PublicSoftTools
Tools16 min read·PublicSoftTools Team·May 2026

SSL Checker — Check SSL Certificate Status

An SSL certificate (technically a TLS certificate) tells visitors their connection to your website is encrypted and that your domain has been verified. Expired, misconfigured, or untrusted SSL certificates cause browser security warnings that block users — and modern search engines factor HTTPS in rankings. The free SSL checker on PublicSoftTools verifies any domain's certificate status, expiry date, issuer, and chain validity.

How to Check an SSL Certificate

  1. Open the SSL checker.
  2. Enter the domain you want to check (e.g., example.com or www.example.com).
  3. Click Check SSL. The tool connects to the server and retrieves the certificate.
  4. Results show: expiry date (with days remaining), issuer, validity status, certificate chain, supported TLS versions, and any issues detected.
  5. A green status means the certificate is valid and trusted. Yellow means warnings (expiring soon, intermediate chain issues). Red means expired, untrusted, or mismatched.

SSL Certificate Fields Explained

Certificate fieldWhat it containsExampleWhy it matters
Subject / Common Name (CN)The domain name the certificate is issued forwww.example.comMust match the hostname you are accessing. Mismatch causes browser security error.
Subject Alternative Names (SAN)Additional domains covered by the same certificateexample.com, www.example.com, api.example.comModern certificates use SANs for multi-domain coverage. Browser validates against SAN list.
Issued by (Issuer)Certificate Authority that signed the certificateLet's Encrypt, DigiCert, GlobalSign, SectigoMust be a trusted CA. Browser/OS has a built-in trust store of accepted CAs.
Valid from / Not beforeStart date of certificate validity period2026-01-01Certificates presented before this date are invalid. Check server clock synchronisation.
Valid to / Not afterExpiry date of certificate validity period2026-04-01 (Let's Encrypt: 90 days)Expired certificates cause browser warnings and block access. Monitor and renew before expiry.
Certificate chainThe hierarchy from your certificate to a trusted root CAYour cert → Intermediate CA → Root CAFull chain must be present and valid. Missing intermediate causes some clients to reject the cert.
Protocol versionsTLS versions supported by the serverTLS 1.2, TLS 1.3TLS 1.0 and 1.1 are deprecated and should be disabled. TLS 1.3 is current standard.
Cipher suitesEncryption algorithms the server supportsTLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256Weak ciphers (RC4, 3DES) should be disabled. Modern ciphers with forward secrecy preferred.

Types of SSL Certificates

TypeValidation levelIssuance timeCostUse case
Domain Validation (DV)Automated DNS or HTTP validation that domain owner controls the domainMinutes (automated)Free (Let's Encrypt) to £10/yrPersonal sites, blogs, small services where domain ownership is sufficient proof
Organisation Validation (OV)CA verifies the organisation name, address, and phone number against business registries1–5 days£30–200/yrBusiness websites, APIs, customer portals where organisation identity matters
Extended Validation (EV)Rigorous vetting: legal existence, physical address, operational existence, domain control, authorisation1–2 weeks£100–500/yrHigh-trust sites (banking, healthcare, government) — though browser UI no longer differentiates
Wildcard (*.example.com)Any type (DV, OV, EV)Same as base typeHigher than single-domainCovers all subdomains of a domain (www, api, mail, etc.) — convenient but single certificate covers everything
Multi-SAN / Multi-domainAny typeSame as base typePer-SAN pricing typicalMultiple distinct domains on one certificate — useful for organisations with many domains

How SSL / TLS Works

SSL (Secure Sockets Layer) is the predecessor to TLS (Transport Layer Security) — the correct modern term is TLS, but "SSL" persists colloquially. TLS secures the connection between browser and server:

  1. TLS Handshake: Browser connects to server; they negotiate the TLS version and cipher suite to use
  2. Certificate exchange: Server sends its certificate. Browser verifies it is signed by a trusted CA, has not expired, and matches the domain.
  3. Key exchange: A shared session key is established using asymmetric cryptography (the server's public key from the certificate). In TLS 1.3, this uses Diffie-Hellman key exchange providing forward secrecy.
  4. Encrypted session: All subsequent data is encrypted with the symmetric session key. Even if an attacker captures the traffic, they cannot decrypt it without the session key.

The padlock in the browser address bar confirms this entire process succeeded — the connection is encrypted and the certificate is trusted.

Common SSL Certificate Problems

Certificate expired

The most common SSL problem. All browsers show a hard warning when a certificate expires — most users will leave immediately. Let's Encrypt certificates expire after 90 days (by design — encourages automation). Paid certificates typically last 1–2 years. Fix: renew the certificate immediately. Prevent: set up automated renewal (Certbot, Let's Encrypt) or calendar reminders 30–60 days before expiry.

Certificate doesn't match domain (hostname mismatch)

The certificate was issued for www.example.com but you are accessing example.com (or api.example.com). Fix: ensure the certificate covers all domains/subdomains via Subject Alternative Names (SAN). Use a wildcard certificate (*.example.com) to cover all subdomains at once.

Incomplete certificate chain

The server is presenting only the end-entity certificate, not the intermediate CA certificates. Most browsers have intermediate CAs cached and can work around this — but some mobile browsers, curl, and API clients cannot. Fix: configure your web server (nginx, Apache) to serve the full certificate chain (cert + intermediate + sometimes root).

Self-signed certificate

The certificate is signed by itself rather than a trusted CA. Common in development environments and internal tools. Browsers reject self-signed certificates with a security warning because there is no third-party verification of identity. Fix for production: obtain a proper certificate from Let's Encrypt (free) or a paid CA. For internal tools: consider a private CA or wildcard certificate for your internal domain.

SSL Certificate Management Best Practices

Free SSL Certificates: Let's Encrypt

Let's Encrypt is a free, automated, open CA run by the Internet Security Research Group (ISRG), backed by major tech companies. Key facts:

For any public website, Let's Encrypt is the correct default choice. Paid certificates are only needed for OV/EV validation levels, wildcard certificates when DNS automation is difficult, or when your hosting provider does not support Let's Encrypt.

Common Questions

What is the difference between HTTP and HTTPS?

HTTP (HyperText Transfer Protocol) transmits data in plain text — anyone who can intercept the connection (on the same WiFi network, at an ISP, etc.) can read or modify the data. HTTPS (HTTP Secure) adds TLS encryption — the data is encrypted end-to-end between browser and server. HTTPS is also required for many modern browser APIs (geolocation, service workers, notifications), prevents injection of ads/malware by ISPs, and is a positive ranking signal in Google search.

Does SSL make my website secure?

SSL/TLS secures the transport layer — data in transit between browser and server. It does not make the website itself secure. A website with HTTPS can still have SQL injection vulnerabilities, XSS, insecure authentication, or other application security issues. HTTPS ensures the connection to the site is private and the site's identity has been verified — not that the site is free of vulnerabilities. Security requires both transport security (HTTPS) and application security.

My SSL certificate is valid but Google still shows my site as "Not secure" — why?

This typically happens when a page has mixed content: the page loads over HTTPS but references some resources (images, scripts, stylesheets) via HTTP. The browser blocks or warns about those resources, and the overall connection is not considered secure. Fix: update all resource URLs on the page to HTTPS. Check for hardcoded http:// references in CSS, HTML, and JavaScript. A browser developer tools console scan will show all mixed content warnings.

Check SSL Certificate Status

Enter any domain to verify certificate validity, expiry date, issuer, and certificate chain — instantly. Free, no signup.

Open SSL Checker