Security · 10 min read · February 1, 2024

SSL Certificate Checker: How to Inspect, Validate & Fix SSL Issues

SSL certificates are the foundation of web security, but expired or misconfigured certificates can take your site offline instantly. Learn how to check, validate, and troubleshoot SSL certificates.


What Is an SSL/TLS Certificate?

An SSL/TLS certificate is a digital document that serves two purposes:

  1. Authentication — Proves that a server is who it claims to be
  2. Encryption — Enables encrypted communication between browser and server

When your browser connects to https://example.com, it checks the server's certificate to verify:

  • The certificate was issued by a trusted Certificate Authority (CA)
  • The certificate hasn't expired
  • The certificate's domain matches the site you're visiting
  • The certificate hasn't been revoked

If any check fails, the browser shows a security warning that blocks most users from continuing.

Types of SSL Certificates

Domain Validation (DV)

The CA only verifies you control the domain — no business identity check. Issued in minutes, often free (Let's Encrypt). Shows a padlock but no company name. Suitable for blogs, personal sites, and developer tools.

Organization Validation (OV)

The CA verifies the organization exists and controls the domain. Takes 1–3 days. Shows company name in certificate details. Suitable for business websites.

Extended Validation (EV)

The CA performs rigorous vetting of the organization's legal identity. Shows the company name in older browsers' address bars. Takes 1–2 weeks. Typically used by banks and e-commerce sites.

Wildcard Certificates

Covers a domain and all its subdomains: *.example.com covers www, mail, api, blog (any single-level subdomain). Significantly cheaper than buying separate certificates.

Multi-Domain (SAN) Certificates

Covers multiple specific domains: example.com, example.net, api.example.com. Useful for organizations managing multiple domains.

Reading a Certificate: What Each Field Means

When you check a certificate, you'll see several fields:

Subject: The entity the certificate was issued to. For DV certificates, this is just the domain. For OV/EV, it includes organization details.

```
CN=example.com
O=Example Corporation
C=US
```

Issuer: The Certificate Authority that signed the certificate.

```
CN=R3
O=Let's Encrypt
C=US
```

Valid From / Valid To: The certificate's validity window. Most certificates are issued for 90 days (Let's Encrypt) to 1 year. Browsers reject certificates outside this window.

Subject Alternative Names (SANs): Lists all domains the certificate is valid for. A certificate for example.com might have SANs for www.example.com and api.example.com.

Public Key: The server's public key, used to establish the encrypted session.

Fingerprint: A hash of the entire certificate. Used to uniquely identify a certificate.

Serial Number: A unique identifier assigned by the CA. Used for revocation checking.

Understanding the Certificate Chain

Certificates work in a chain of trust:

```
Root CA Certificate (trusted by browsers/OS)
└── Intermediate CA Certificate
    └── Your Domain Certificate
```

Root CAs — A small set of certificates (~50-150) embedded in browsers and operating systems. Examples: DigiCert, Sectigo, GlobalSign, ISRG (Let's Encrypt's root).

Intermediate CAs — Root CAs don't sign domain certificates directly. They use intermediate certificates to limit exposure if a signing key is compromised.

Domain Certificate — The certificate installed on your server for your specific domain.

Why the chain matters: If your server doesn't send the complete chain (domain + intermediate), some clients will show an error even though the certificate itself is valid. Always configure your server to serve the full chain.

Common SSL Errors and How to Fix Them

ERR_CERT_DATE_INVALID (Expired Certificate)

The certificate's Valid To date has passed.

Fix: Renew the certificate immediately. If you use Let's Encrypt, run `certbot renew`. Set up auto-renewal so this doesn't happen again.

ERR_CERT_COMMON_NAME_INVALID (Domain Mismatch)

The certificate's domain doesn't match the site being visited.

Fix: Check the Subject Alternative Names. Common causes:

  • Certificate issued for example.com but visiting www.example.com (or vice versa)
  • Using a wildcard cert for *.example.com but visiting example.com (wildcards don't cover the root)
  • Wrong certificate installed on the server
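
To make the three causes above concrete, here is an added example (not code from this article or from any browser) that matches a hostname against a certificate's SAN list and names the cause of a mismatch. The function names `san_matches` and `diagnose` and the sample SAN lists are made up for illustration, and the matching is a simplified model: exact names plus a single leftmost wildcard label.

```python
def san_matches(hostname, san):
    """True if one SAN entry covers hostname (exact or single-label wildcard)."""
    host = hostname.lower().rstrip(".")
    pattern = san.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    suffix = pattern[1:]                 # "*.example.com" -> ".example.com"
    if not host.endswith(suffix):
        return False                     # also rejects the bare root domain
    label = host[: -len(suffix)]
    return bool(label) and "." not in label   # exactly one extra label


def diagnose(hostname, sans):
    """Explain why hostname is or is not covered by the SAN list."""
    host = hostname.lower().rstrip(".")
    names = [s.lower().rstrip(".") for s in sans]
    if any(san_matches(host, s) for s in names):
        return "ok"
    bases = [s[2:] for s in names if s.startswith("*.")]
    if host in bases:
        return "mismatch: wildcard does not cover the root domain"
    if any(host.endswith("." + b) for b in bases):
        return "mismatch: wildcard covers only one subdomain level"
    if host.startswith("www.") and host[4:] in names:
        return "mismatch: certificate lacks the www name"
    if "www." + host in names:
        return "mismatch: certificate lacks the bare domain"
    return "mismatch: wrong certificate for this host"


# Constructed SAN lists, one per cause listed above (plus one passing case).
CASES = [
    ("www.example.com", ["example.com"]),
    ("example.com", ["*.example.com"]),
    ("a.b.example.com", ["*.example.com"]),
    ("api.example.com", ["*.example.com", "example.com"]),
    ("shop.example.net", ["example.com", "www.example.com"]),
]

if __name__ == "__main__":
    for host, sans in CASES:
        print(host, sans, "->", diagnose(host, sans))
```

A certificate meant to serve both the root and its subdomains needs both example.com and *.example.com in its SAN list, as the fourth case shows.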

ERR_CERT_AUTHORITY_INVALID (Untrusted CA)

The certificate was signed by a CA not trusted by the browser.

Fix: Use a certificate from a trusted CA. Common causes:

  • Self-signed certificate
  • Let's Encrypt root not yet trusted on older devices
  • Missing intermediate certificate in chain

SSL_ERROR_RX_RECORD_TOO_LONG

Usually indicates the server is returning HTTP on an HTTPS port.

Fix: Ensure your web server is configured to use TLS on port 443, not plain HTTP.

Mixed Content Warnings

Page loads over HTTPS but includes resources (images, scripts, CSS) over HTTP.

Fix: Update all resource URLs to use HTTPS or protocol-relative URLs (//example.com/resource).

SSL Certificate Best Practices

Auto-Renewal

Never rely on renewing certificates manually. Let's Encrypt certificates last 90 days and should be renewed at 60 days. Use certbot with a cron job or systemd timer:

```bash
0 3 * * * certbot renew --quiet --post-hook "systemctl reload nginx"
```

HSTS (HTTP Strict Transport Security)

Tell browsers to always use HTTPS, even if a user types http://. Add this header:

```
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
```

Start with a short max-age to test, then extend to 31536000 (1 year). Once you're confident, submit to the HSTS preload list.

OCSP Stapling

Instead of clients querying the CA to check if a certificate is revoked (slow), the server fetches and caches the CA's response and staples it to the TLS handshake. Faster and more private.

```nginx
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 valid=300s;
```

Certificate Transparency (CT)

All publicly trusted certificates are logged in public CT logs, making it impossible to issue fraudulent certificates without detection. crt.sh lets you search all certificates issued for any domain — use it to detect unauthorized certificate issuance.

TLS Version Support

Disable old TLS versions (TLS 1.0 and 1.1, both deprecated). Support only TLS 1.2 and TLS 1.3:

```nginx
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:...;
```

Setting Up Free SSL with Let's Encrypt

Let's Encrypt is a free, automated, open certificate authority. Here's how to get started:

For Nginx on Ubuntu/Debian:

```bash
# Install Certbot
sudo apt install certbot python3-certbot-nginx

# Get certificate
sudo certbot --nginx -d example.com -d www.example.com

# Test auto-renewal
sudo certbot renew --dry-run
```

For Apache:

```bash
sudo apt install certbot python3-certbot-apache
sudo certbot --apache -d example.com -d www.example.com
```

Let's Encrypt automatically configures your web server to serve the certificate and sets up auto-renewal.

Monitoring SSL Certificate Expiry

An expired SSL certificate takes your site offline for most users instantly. Set up multiple monitoring layers:

  1. Check expiry regularly — Use our SSL Checker to verify the current expiry date
  2. Set calendar reminders — At 30 days before expiry
  3. Configure monitoring alerts — Many monitoring services can alert you when expiry is within 30 days
  4. Verify auto-renewal is working — Don't assume — verify that certbot is actually renewing
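
One way to script the expiry check behind these steps, as an added example rather than code from this article or its SSL Checker tool. The function names, the constructed sample dates and the fixed "now" are illustrative assumptions; the 30-day threshold comes from the list above.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # alert threshold used in the monitoring steps above


def days_remaining(not_after, now):
    """Whole days until a notAfter string in getpeercert() format."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days


def classify(not_after, now, warn_days=WARN_DAYS):
    """Map an expiry date to 'expired', 'renew-now' or 'ok'."""
    days = days_remaining(not_after, now)
    if days < 0:
        return "expired"
    return "renew-now" if days <= warn_days else "ok"


def check_host(host, port=443, timeout=5.0):
    """Fetch the live certificate and classify it (needs network access)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # An already-expired or mismatched certificate fails the handshake,
        # so report the verifier's reason instead of a date.
        return "invalid: " + exc.verify_message
    return classify(not_after, datetime.now(timezone.utc))


# Constructed sample expiry dates, evaluated against a fixed "now".
SAMPLES = {
    "fresh.example": "Apr 20 00:00:00 2024 GMT",
    "due.example": "Mar  1 12:00:00 2024 GMT",
    "lapsed.example": "Jan 15 00:00:00 2024 GMT",
}

if __name__ == "__main__":
    now = datetime(2024, 2, 1, tzinfo=timezone.utc)
    for name, not_after in SAMPLES.items():
        print(name, days_remaining(not_after, now), classify(not_after, now))
```

For a 90-day Let's Encrypt certificate that should renew at 60 days, a "renew-now" result means the renewal job did not run, which is the signal step 4 asks you to verify.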

SSL vs TLS: What's the Difference?

SSL (Secure Sockets Layer) was developed by Netscape in the 1990s. SSL 2.0 and 3.0 are now deprecated due to critical security vulnerabilities (POODLE, DROWN).

TLS (Transport Layer Security) is the modern replacement, developed by the IETF:

  • TLS 1.0 (1999) — deprecated, disable it
  • TLS 1.1 (2006) — deprecated, disable it
  • TLS 1.2 (2008) — still secure, widely used
  • TLS 1.3 (2018) — fastest and most secure, use this

Despite TLS being the actual protocol in use, the term "SSL certificate" persists because the industry adopted it before TLS replaced SSL.
