HomeSecurity ToolsSSL Certificate Checker
Security Tool

SSL Certificate Checker

Verify SSL/TLS certificate validity, chain completeness, issuer, expiry, and TLS version for any domain. Diagnose common certificate errors instantly.

How to Use

Use SSL Certificate Checker in 4 Steps

01
Enter domain
Type the hostname to check (e.g. example.com or sub.example.com).
02
Run check
We connect on port 443 and retrieve the full certificate chain.
03
Review validity
Check issuer, expiry, SANs, and chain completeness.
04
Fix issues
Use the error guide below to resolve any warnings or failures.

What is an SSL/TLS Certificate?

An SSL/TLS certificate is a digital document issued by a trusted Certificate Authority (CA) that binds a cryptographic public key to a domain name. It enables HTTPS — the encrypted, authenticated connection between a browser and a web server. Despite the common term "SSL," all modern certificates use TLS (Transport Layer Security). SSL 2.0, 3.0 and TLS 1.0/1.1 are all deprecated.

When you visit an HTTPS site, your browser verifies that the certificate is valid, not expired, issued by a trusted CA, and matches the hostname. If any check fails, the browser shows a security warning that blocks most users.

SSL Certificate Types

Certificates are categorised by the level of identity verification the CA performed before issuing them.

TypeValidatesIssuance timeBest for
DV — Domain ValidatedDomain ownership onlyMinutesPersonal sites, blogs, APIs
OV — Organisation ValidatedDomain + legal entity1–3 daysBusiness websites, SaaS
EV — Extended ValidationDomain + extensive org verification1–5 daysBanks, e-commerce, enterprises
Wildcard (*.domain.com)Domain + all direct subdomainsMinutes–daysMulti-subdomain deployments
Multi-SAN / UCCMultiple specific domainsMinutes–daysMicrosoft Exchange, multi-domain hosting
Self-signedNothing (no CA)InstantInternal/dev only — never public-facing

Common SSL Certificate Errors and Fixes

These are the most frequent errors browsers and monitoring tools report, and how to resolve each one.

ErrorCauseFix
Certificate expiredCert past its notAfter dateRenew immediately. Set up automated renewal (e.g. Let's Encrypt + certbot).
Hostname mismatchURL domain not in cert's CN or SAN listReissue cert including correct hostname, or add www/apex as SAN.
Untrusted issuer / self-signedCA not in browser trust storeReplace with a cert from a public CA (Let's Encrypt, DigiCert, etc.).
Incomplete chainIntermediate cert(s) missing on serverConfigure server to send full chain bundle including intermediates.
Certificate revokedCA revoked cert (key compromise, mis-issue)Reissue new cert with fresh private key.
Weak signature algorithmSHA-1 or MD5 hashReissue with SHA-256 or better.
TLS 1.0/1.1 onlyServer does not support TLS 1.2+Update server config to enable TLS 1.2 and 1.3; disable old protocols.

TLS Protocol Version Comparison

ProtocolStatusBrowser supportNotes
SSL 2.0 / 3.0DeprecatedBlocked by all browsersPOODLE, DROWN vulnerabilities
TLS 1.0Deprecated (RFC 8996)Disabled by defaultBEAST attack; PCI DSS non-compliant
TLS 1.1Deprecated (RFC 8996)Disabled by defaultNo known critical exploits but no security maintenance
TLS 1.2Current standardUniversal supportMinimum required for PCI DSS, HIPAA
TLS 1.3RecommendedSupported by all modern clientsFaster handshake (1-RTT), removes weak ciphers, forward secrecy only

SSL Certificate Lifecycle and 90-Day Certificates

Certificate lifetimes have been progressively shortened. Let's Encrypt issues 90-day certificates since its launch. In 2025, major CAs and browser vendors agreed to reduce the maximum certificate lifetime to 90 days, pushing the industry toward automated renewal (ACME protocol, certbot, Caddy auto-TLS).

Shorter lifetimes reduce the window of exposure if a private key is compromised but increase the risk of expiry-caused outages if renewal is not automated. Set up monitoring and automated renewal before relying on short-lived certs.

