How to Check a Website's SSL Certificate: Step-by-Step Guide
An SSL certificate is a digital document that verifies a website's identity and encrypts data between the browser and server. Checking an SSL certificate helps ensure the connection is secure, the certificate is valid, and it's properly configured.
Why SSL Certificate Checks Matter
An expired or misconfigured certificate is more than a technical issue:
- Lost visitors — browsers display a "Your connection is not private" warning, and 85% of users leave immediately
- SEO ranking drop — Google uses SSL/TLS verification as a ranking factor
- Data vulnerability — without encryption, passwords, form data, and cookies are sent in plain text
- Payment issues — PCI DSS requires TLS for processing payment data
- Trust loss — users associate the padlock icon with reliability
What to Check in an SSL Certificate
1. Expiration Date
The most common issue is an expired certificate. Even with automatic renewal via Let's Encrypt, things can go wrong: DNS changed, cron broke, disk filled up.
It's recommended to check expiration regularly and set up alerts for 30, 14, and 7 days before expiry. The enterno.io SSL checker shows the exact expiration date and remaining days.
2. Certificate Chain
An SSL certificate only works when the browser can verify the entire chain: your certificate → intermediate CA → root CA. If the intermediate certificate is not installed on the server, some clients (especially mobile) will show an error.
Common chain issues:
- Missing intermediate certificate
- Incorrect certificate order in the file
- Outdated intermediate CA (e.g., revoked IdenTrust for Let's Encrypt)
- Self-signed certificate without adding to trust store
3. Domain Name (Common Name / SAN)
The certificate must be issued for your exact domain. Check that:
- The main domain (example.com) is listed in Subject Alternative Name (SAN)
- The www.example.com subdomain is also covered
- A wildcard certificate (*.example.com) does not cover the bare domain without www
- A multi-domain certificate contains all required domains
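The expiration alert tiers from step 1 and the SAN rules above can be checked together against the dictionary that Python's `ssl.SSLSocket.getpeercert()` returns. This is an added example, not part of the original guide; the function names, the `alert-Nd` labels and the sample certificate data are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

ALERT_DAYS = (7, 14, 30)  # alert tiers from the text, most urgent first

def expiry_status(not_after, now):
    """Classify a notAfter value such as 'Jun  1 12:00:00 2025 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    left = expires - now
    if left.total_seconds() <= 0:
        return "expired"
    return next((f"alert-{d}d" for d in ALERT_DAYS if left.days <= d), "ok")

def san_matches(hostname, pattern):
    """'*' must be the whole left-most label and stands for exactly one label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False  # so *.example.com never covers example.com
    return bool(host[0]) and host[1:] == pat[1:] and pat[0] in ("*", host[0])

def audit(peercert, required_names, now):
    """peercert is the dict returned by ssl.SSLSocket.getpeercert()."""
    sans = [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]
    missing = [n for n in required_names if not any(san_matches(n, s) for s in sans)]
    return {"expiry": expiry_status(peercert["notAfter"], now), "uncovered": missing}

def fetch_peercert(host, port=443):
    """Live lookup; an expired or untrusted certificate raises
    ssl.SSLCertVerificationError during the handshake instead of returning."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample in getpeercert() format; not a real certificate.
SAMPLE = {
    "notAfter": "May 10 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "*.example.com"),),
}
NOW = datetime(2025, 5, 1, tzinfo=timezone.utc)  # fixed clock for a repeatable result
NAMES = ["example.com", "www.example.com", "api.eu.example.com"]

if __name__ == "__main__":
    print(audit(SAMPLE, NAMES, NOW))
```

For a live check, pass `fetch_peercert("example.com")` and `datetime.now(timezone.utc)` to `audit` in place of the sample values.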
4. TLS Protocol and Ciphers
A modern site should support TLS 1.2 and TLS 1.3. Older protocols are insecure:
| Protocol | Status | Action |
|---|---|---|
| SSL 2.0 / 3.0 | Vulnerable (POODLE, DROWN) | Must disable |
| TLS 1.0 | Deprecated (PCI DSS prohibits) | Disable |
| TLS 1.1 | Deprecated | Disable |
| TLS 1.2 | Secure | Support |
| TLS 1.3 | Recommended | Enable when possible |
5. Certificate Type
There are three validation levels:
- DV (Domain Validation) — confirms domain ownership only. Suitable for most websites
- OV (Organization Validation) — confirms the organization. For business websites
- EV (Extended Validation) — extended verification. For financial institutions and e-commerce
Methods for Checking SSL Certificates
Online Tools
The most convenient method is to use the enterno.io SSL checker. Enter the domain name, and the tool will show:
- Certificate expiration date
- Issuer (CA) and validation type
- Certificate chain
- Supported TLS protocols
- Subject Alternative Names
Via Browser
Click the padlock icon in the address bar → "Connection is secure" → "Certificate is valid". You can see basic information here, but not all technical details.
Command Line (OpenSSL)
For deep analysis, use openssl:
```bash
# Show certificate
openssl s_client -connect example.com:443 -servername example.com < /dev/null 2>/dev/null | openssl x509 -text -noout
# Check expiration
openssl s_client -connect example.com:443 -servername example.com < /dev/null 2>/dev/null | openssl x509 -dates -noout
# Check chain
openssl s_client -connect example.com:443 -servername example.com -showcerts < /dev/null
```
Common Issues and Solutions
ERR_CERT_DATE_INVALID
Certificate has expired. Renew it through your hosting panel or manually via certbot:
```bash
sudo certbot renew --force-renewal
```
ERR_CERT_AUTHORITY_INVALID
The browser cannot verify the chain of trust. Make sure intermediate certificates are installed. For nginx, concatenate the files:
```bash
cat certificate.crt intermediate.crt > fullchain.crt
```
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Server and browser cannot agree on a protocol. Update TLS configuration:
```nginx
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
```
NET::ERR_CERT_COMMON_NAME_INVALID
The domain doesn't match the one in the certificate. Reissue the certificate with the correct domain.
Automatic Certificate Renewal
Let's Encrypt issues certificates for 90 days. Set up automatic renewal:
```bash
# Add to crontab
0 3 * * * certbot renew --quiet --post-hook "systemctl reload nginx"
```
Even with auto-renewal, regularly check your certificate via the enterno.io SSL checker — it helps detect issues that certbot doesn't track: outdated ciphers, incomplete chains, and approaching expiration.
SSL Check Checklist
- Certificate is not expired and has more than 14 days remaining
- Certificate chain is complete (intermediate certificates installed)
- Domain matches SAN entries
- TLS 1.2 and/or TLS 1.3 supported
- SSL 3.0 and TLS 1.0/1.1 disabled
- Secure cipher suites are used
- HSTS header is configured
- OCSP Stapling is enabled
- No mixed content on pages
- Auto-renewal is set up and working