SSL Certificate Check
Inspect the SSL/TLS certificate for any hostname. Verify that the certificate is valid, check the expiry date, review which domains are covered by the certificate (SANs), and confirm the issuing Certificate Authority.
What Makes a Certificate Trustworthy?
A valid SSL/TLS certificate ensures your connection is encrypted and that you are talking to the right server. Here is what to look for:
- Issued by a trusted CA - The certificate must be signed by a Certificate Authority that browsers recognize, such as Let's Encrypt, DigiCert, or Sectigo.
- Not expired - Certificates have a maximum validity of 398 days. An expired certificate triggers a browser warning and breaks encrypted connections.
- Hostname matches - The domain you visit must appear in the certificate's Common Name or Subject Alternative Names list.
- Complete certificate chain - Intermediate certificates must be served by the server so browsers can build a trust chain to the root CA.
- Modern protocol - TLS 1.2 or TLS 1.3 should be used. SSLv3 and TLS 1.0/1.1 are deprecated and insecure.
- No mixed content - All resources on a page served over HTTPS must also load over HTTPS, not HTTP.
- HSTS header present - The Strict-Transport-Security header instructs browsers to always use HTTPS for this domain.
Certificate Types
| Type | Validation Level | Best For |
|---|---|---|
| DV | Domain Validated | Blogs, personal sites, APIs - Verifies domain ownership only. |
| OV | Organization Validated | Business websites - Verifies company identity via document checks. |
| EV | Extended Validation | Banks, e-commerce - Strictest vetting with full legal identity verification. |
| Wildcard | Domain + all subdomains | Covers *.example.com - Useful for services with many subdomains. |
| SAN / UCC | Multiple domains | One certificate covering many distinct domain names. |