How to Check SSL Certificates from the Command Line

These commands let you inspect certificate details directly without a browser:

# View certificate subject, issuer, and validity dates
openssl s_client -connect example.com:443 -servername example.com \
  < /dev/null 2>/dev/null | openssl x509 -noout -dates -subject -issuer

# Show the full certificate chain
openssl s_client -connect example.com:443 -servername example.com \
  -showcerts < /dev/null 2>/dev/null

# Check which TLS versions the server supports
nmap --script ssl-enum-ciphers -p 443 example.com

# Verify expiry date only
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \
  | openssl x509 -noout -enddate

# Test with a specific TLS version
openssl s_client -connect example.com:443 -tls1_3 -servername example.com

SSL and SEO

Google confirmed HTTPS as a ranking signal in 2014. Beyond rankings, an invalid or expired SSL certificate causes browsers to show blocking security warnings that prevent most users from reaching your site at all — a far larger traffic impact than any ranking factor. Expired certificates also fail Core Web Vitals fetches, removing pages from the CrUX dataset.

For sites migrating from HTTP to HTTPS: ensure 301 redirects are in place, update canonical tags, update your sitemap URLs, and submit the HTTPS property separately in Google Search Console.

Frequently Asked Questions

What is an SSL/TLS certificate?
An SSL/TLS certificate is a digital document issued by a Certificate Authority (CA) that proves a website's identity and enables encrypted HTTPS connections. It contains the domain name, certificate validity period, issuer name, and a public key. Despite the name "SSL," modern certificates use TLS (Transport Layer Security) — SSL is an outdated predecessor.
What is the difference between DV, OV, and EV certificates?
Domain Validation (DV) certificates verify only domain ownership — the cheapest and fastest to issue, used for most websites. Organisation Validation (OV) certificates verify the domain and the legal entity behind it. Extended Validation (EV) certificates require rigorous verification of the organisation and were historically shown with a green address bar, though most browsers no longer visually distinguish them.
Why is my SSL certificate showing as untrusted?
The most common causes are: (1) the certificate was issued by a CA not in your browser's trust store (e.g., a self-signed cert), (2) an intermediate certificate is missing from the chain, (3) the certificate has expired, or (4) the domain name on the cert does not match the URL you visited. This tool checks all of these conditions.
How often should I check my SSL certificate?
Check manually after any renewal, DNS change, or load balancer update. For automated monitoring, weekly checks are recommended for public-facing services. Certificate lifetimes have been reduced to 90 days by major CAs starting in 2025, so timely renewal alerts are critical.
What is a wildcard SSL certificate?
A wildcard certificate covers a domain and all its direct subdomains using a single certificate. For example, *.example.com covers www.example.com, mail.example.com, api.example.com, etc. It does not cover the root domain (example.com) or second-level subdomains (a.b.example.com) unless they are added as SANs.
What does "incomplete certificate chain" mean?
HTTPS requires a complete chain from your server certificate to a trusted root CA. Intermediate certificates link your cert to the root. If your server does not send the intermediate bundle, some clients (especially mobile apps and older browsers) cannot verify trust. Use this tool to detect missing intermediates.
How do I check my SSL certificate from the command line?
Use: openssl s_client -connect example.com:443 -servername example.com < /dev/null 2>/dev/null | openssl x509 -noout -dates -subject -issuer. This shows the subject, issuer, and validity dates. Add -showcerts to see the full chain.
What TLS versions should I support?
TLS 1.2 and TLS 1.3 are the current standards. TLS 1.0 and 1.1 are deprecated and disabled by most modern clients. TLS 1.3 is significantly faster (1-RTT handshake) and more secure. Disable TLS 1.0/1.1 on your server if you have not already.
Quick Reference
HTTPS port443
TLS versions1.2 / 1.3
Max cert life (2025)90 days
Min key size (RSA)2048-bit
Recommended hashSHA-256
Root CA programsMozilla, Apple, Microsoft
Test Hostnames
Valid certexample.com
Expired certexpired.badssl.com
Self-signedself-signed.badssl.com
Wrong hostwrong.host.badssl.com
Free Newsletter

Get guides like this by email

DNS, email auth, and security playbooks delivered when they publish. No spam.