Try the SSL Checker

SSL Checker — Verify Certificate Validity, Expiry & Chain Instantly

By sadiqbd · June 6, 2026

SSL Checker — Verify Certificate Validity, Expiry & Chain Instantly

An expired or misconfigured SSL certificate takes your site down instantly

The browser padlock. HTTPS. The warning page that stops users cold — "Your connection is not private." SSL/TLS certificates are so deeply embedded in how the web works that most people only notice them when something goes wrong. And when they go wrong, the consequences are immediate: users can't access the site, Google marks it as unsafe, and email clients may reject connections.

An SSL checker inspects a domain's certificate and tells you whether it's valid, who issued it, when it expires, and whether the chain is complete.

What an SSL Certificate Does

An SSL/TLS certificate serves two purposes:

  1. Encryption — establishes an encrypted channel between the browser and server, preventing eavesdropping on transmitted data (passwords, payment information, personal data)

  2. Identity verification — confirms the website is actually controlled by the entity the certificate says it is (for DV certificates: confirms domain control; for OV/EV: confirms organisation identity)

When a browser connects to an HTTPS site:

  1. The server presents its certificate
  2. The browser checks it's issued by a trusted Certificate Authority (CA)
  3. It verifies the certificate is valid, not expired, and matches the domain
  4. It verifies the certificate chain from leaf → intermediate → root CA
  5. If all checks pass, a secure connection is established

Any failure in this chain produces a browser security warning.

Certificate Types

DV (Domain Validation): The CA only verifies domain control — the applicant proves they control the domain (via DNS record, email, or file). Fastest to issue (minutes to hours). No business verification. The most common type — used by Let's Encrypt, and most standard web hosting.

OV (Organization Validation): The CA verifies both domain control and the organisation's legal existence. Takes 1–3 days. Browser shows no additional visual indicator over DV, but the organisation details are in the certificate.

EV (Extended Validation): The most rigorous identity verification — organisation, jurisdiction, and legal existence all verified. Historically showed green bar in browsers (now deprecated in most browsers). Mainly used by financial institutions and high-security sites.

Wildcard certificates: Cover a domain and all subdomains at one level: *.example.com covers www.example.com, app.example.com, mail.example.com, but not sub.app.example.com.

Multi-domain (SAN) certificates: Cover multiple distinct domains: example.com, example.net, otherdomain.com — all in one certificate.

How to Use the SSL Checker on sadiqbd.com

  1. Enter the domain — e.g. example.com or subdomain.example.com
  2. Run the check — the tool connects to the server and inspects the certificate
  3. Read the results:
    • Valid / Invalid — is the certificate trusted?
    • Issued to — which domain(s) are covered?
    • Issued by — which Certificate Authority?
    • Valid from / Valid until — certificate lifespan and expiry date
    • Days until expiry — time remaining
    • Certificate chain — is the full chain served correctly?
    • Protocol/cipher — TLS version and cipher suite in use

What to Look For in SSL Checker Results

Expiry date

The most important item. A certificate that expired even one second ago produces a browser warning for all visitors. Check:

  • More than 30 days remaining: fine
  • 7–30 days remaining: set up renewal urgently
  • Under 7 days: emergency — renew immediately
  • Expired: site is showing security warnings to all users

Certificate matches the domain

The "issued to" field must match the domain being checked. A certificate for www.example.com won't cover example.com unless it explicitly includes both as Subject Alternative Names (SANs). A mismatch produces a browser warning.

Chain completeness

The certificate chain runs from your leaf certificate → intermediate CA → root CA. If the server only serves the leaf certificate without the intermediates, some clients (particularly mobile devices and non-browser clients) can't verify the chain and refuse to connect. The checker reveals if intermediates are missing.

TLS version

TLS 1.0 and 1.1 are deprecated and insecure — browsers block them. Servers should use TLS 1.2 (minimum) and TLS 1.3 (preferred). The checker shows which protocol version is negotiated.

