I visit my website using Chrome on macOS Mojave, for example, qa.abc.com, and the SSL leaf certificate is from customer-test.ssl.fastly.net. I recently updated the CNAME record in my DNS for qa.abc.com so that it should point b3.shared.global.fastly.net. When I visit qa.abc.com, it resolves the SSL certificate at customer-test.ssl.fastly.net instead of b3.shared.global.fastly.net.
You would think clearing the cache might do the trick, but nope, whether it's Chrome's incognito mode or clearing its cache, still the same. Then I checked on both Safari, Firefox, and even tried to run the following command in my Terminal:
echo | openssl s_client -connect qa.abc.com:443
with the result being:
--- Certificate chain 0 s:/C=US/ST=California/L=San Francisco/O=Fastly, Inc./CN=customer-test.ssl.fastly.net i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign CloudSSL CA - SHA256 - G3 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign CloudSSL CA - SHA256 - G3 i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
If I jump onto my brother's Windows 10 machine on the same wifi network, the website correctly pulls the SSL certificate from b3.shared.global.fastly.net. If I access the site via my iPhone 6, it's correctly pulling from b3.shared.global.fastly.net. If I browse on my MacBook via tethering on my iPhone 6, it still shows up as customer-test.ssl.fastly.net.
So, we know that:
I suspect that the mapping between a SSL certificate and a domain is cached somewhere at the operating system level.
Other things I've tried but did not work: