A test on my subdomain portal.peakdistrict.gov.uk (SSL Server Test: portal.peakdistrict.gov.uk (Powered by Qualys SSL Labs)) shows my valid certificate as expected, and is properly configured. However, it also lists a self-signed cert that applies to a separate virtual host on the same server (which uses the same IP but is an internal-only site).
The server is Apache with virtual hosts sharing one IP. The certificates are defined in the virtual host containers, not in the default virtual host. HSTS is configured for the subdomain. All non-SSL requests are redirected by the virtual hosts. The host with the self-signed certificate does not have any reference to the peakdistrict.gov.uk domain name.
Any pointers about where to start looking into this? I've discovered this whilst investigating a problem with older browsers (namely Safari <=6) having difficulty with the site.