SSL/TLS Certificate Checker
Inspect HTTPS certificates, verify expiry dates, validate certificate chains, and check HSTS configuration — the SSL checker built for IT admins, MSPs, and security professionals.
What is an SSL/TLS certificate?
An SSL/TLS certificate is a digital credential that enables encrypted communication between a web server and a browser. Despite the name, modern implementations use TLS (Transport Layer Security) — SSL was the predecessor protocol and was deprecated in 2015. The terms are often used interchangeably in everyday conversation, though technically all modern "SSL" connections use TLS.
When a browser connects to a website over HTTPS, the server presents its certificate to prove its identity. The browser verifies the certificate against a list of trusted Certificate Authorities (CAs) built into the operating system or browser. If the certificate is valid, trusted, and matches the hostname, the connection is encrypted and the padlock icon appears.
For MSPs: Certificate expiry is one of the most preventable causes of website downtime and client embarrassment. A single expired certificate can take a business offline across every browser — with no graceful degradation. Monthly certificate audits are standard practice for any MSP managing client infrastructure.
SSL vs TLS — what is the difference?
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are both cryptographic protocols that secure communications over a network. SSL was the original protocol, developed by Netscape in the 1990s. TLS is the successor, with TLS 1.0 released in 1999.
| Version | Year | Status | Notes |
|---|---|---|---|
| SSL 2.0 | 1995 | Prohibited | Fundamentally broken, must not be used |
| SSL 3.0 | 1996 | Prohibited | POODLE attack (2014) killed it |
| TLS 1.0 | 1999 | Deprecated | BEAST attack, disabled by browsers since 2020 |
| TLS 1.1 | 2006 | Deprecated | Removed from major browsers in 2020 |
| TLS 1.2 | 2008 | Supported | Still widely used, secure when configured correctly |
| TLS 1.3 | 2018 | Current | Faster, more secure, removes legacy algorithms |
Servers should be configured to support TLS 1.2 at minimum, with TLS 1.3 preferred. TLS 1.0 and 1.1 should be explicitly disabled: PCI DSS requires it, and all major browsers have dropped support for them.
Certificate Authorities and the trust chain
A Certificate Authority (CA) is an organization that issues digital certificates and is trusted by browsers and operating systems. The trust model works as a hierarchy: root CAs (whose certificates are pre-installed in browsers) delegate trust to intermediate CAs, which issue leaf certificates to websites.
Major Certificate Authorities
- Let's Encrypt — Free, automated 90-day DV certificates. Used by over 300 million domains. Ideal for most websites.
- DigiCert — Enterprise CA offering DV, OV, and EV certificates with strong support.
- Sectigo (formerly Comodo) — High-volume CA with affordable OV and EV options.
- GlobalSign — Widely used in enterprise environments and IoT.
- Cloudflare — Managed certificates through Cloudflare's CDN, automatically renewed.
- AWS Certificate Manager — Free managed certificates for AWS resources.
Certificate types explained
- DV (Domain Validated) — Verifies control of the domain only. Issued in minutes. Let's Encrypt is DV. Browser padlock appears but no organization name in the cert.
- OV (Organization Validated) — Verifies the organization's legal existence. Organization name appears in the certificate details. Takes 1–3 days.
- EV (Extended Validation) — Most rigorous vetting, including physical address and legal verification. Historically showed a green bar in browsers (no longer displayed by most).
- Wildcard — Covers all subdomains at one level (*.example.com covers sub.example.com but not a.b.example.com).
- SAN/Multi-domain — Covers multiple hostnames in a single certificate via Subject Alternative Names.
What is HSTS and why does it matter?
HSTS (HTTP Strict Transport Security) is a web security policy that instructs browsers to only communicate with your site over HTTPS — never plain HTTP. Once a browser receives the HSTS header, it enforces HTTPS for the duration of the max-age value, even if the user types http:// or clicks an HTTP link.
Without HSTS, a man-in-the-middle attacker could intercept the initial HTTP request and downgrade the connection to plain HTTP before the HTTPS redirect — known as an SSL stripping attack. HSTS eliminates this window of vulnerability.
HSTS directives
- max-age — How long (in seconds) the browser should enforce HTTPS. Minimum recommended: 6 months (15552000). Ideal: 1 year (31536000).
- includeSubDomains — Extends HSTS protection to all subdomains. Required for HSTS preloading.
- preload — Requests inclusion in browsers' built-in HSTS preload list. Browsers never make an HTTP request to your domain, even the first time.
HSTS best practice configuration
Recommended HSTS header:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Before adding preload, ensure all subdomains serve HTTPS. Visit hstspreload.org to submit your domain to the browser preload list.
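As an added example (not code from this page's tool), the Python function below parses a Strict-Transport-Security header value and grades it against the thresholds given in this section and in the HSTS FAQ answer: the 6-month minimum, the 1-year ideal, and the preload requirements (includeSubDomains plus a 1-year max-age). The header strings are constructed samples.

```python
from dataclasses import dataclass, field
from typing import List, Optional

SIX_MONTHS = 15552000   # minimum recommended max-age
ONE_YEAR = 31536000     # ideal max-age; also the preload-list minimum

@dataclass
class HstsReport:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    findings: List[str] = field(default_factory=list)

def parse_hsts(header: Optional[str]) -> HstsReport:
    """Parse a Strict-Transport-Security value (RFC 6797 directive syntax:
    name[=value] pairs separated by ';', names case-insensitive) and grade it."""
    if header is None:
        return HstsReport(False, findings=["No HSTS header: first HTTP request is exposed to SSL stripping"])
    report = HstsReport(True)
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if value.isdigit():
                report.max_age = int(value)
            else:
                report.findings.append("max-age is not a non-negative integer; browsers ignore the header")
        elif name == "includesubdomains":
            report.include_subdomains = True
        elif name == "preload":
            report.preload = True
    if report.max_age is None:
        if not any("max-age" in f for f in report.findings):
            report.findings.append("max-age missing: the header is invalid and ignored")
    elif report.max_age == 0:
        report.findings.append("max-age=0 clears HSTS state instead of enforcing HTTPS")
    elif report.max_age < SIX_MONTHS:
        report.findings.append(f"max-age {report.max_age} is below the 6-month minimum ({SIX_MONTHS})")
    elif report.max_age < ONE_YEAR:
        report.findings.append(f"max-age {report.max_age} meets the minimum; 1 year ({ONE_YEAR}) is ideal")
    if report.preload and not report.include_subdomains:
        report.findings.append("preload requires includeSubDomains")
    if report.preload and report.max_age is not None and report.max_age < ONE_YEAR:
        report.findings.append("preload requires max-age of at least 1 year")
    return report

if __name__ == "__main__":
    # Constructed sample headers: the recommended one and a weak one.
    for sample in ("max-age=31536000; includeSubDomains; preload", "max-age=300"):
        print(sample, "->", parse_hsts(sample).findings or ["OK"])
```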
Why SSL certificates expire — and what happens when they do
SSL certificates have expiry dates for security reasons. Shorter validity periods reduce the window of exposure if a certificate's private key is ever compromised. Since 2020, browsers no longer trust certificates with validity longer than 398 days (approximately 13 months), and the industry is moving toward 90-day certificates as the standard.
What happens when a certificate expires: All major browsers — Chrome, Firefox, Safari, and Edge — display a full-screen security warning blocking access to the site. The page is not accessible without the user explicitly bypassing the warning (which most users will not do). Email clients, APIs, and mobile apps that connect to expired-certificate endpoints may also fail silently.
MSP renewal checklist
- Audit all client certificates at least monthly.
- Set alerts at 60, 30, and 14 days before expiry.
- Use Let's Encrypt with auto-renewal (certbot, acme.sh) where possible.
- For cloud-hosted sites: use Cloudflare or AWS Certificate Manager for zero-maintenance managed certs.
- Document the renewal process for each client — who does it, how, and with what credentials.
- After renewal: verify the new cert is deployed correctly using this tool.
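An added example, not code from the tool described here: given a certificate in the dictionary form Python's ssl.getpeercert() returns, this computes the days remaining, maps them onto the checklist's 60/30/14-day alert tiers, and flags validity periods over the 398-day browser limit mentioned earlier. The certificate dates are constructed samples.

```python
import ssl
import time
from typing import Dict, Optional

ALERT_DAYS = (60, 30, 14)   # alert thresholds from the renewal checklist
MAX_VALIDITY_DAYS = 398     # browsers reject leaf certificates valid for longer

def _to_epoch(cert_time: str) -> float:
    # notBefore/notAfter in getpeercert() output look like "Jun  1 12:00:00 2025 GMT"
    return ssl.cert_time_to_seconds(cert_time)

def days_remaining(cert: Dict, now: Optional[float] = None) -> int:
    """Whole days until notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return int((_to_epoch(cert["notAfter"]) - now) // 86400)

def expiry_status(cert: Dict, now: Optional[float] = None) -> str:
    """Map days remaining onto the checklist's alert tiers.
    The tightest crossed threshold is reported, so a 12-day cert says 14, not 60."""
    days = days_remaining(cert, now)
    if days < 0:
        return "Critical: expired"
    crossed = [d for d in ALERT_DAYS if days <= d]
    if crossed:
        return f"Alert: {min(crossed)}-day threshold crossed ({days} days left)"
    return f"OK ({days} days left)"

def validity_period_ok(cert: Dict) -> bool:
    """False if notBefore..notAfter exceeds the 398-day limit browsers enforce."""
    span = _to_epoch(cert["notAfter"]) - _to_epoch(cert["notBefore"])
    return span / 86400 <= MAX_VALIDITY_DAYS

# Constructed sample certificates in getpeercert() shape (only the fields used here).
LETSENCRYPT_STYLE = {"notBefore": "Mar  3 12:00:00 2025 GMT",
                     "notAfter":  "Jun  1 12:00:00 2025 GMT"}   # 90-day validity
OVERLONG = {"notBefore": "Jan  1 12:00:00 2024 GMT",
            "notAfter":  "Jun  1 12:00:00 2025 GMT"}            # 517-day validity

if __name__ == "__main__":
    # In production `cert` would come from
    # ssl.create_default_context().wrap_socket(sock, server_hostname=host).getpeercert()
    audit_time = _to_epoch("Apr 10 12:00:00 2025 GMT")
    print(expiry_status(LETSENCRYPT_STYLE, audit_time))   # Alert: 60-day threshold crossed (52 days left)
    print(validity_period_ok(OVERLONG))                    # False
```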
Automated renewal options
- Let's Encrypt + certbot — Free, runs via cron, handles Apache and Nginx automatically.
- Cloudflare Managed SSL — Zero config, renews automatically as part of Cloudflare's proxy.
- AWS Certificate Manager — Free managed certificates for AWS load balancers and CloudFront.
- Azure App Service Certificates — Managed certificates with auto-renewal for App Service apps.
- Google-managed SSL — Automatic renewal for Google Cloud Load Balancing.
Frequently asked questions
How do I check an SSL certificate?
Enter the domain name or hostname in the field above and click "Check Certificate". The tool connects directly to the server, performs a TLS handshake, and retrieves the certificate chain. Results include expiry date, issuer, Subject Alternative Names, TLS version, HSTS status, and a security score with recommendations.
How do I know if a certificate is expired?
The tool shows the exact expiry date with a days-remaining countdown. If expired, you'll see a red "Expired" status badge and a Critical finding. Expired certificates cause browser security warnings that block users — they must be renewed immediately. Even a few hours of downtime from an expired cert can significantly damage user trust.
What is TLS 1.3 and why should I use it?
TLS 1.3 is the latest version of the TLS protocol. It is faster than TLS 1.2 (requires one fewer round trip) and more secure — it removes outdated cipher suites and key exchange algorithms vulnerable to downgrade attacks. TLS 1.3 is supported by all modern browsers and major web servers (Apache, Nginx, IIS, Cloudflare). If your server only supports TLS 1.2, it still works, but enabling TLS 1.3 improves performance and security.
What is HSTS and how do I enable it?
HSTS tells browsers to always use HTTPS for your domain, protecting against SSL stripping attacks. Enable it by adding this header to your web server or CDN:
Strict-Transport-Security: max-age=31536000; includeSubDomains
In Nginx:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
In Apache:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Cloudflare enables HSTS through Security > Edge Certificates > HTTP Strict Transport Security.
What does self-signed mean and why is it a problem?
A self-signed certificate is signed by the same entity that owns it — not by a trusted Certificate Authority. Self-signed certificates are mathematically valid but browsers have no way to verify their authenticity, since they're not in any trust chain. Browsers show a "Your connection is not private" or "Warning: Potential Security Risk" error. Self-signed certificates are fine for internal development and lab environments, but must never be used on public-facing services. Let's Encrypt provides free, browser-trusted certificates as an alternative.
What is a wildcard certificate?
A wildcard certificate covers all subdomains at one level using an asterisk. For example, *.example.com covers mail.example.com, www.example.com, and api.example.com, but NOT a.b.example.com. Wildcard certificates are convenient for organizations running many subdomains but carry a risk: if the private key is compromised, all covered subdomains are at risk. A separate wildcard cert per product line or security zone is good practice for high-risk environments.
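An added example, not part of the original page: hostname matching against Subject Alternative Names using the wildcard rule described here and in the certificate types list (the wildcard stands for exactly one label and is only accepted as the entire left-most label). The certificate dictionaries are constructed in the shape ssl.getpeercert() returns.

```python
from typing import Dict

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName (possibly a wildcard) against a hostname the way
    browsers do: case-insensitive, the wildcard must be the entire left-most
    label, and it stands for exactly one label (never zero, never several)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False                     # rejects "f*.example.com", "*.*.example.com"
    if len(p_labels) < 3:
        return False                     # "*" and "*.com" are never acceptable
    if len(p_labels) != len(h_labels):
        return False                     # *.example.com vs a.b.example.com or example.com
    return p_labels[1:] == h_labels[1:]

def cert_matches_hostname(cert: Dict, hostname: str) -> bool:
    """`cert` is in ssl.getpeercert() shape: 'subjectAltName' is a tuple of
    (type, value) pairs. Like browsers, only DNS SAN entries are consulted;
    a commonName in the subject does not count."""
    dns_names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    return any(dns_name_matches(n, hostname) for n in dns_names)

# Constructed sample: a wildcard certificate that also lists the bare domain.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}

if __name__ == "__main__":
    for host in ("mail.example.com", "example.com", "a.b.example.com"):
        print(host, "->", cert_matches_hostname(WILDCARD_CERT, host))
    # mail.example.com -> True, example.com -> True, a.b.example.com -> False
```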
What is the difference between DV, OV, and EV certificates?
DV (Domain Validated) certs verify only that you control the domain. They're issued in minutes and are free from Let's Encrypt. OV (Organization Validated) certs verify the company's legal existence — good for business sites where credibility matters. EV (Extended Validation) certs require rigorous vetting including legal, operational, and physical verification. For most websites, DV is sufficient and free. Financial institutions and regulated industries often require OV or EV. Note: modern browsers no longer display a prominent visual difference between DV, OV, and EV — the extended validation "green bar" was removed from Chrome in 2019 and Firefox in 2020.
How often should I renew SSL certificates?
Let's Encrypt certificates expire after 90 days and should be renewed automatically every 60 days using certbot or acme.sh. Commercially purchased certificates expire after 1 year (13 months maximum is enforced by browsers). Best practice: set up automated renewal, then monitor with alerts at 60, 30, and 14 days before expiry as a backup. This tool can be used to verify certificates across all your client domains on a regular schedule.