SSL Certificate Checker

SSL/TLS certificates serve two purposes: encrypting data in transit between a browser and server, and verifying the server's identity. When you see the padlock icon in your browser, it means the connection uses TLS (Transport Layer Security — the modern successor to SSL) to encrypt all data exchanged. Without it, anyone on the same network (coffee shop WiFi, corporate network, ISP) can read transmitted data in plaintext — including passwords, credit card numbers, and personal information. Certificates contain the domain name, the certificate authority (CA) that issued it, the public key, validity dates, and a digital signature. Domain Validation (DV) certificates verify only domain ownership and are available free from Let's Encrypt — they are sufficient for most websites. Organization Validation (OV) and Extended Validation (EV) certificates additionally verify the organization's legal identity. Certificate chains link your certificate to a trusted root CA through intermediate certificates. This checker validates the entire chain, expiration dates, and configuration. It makes a network request to check the live certificate — no user data is transmitted.

The most frequent SSL problems are expired certificates, mismatched domain names, incomplete certificate chains, and outdated protocols. An expired certificate causes browsers to display a full-page warning that blocks most visitors — Let's Encrypt certificates expire every 90 days, so automated renewal (via certbot or your hosting provider) is essential. A domain mismatch occurs when the certificate is issued for www.example.com but the site is accessed at example.com (or vice versa) — SAN (Subject Alternative Name) certificates should cover both. Incomplete chains happen when your server sends the leaf certificate but not the intermediate certificate, causing validation failures on some devices. Protocol issues include still supporting TLS 1.0 or 1.1 (deprecated since 2020) or using weak cipher suites. Modern best practice is TLS 1.2 minimum with TLS 1.3 preferred. HSTS (HTTP Strict Transport Security) headers tell browsers to always use HTTPS, preventing downgrade attacks. The recommended HSTS header is max-age=31536000 (1 year) with includeSubDomains. This checker flags all these issues and provides specific remediation steps.