SSL Certificate Checker
Verify SSL/TLS certificate validity, chain completeness, issuer, expiry, and TLS version for any domain. Diagnose common certificate errors instantly.
Use SSL Certificate Checker in 4 Steps
What is an SSL/TLS Certificate?
An SSL/TLS certificate is a digital document issued by a trusted Certificate Authority (CA) that binds a cryptographic public key to a domain name. It enables HTTPS — the encrypted, authenticated connection between a browser and a web server. Despite the common term "SSL," all modern certificates use TLS (Transport Layer Security). SSL 2.0, 3.0 and TLS 1.0/1.1 are all deprecated.
When you visit an HTTPS site, your browser verifies that the certificate is valid, not expired, issued by a trusted CA, and matches the hostname. If any check fails, the browser shows a security warning that blocks most users.
SSL Certificate Types
Certificates are categorised by the level of identity verification the CA performed before issuing them.
| Type | Validates | Issuance time | Best for |
|---|---|---|---|
| DV — Domain Validated | Domain ownership only | Minutes | Personal sites, blogs, APIs |
| OV — Organisation Validated | Domain + legal entity | 1–3 days | Business websites, SaaS |
| EV — Extended Validation | Domain + extensive org verification | 1–5 days | Banks, e-commerce, enterprises |
| Wildcard (*.domain.com) | Domain + all direct subdomains | Minutes–days | Multi-subdomain deployments |
| Multi-SAN / UCC | Multiple specific domains | Minutes–days | Microsoft Exchange, multi-domain hosting |
| Self-signed | Nothing (no CA) | Instant | Internal/dev only — never public-facing |
Common SSL Certificate Errors and Fixes
These are the most frequent errors browsers and monitoring tools report, and how to resolve each one.
| Error | Cause | Fix |
|---|---|---|
| Certificate expired | Cert past its notAfter date | Renew immediately. Set up automated renewal (e.g. Let's Encrypt + certbot). |
| Hostname mismatch | URL domain not in cert's CN or SAN list | Reissue cert including correct hostname, or add www/apex as SAN. |
| Untrusted issuer / self-signed | CA not in browser trust store | Replace with a cert from a public CA (Let's Encrypt, DigiCert, etc.). |
| Incomplete chain | Intermediate cert(s) missing on server | Configure server to send full chain bundle including intermediates. |
| Certificate revoked | CA revoked cert (key compromise, mis-issue) | Reissue new cert with fresh private key. |
| Weak signature algorithm | SHA-1 or MD5 hash | Reissue with SHA-256 or better. |
| TLS 1.0/1.1 only | Server does not support TLS 1.2+ | Update server config to enable TLS 1.2 and 1.3; disable old protocols. |
TLS Protocol Version Comparison
| Protocol | Status | Browser support | Notes |
|---|---|---|---|
| SSL 2.0 / 3.0 | Deprecated | Blocked by all browsers | POODLE, DROWN vulnerabilities |
| TLS 1.0 | Deprecated (RFC 8996) | Disabled by default | BEAST attack; PCI DSS non-compliant |
| TLS 1.1 | Deprecated (RFC 8996) | Disabled by default | No known critical exploits but no security maintenance |
| TLS 1.2 | Current standard | Universal support | Minimum required for PCI DSS, HIPAA |
| TLS 1.3 | Recommended | Supported by all modern clients | Faster handshake (1-RTT), removes weak ciphers, forward secrecy only |
SSL Certificate Lifecycle and 90-Day Certificates
Certificate lifetimes have been progressively shortened. Let's Encrypt issues 90-day certificates since its launch. In 2025, major CAs and browser vendors agreed to reduce the maximum certificate lifetime to 90 days, pushing the industry toward automated renewal (ACME protocol, certbot, Caddy auto-TLS).
Shorter lifetimes reduce the window of exposure if a private key is compromised but increase the risk of expiry-caused outages if renewal is not automated. Set up monitoring and automated renewal before relying on short-lived certs.
How to Check SSL Certificates from the Command Line
These commands let you inspect certificate details directly without a browser:
# View certificate subject, issuer, and validity dates
openssl s_client -connect example.com:443 -servername example.com \
< /dev/null 2>/dev/null | openssl x509 -noout -dates -subject -issuer
# Show the full certificate chain
openssl s_client -connect example.com:443 -servername example.com \
-showcerts < /dev/null 2>/dev/null
# Check which TLS versions the server supports
nmap --script ssl-enum-ciphers -p 443 example.com
# Verify expiry date only
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \
| openssl x509 -noout -enddate
# Test with a specific TLS version
openssl s_client -connect example.com:443 -tls1_3 -servername example.comSSL and SEO
Google confirmed HTTPS as a ranking signal in 2014. Beyond rankings, an invalid or expired SSL certificate causes browsers to show blocking security warnings that prevent most users from reaching your site at all — a far larger traffic impact than any ranking factor. Expired certificates also fail Core Web Vitals fetches, removing pages from the CrUX dataset.
For sites migrating from HTTP to HTTPS: ensure 301 redirects are in place, update canonical tags, update your sitemap URLs, and submit the HTTPS property separately in Google Search Console.
Frequently Asked Questions
Related Tools
Get guides like this by email
DNS, email auth, and security playbooks delivered when they publish. No spam.