Real-World Examples

Diagnosing a browser security warning

Users report a "Your connection is not private" warning. SSL checker results:

Certificate expired 3 days ago.

The auto-renewal process failed (common with Let's Encrypt — the renewal cron job stopped working, or the server's renewal script encountered an error). Solution: manually run certificate renewal (certbot renew --force-renewal) and restart the web server.

Verifying a new certificate installation

After installing a new wildcard certificate, check:

  • Issued to: *.example.com
  • Valid until: 1 year from now ✓
  • Chain: Complete (root → intermediate → leaf) ✓
  • TLS version: TLS 1.3 ✓

Everything is correctly installed.

Detecting an expired root on a subdomain

The main domain checks out but a recently added subdomain shows a warning. SSL checker:

Certificate not trusted — missing intermediate certificate.

The server was configured with only the leaf certificate, not the full chain. Add the intermediate CA certificate to the server's certificate file.

Pre-launch certificate check

Before going live with a new domain, run the SSL checker to verify the certificate is correctly installed before announcing the launch.

Let's Encrypt and Certificate Automation

Let's Encrypt is a free, automated CA that has dramatically increased HTTPS adoption. Key characteristics:

  • Free — no cost for DV certificates
  • 90-day validity — shorter than traditional certificates, requiring automated renewal
  • Automated — tools like Certbot handle installation and auto-renewal via cron jobs
  • Widely trusted — included in all major browser and OS trust stores

The 90-day expiry means Let's Encrypt certificates are almost always set up with auto-renewal. When it works, you never think about certificate renewal. When the renewal script breaks (server reboot changed cron, file permissions issue, domain validation failure), the certificate expires and users see warnings. The SSL checker's "days remaining" field catches this before users do.

Tips for SSL Certificate Management

Monitor expiry dates proactively. Set up monitoring that alerts you when a certificate has fewer than 30 days remaining. Tools like UptimeRobot, Healthchecks.io, or your server monitoring solution can do this automatically.

Test after every certificate update. After any certificate installation or renewal, run the SSL checker to confirm the chain is complete and the new certificate is being served correctly.

Use the SSL checker for third-party dependencies. Your own certificate may be fine, but if you embed third-party scripts or APIs with expired certificates, your users may still see mixed-content warnings or errors.

Wildcard vs. multi-domain vs. individual. Wildcards cover unlimited subdomains at one level — convenient for dynamic environments. Multi-domain certificates are better when covering a known list of specific domains. Individual certificates are simplest for single-domain deployments.

Frequently Asked Questions

What causes "certificate not trusted" errors? The most common causes: certificate expired, certificate issued by a CA not in the browser's trust store, certificate doesn't match the domain, intermediate certificates missing from the chain, or certificate issued with SHA-1 signature (now insecure).

Can I check SSL certificates for internal/private domains? The SSL checker needs to reach the domain over the public internet. Internal domains (e.g. app.internal) aren't reachable publicly. Use browser developer tools or openssl s_client -connect for internal certificate checks.

What is HSTS and how does it relate to SSL? HTTP Strict Transport Security (HSTS) instructs browsers to only connect via HTTPS and refuse HTTP connections for a specified period. It's a separate HTTP header that complements SSL but requires SSL to be properly configured first.

Is a free Let's Encrypt certificate as secure as a paid certificate? For DV certificates, yes — the encryption strength is identical. Let's Encrypt and paid DV certificates use the same TLS encryption. Paid OV/EV certificates provide additional identity verification, but encryption quality is the same.

Is the SSL checker free? Yes — completely free, no sign-up required.

SSL certificate issues are silent until they're very loud — one day everything is fine, the next day your site is showing security warnings to every visitor. The checker takes 10 seconds and gives you the full picture.

Try the SSL Checker free at sadiqbd.com — verify any domain's certificate, expiry, and chain status instantly.

Try the related tool:
Open tool