SSL Certificate Check
Inspect the SSL/TLS certificate for any hostname. Verify that the certificate is valid, check the expiry date, review which domains are covered by the certificate (SANs), and confirm the issuing Certificate Authority.
What Makes a Certificate Trustworthy?
A valid SSL/TLS certificate ensures your connection is encrypted and that you are talking to the right server. Here is what to look for: New to the topic? Start with our guide to what SSL/TLS is and our FAQ on what an SSL certificate is.
- Issued by a trusted CA - The certificate must be signed by a Certificate Authority that browsers recognize, such as Let's Encrypt, DigiCert, or Sectigo.
- Not expired - Certificates have a maximum validity of 398 days. An expired certificate triggers a browser warning and breaks encrypted connections.
- Hostname matches - The domain you visit must appear in the certificate's Common Name or Subject Alternative Names list.
- Complete certificate chain - Intermediate certificates must be served by the server so browsers can build a trust chain to the root CA.
- Modern protocol - TLS 1.2 or TLS 1.3 should be used. SSLv3 and TLS 1.0/1.1 are deprecated and insecure.
- No mixed content - All resources on a page served over HTTPS must also load over HTTPS, not HTTP.
- HSTS header present - The Strict-Transport-Security header instructs browsers to always use HTTPS for this domain.
Certificate Types
| Type | Validation Level | Best For |
|---|---|---|
| DV | Domain Validated | Blogs, personal sites, APIs - Verifies domain ownership only. |
| OV | Organization Validated | Business websites - Verifies company identity via document checks. |
| EV | Extended Validation | Banks, e-commerce - Strictest vetting with full legal identity verification. |
| Wildcard | Domain + all subdomains | Covers *.example.com - Useful for services with many subdomains. |
| SAN / UCC | Multiple domains | One certificate covering many distinct domain names. |
Frequently Asked Questions
How do I check if an SSL certificate is valid?
Enter the domain above - The tool connects to the server, retrieves the certificate, and verifies the essentials: that it has not expired, that the hostname matches the names on the certificate, that the chain links up to a trusted certificate authority, and which protocol versions are offered. In a browser, clicking the padlock icon shows the same certificate details.
Why is my SSL certificate showing as invalid?
The usual causes are an expired certificate, a hostname mismatch (the certificate covers www.example.com but not example.com), an incomplete chain where the server fails to send intermediate certificates, or a self-signed certificate that no browser trusts. On the visitor side, a wildly wrong system clock can also make perfectly valid certificates appear expired or not yet valid.
How often do SSL certificates need to be renewed?
Publicly trusted certificates have a maximum lifetime of 398 days, so every site must renew at least yearly. Much of the web now uses free 90-day certificates from Let's Encrypt, renewed automatically through the ACME protocol. Whichever you use, automate renewal - The single most common cause of SSL outages is a certificate that nobody remembered to renew.