It may be that the cert is valid in terms of Common Name (domain), but it can't be verified due to revocation, broken validation chain (lack of intermediate certs on new SHA-2 certs), expired or anything else preventing it to be fully valid. I'd bet for the intermediate certs which is the case...