How to Check SSL Certificate and Never Miss Expiration
The browser shows a padlock in the address bar — and most website owners assume everything is fine with SSL. Until a hosting notification arrives saying the certificate expired three days ago, and visitors are seeing the dreaded "Your connection is not private" warning. Traffic drops, trust erodes, and search engines register a reliability signal.
What Is an SSL/TLS Certificate
An SSL certificate (technically TLS, but the term "SSL" stuck) is a digital document proving a server is genuinely who it claims to be. It contains a public encryption key and enables an encrypted connection between the browser and the server. Without it, data is transmitted in plain text, so an ISP, a public Wi-Fi network, or a corporate proxy can read or tamper with traffic.
What a Certificate Contains
- Subject — the domain or organization the certificate was issued to
- Issuer — the Certificate Authority (CA) that signed it
- Validity period — Not Before and Not After dates
- SAN (Subject Alternative Names) — list of covered domains
- Signature algorithm — RSA or ECDSA; SHA-256 hash (SHA-1 is insecure)
- Fingerprint — unique hash for identification
The Chain of Trust
A browser trusts a certificate because it is signed by an organization the browser already trusts — a Certificate Authority. CAs form a hierarchy:
- Root CA — DigiCert, Let's Encrypt, Sectigo. Their certificates are embedded in operating systems and browsers.
- Intermediate CA — signed by the Root CA. This signs end-entity certificates.
- Leaf certificate — your website's certificate, signed by the Intermediate CA.
If the intermediate certificate is not installed on the server, the browser receives an incomplete chain and shows an error — even if the certificate itself is valid. This is one of the most common SSL misconfigurations.
Types of SSL Certificates
By Validation Level
- DV (Domain Validation) — confirms domain ownership only. Issued automatically in minutes. Used by Let's Encrypt, ZeroSSL.
- OV (Organization Validation) — CA verifies the organization's existence. Suited for corporate sites.
- EV (Extended Validation) — maximum verification: legal entity, physical address.
By Domain Coverage
- Single-domain — one domain only
- Wildcard (*.example.com) — all first-level subdomains
- Multi-domain (SAN) — multiple different domains
The current maximum validity is 13 months (397 days). Let's Encrypt issues for 90 days, incentivizing automated renewal.
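The coverage rules above decide whether a hostname gets a valid certificate or a name-mismatch error. The following is an added example, not part of the original article: it checks a list of hostnames against the SAN entries of a certificate in the form Python's ssl.getpeercert() returns. The sample certificate, the hostnames and all function names are constructed for illustration.

```python
def dns_names(cert):
    """DNS entries from the dict returned by ssl.SSLSocket.getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _labels(name):
    # Hostnames compare case-insensitively; a trailing dot is ignored.
    return name.rstrip(".").lower().split(".")


def san_matches(hostname, pattern):
    """True if one SAN entry covers hostname."""
    host, pat = _labels(hostname), _labels(pattern)
    if len(host) != len(pat):
        return False  # "*" stands for exactly one label, never zero or two
    if pat[0] == "*":
        # Conservative choice made in this example: the wildcard must be
        # followed by at least two fixed labels, so "*.com" covers nothing.
        return len(pat) >= 3 and host[0] != "" and host[1:] == pat[1:]
    return host == pat  # partial wildcards such as "w*.example.com" never match


def uncovered(hostnames, cert):
    """Hostnames that no SAN entry covers (these would fail name validation)."""
    sans = dns_names(cert)
    return [h for h in hostnames if not any(san_matches(h, p) for p in sans)]


# Constructed sample in getpeercert() form, not taken from a real certificate.
SAMPLE_CERT = {"subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com"))}
SITES = ["example.com", "www.example.com", "API.example.com.",
         "v2.api.example.com", "example.org"]

if __name__ == "__main__":
    print(uncovered(SITES, SAMPLE_CERT))
```

The wildcard entry does not cover the bare domain, which is why the sample certificate lists example.com separately.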
How to Check SSL Certificate Manually
Via Browser
Click the padlock in the address bar. In Chrome: padlock → "Connection is secure" → "Certificate is valid". Shows who it was issued to, who signed it, validity period, and encryption algorithm. Drawback: does not warn about approaching expiration.
Via OpenSSL
- openssl s_client -connect example.com:443 -servername example.com — full TLS handshake and certificate chain
- openssl s_client -connect example.com:443 < /dev/null | openssl x509 -noout -dates — validity dates only
- openssl s_client -connect example.com:443 < /dev/null | openssl x509 -noout -text | grep -A1 "Subject Alternative" — SAN domain list
Via curl
- curl -vI https://example.com 2>&1 | grep -E "expire|issuer|subject" — expiration date and issuer
- curl --cert-status https://example.com — OCSP revocation status
How to Check SSL Certificate Online
Check an SSL certificate with Enterno.io to get, within seconds: complete certificate details, expiration date and days remaining, full trust chain, SAN domain list, supported TLS protocols, and a warning if the certificate expires within 14 days.
Common SSL Errors
- NET::ERR_CERT_DATE_INVALID — certificate expired or server clock is wrong
- NET::ERR_CERT_COMMON_NAME_INVALID — domain does not match CN/SAN
- NET::ERR_CERT_AUTHORITY_INVALID — incomplete certificate chain
- ERR_SSL_PROTOCOL_ERROR — incompatible TLS versions (server only supports TLS 1.0/1.1)
- Mixed Content — some resources load over HTTP
Why Certificates Expire Unexpectedly
Technically, the expiration date is known in advance. In practice:
- Auto-renewal broke silently — certbot ran for years, then an nginx config change broke the domain challenge
- The responsible person changed — reminders go to a former colleague's email
- Certificate purchased through hosting panel — no auto-renewal, notifications go to a control panel nobody checks
- Multiple subdomains — the main domain auto-renews, but the API documentation subdomain of example.com does not
SSL certificate expiration consistently ranks in the top 5 causes of unplanned outages. Ericsson, Microsoft, and Spotify have all made headlines because of expired certificates.
SSL Certificate Monitoring
Set up SSL monitoring in Enterno.io: add a domain, select SSL check type, configure notifications (email, Telegram, Slack, webhook). Receive warnings 14 days before expiration and critical alerts 3 days before.
Monitoring tracks not only the expiration date but also chain correctness, CA changes, and fingerprint changes — the last one matters for detecting unauthorized certificate replacement.
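The checks described above (the 14-day and 3-day expiration thresholds and the fingerprint comparison) can be sketched with the Python standard library. This is an added example, not Enterno.io's code and not part of the original article; the function names and the idea of storing a baseline fingerprint per host are assumptions of the example.

```python
import hashlib
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 14     # warning threshold named on the page
CRITICAL_DAYS = 3  # critical threshold named on the page


def classify_expiry(not_after, now=None):
    """Return (days_left, level) for a notAfter string from getpeercert()."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    seconds_left = (expires - now).total_seconds()
    days_left = int(seconds_left // 86400)
    if seconds_left <= 0:
        return days_left, "expired"
    if days_left <= CRITICAL_DAYS:
        return days_left, "critical"
    if days_left <= WARN_DAYS:
        return days_left, "warning"
    return days_left, "ok"


def evaluate(not_after, fingerprint, baseline_fp=None, now=None):
    """Turn one observation into a list of alert strings (empty = healthy)."""
    alerts = []
    days_left, level = classify_expiry(not_after, now)
    if level != "ok":
        alerts.append(f"{level}: {days_left} day(s) until notAfter")
    # A renewal also changes the fingerprint, so update the baseline after
    # every planned renewal; any other change needs investigating.
    if baseline_fp and fingerprint.lower() != baseline_fp.lower():
        alerts.append("critical: fingerprint differs from recorded baseline")
    return alerts


def probe(host, baseline_fp=None, port=443, timeout=5):
    """Live check (needs network): verified handshake, then evaluate()."""
    ctx = ssl.create_default_context()  # validates chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
                der = tls.getpeercert(binary_form=True)
    except ssl.SSLCertVerificationError as exc:
        # Expired certificate, incomplete chain and name mismatch land here.
        return [f"critical: verification failed: {exc.verify_message}"]
    return evaluate(not_after, hashlib.sha256(der).hexdigest(), baseline_fp)
```

Run probe() from a scheduler for every hostname you serve, including subdomains, and route any non-empty result to your alert channel.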
Additional Hardening
- Certbot: verify systemctl status certbot.timer. Set up --deploy-hook to reload nginx after renewal.
- HSTS: enable Strict-Transport-Security: max-age=31536000; includeSubDomains
- OCSP Stapling: speeds up revocation checks
- CAA record: limits which CAs can issue certificates for your domain
SSL Certificate Checklist
- Certificate is valid
- Domain matches CN or is listed in SAN
- Chain is complete: leaf + intermediate + root
- Signature algorithm: SHA-256 or stronger
- Protocols: TLS 1.2 and TLS 1.3, TLS 1.0/1.1 disabled
- No mixed content
- HSTS header is set
- Automated monitoring configured with 14+ day advance warnings
Conclusion
An SSL certificate is an ongoing responsibility, not a one-time setup. You need to check SSL certificate status regularly. The browser, OpenSSL, curl, and the online checker give you an instant snapshot. But only automated monitoring guarantees you will know about a problem before your users do.