minimal guidance for messy support realities.

Scenario

A valid replacement certificate exists, yet clients still receive the expired or previous wildcard certificate.

Recommended Resolution Path

  1. Check whether the service, reverse proxy, or load balancer is actually bound to the new certificate.
  2. Inspect SNI bindings and any secondary listener that may still use the old cert.
  3. Restart or reload the affected service only after confirming the correct certificate is installed.
  4. Verify from multiple clients so that a cached intermediate certificate or a local trust problem on one client does not mislead you.
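
One way to script the checks in steps 1, 2 and 4, as an added example that is not part of the original guidance: it fetches the certificate each listener presents for each SNI name and compares its SHA-256 fingerprint with the renewed certificate. The hostnames, the `fetch` parameter, the file name in the comment and the byte strings in the demo are assumptions constructed for illustration.

```python
import hashlib
import socket
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def fetch_served_cert(host, port, sni, timeout=5.0) -> bytes:
    """Return the leaf certificate (DER) a listener presents for one SNI name."""
    ctx = ssl.create_default_context()
    # Validation is off so an expired or mismatched cert can still be retrieved
    # for inspection; this context is for diagnosis only, never for real traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)


def audit_listeners(expected_der, listeners, fetch=fetch_served_cert):
    """Compare each (host, port, sni) listener against the renewed certificate."""
    want = fingerprint(expected_der)
    results = []
    for host, port, sni in listeners:
        try:
            got = fingerprint(fetch(host, port, sni))
            status = "new" if got == want else "stale"
        except OSError as exc:  # covers refused, timeout and ssl.SSLError
            got, status = None, f"error: {exc}"
        results.append({"listener": (host, port, sni), "sha256": got, "status": status})
    return results


if __name__ == "__main__":
    # Constructed stand-ins for DER bytes. With a real leaf-only PEM file
    # (hypothetical name): ssl.PEM_cert_to_DER_cert(open("new-wildcard.pem").read())
    NEW, OLD = b"constructed-new-cert", b"constructed-old-cert"

    def fake_fetch(host, port, sni):  # hypothetical fetcher for the offline demo
        return OLD if port == 8443 else NEW

    targets = [("lb.example.test", 443, "www.example.test"),
               ("lb.example.test", 8443, "api.example.test")]
    for row in audit_listeners(NEW, targets, fetch=fake_fetch):
        print(row["status"], row["listener"])
```

A "stale" row names the listener or SNI binding that still needs the new certificate before any reload; running the same audit from more than one client covers step 4.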

Technician Notes

Document what changed, what confirmed the fix, and whether the issue points to a broader standards gap worth addressing for the client.