SSL Checker — Check SSL Certificate Status
An SSL certificate (technically a TLS certificate) tells visitors their connection to your website is encrypted and that your domain has been verified. Expired, misconfigured, or untrusted SSL certificates cause browser security warnings that block users — and modern search engines factor HTTPS in rankings. The free SSL checker on PublicSoftTools verifies any domain's certificate status, expiry date, issuer, and chain validity.
How to Check an SSL Certificate
- Open the SSL checker.
- Enter the domain you want to check (e.g., example.com or www.example.com).
- Click Check SSL. The tool connects to the server and retrieves the certificate.
- Results show: expiry date (with days remaining), issuer, validity status, certificate chain, supported TLS versions, and any issues detected.
- A green status means the certificate is valid and trusted. Yellow means warnings (expiring soon, intermediate chain issues). Red means expired, untrusted, or mismatched.
SSL Certificate Fields Explained
| Certificate field | What it contains | Example | Why it matters |
|---|---|---|---|
| Subject / Common Name (CN) | The domain name the certificate is issued for | www.example.com | Must match the hostname you are accessing. Mismatch causes browser security error. |
| Subject Alternative Names (SAN) | Additional domains covered by the same certificate | example.com, www.example.com, api.example.com | Modern certificates use SANs for multi-domain coverage. Browser validates against SAN list. |
| Issued by (Issuer) | Certificate Authority that signed the certificate | Let's Encrypt, DigiCert, GlobalSign, Sectigo | Must be a trusted CA. Browser/OS has a built-in trust store of accepted CAs. |
| Valid from / Not before | Start date of certificate validity period | 2026-01-01 | Certificates presented before this date are invalid. Check server clock synchronisation. |
| Valid to / Not after | Expiry date of certificate validity period | 2026-04-01 (Let's Encrypt: 90 days) | Expired certificates cause browser warnings and block access. Monitor and renew before expiry. |
| Certificate chain | The hierarchy from your certificate to a trusted root CA | Your cert → Intermediate CA → Root CA | Full chain must be present and valid. Missing intermediate causes some clients to reject the cert. |
| Protocol versions | TLS versions supported by the server | TLS 1.2, TLS 1.3 | TLS 1.0 and 1.1 are deprecated and should be disabled. TLS 1.3 is current standard. |
| Cipher suites | Encryption algorithms the server supports | TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256 | Weak ciphers (RC4, 3DES) should be disabled. Modern ciphers with forward secrecy preferred. |
Types of SSL Certificates
| Type | Validation level | Issuance time | Cost | Use case |
|---|---|---|---|---|
| Domain Validation (DV) | Automated DNS or HTTP validation that domain owner controls the domain | Minutes (automated) | Free (Let's Encrypt) to £10/yr | Personal sites, blogs, small services where domain ownership is sufficient proof |
| Organisation Validation (OV) | CA verifies the organisation name, address, and phone number against business registries | 1–5 days | £30–200/yr | Business websites, APIs, customer portals where organisation identity matters |
| Extended Validation (EV) | Rigorous vetting: legal existence, physical address, operational existence, domain control, authorisation | 1–2 weeks | £100–500/yr | High-trust sites (banking, healthcare, government) — though browser UI no longer differentiates |
| Wildcard (*.example.com) | Any type (DV, OV, EV) | Same as base type | Higher than single-domain | Covers all subdomains of a domain (www, api, mail, etc.) — convenient but single certificate covers everything |
| Multi-SAN / Multi-domain | Any type | Same as base type | Per-SAN pricing typical | Multiple distinct domains on one certificate — useful for organisations with many domains |
How SSL / TLS Works
SSL (Secure Sockets Layer) is the predecessor to TLS (Transport Layer Security) — the correct modern term is TLS, but "SSL" persists colloquially. TLS secures the connection between browser and server:
- TLS Handshake: Browser connects to server; they negotiate the TLS version and cipher suite to use
- Certificate exchange: Server sends its certificate. Browser verifies it is signed by a trusted CA, has not expired, and matches the domain.
- Key exchange: A shared session key is established using asymmetric cryptography (the server's public key from the certificate). In TLS 1.3, this uses Diffie-Hellman key exchange providing forward secrecy.
- Encrypted session: All subsequent data is encrypted with the symmetric session key. Even if an attacker captures the traffic, they cannot decrypt it without the session key.
The padlock in the browser address bar confirms this entire process succeeded — the connection is encrypted and the certificate is trusted.
Common SSL Certificate Problems
Certificate expired
The most common SSL problem. All browsers show a hard warning when a certificate expires — most users will leave immediately. Let's Encrypt certificates expire after 90 days (by design — encourages automation). Paid certificates typically last 1–2 years. Fix: renew the certificate immediately. Prevent: set up automated renewal (Certbot, Let's Encrypt) or calendar reminders 30–60 days before expiry.
Certificate doesn't match domain (hostname mismatch)
The certificate was issued for www.example.com but you are accessing example.com (or api.example.com). Fix: ensure the certificate covers all domains/subdomains via Subject Alternative Names (SAN). Use a wildcard certificate (*.example.com) to cover all subdomains at once.
Incomplete certificate chain
The server is presenting only the end-entity certificate, not the intermediate CA certificates. Most browsers have intermediate CAs cached and can work around this — but some mobile browsers, curl, and API clients cannot. Fix: configure your web server (nginx, Apache) to serve the full certificate chain (cert + intermediate + sometimes root).
Self-signed certificate
The certificate is signed by itself rather than a trusted CA. Common in development environments and internal tools. Browsers reject self-signed certificates with a security warning because there is no third-party verification of identity. Fix for production: obtain a proper certificate from Let's Encrypt (free) or a paid CA. For internal tools: consider a private CA or wildcard certificate for your internal domain.
SSL Certificate Management Best Practices
- Automate renewal: Let's Encrypt + Certbot provides free automated certificate management. Most hosting providers and CDNs (Cloudflare, Vercel, Netlify, AWS ACM) auto-renew certificates. Manual renewal is an outage waiting to happen.
- Monitor expiry across all domains: Organisations often have dozens or hundreds of certificates across different services, environments, and subdomains. Certificate expiry monitoring tools (UptimeRobot, StatusCake, Better Uptime) alert 30 days before expiry.
- Use a CDN with managed certificates: Cloudflare, Fastly, AWS CloudFront all provide and automatically renew SSL certificates. This offloads certificate management to the provider.
- Enable HSTS (HTTP Strict Transport Security): An HTTP response header that tells browsers to always use HTTPS for this domain, even if the user types http://. Prevents SSL stripping attacks.
- Disable outdated TLS versions: TLS 1.0 and 1.1 are deprecated and insecure. Configure your server to accept only TLS 1.2 and 1.3.
Free SSL Certificates: Let's Encrypt
Let's Encrypt is a free, automated, open CA run by the Internet Security Research Group (ISRG), backed by major tech companies. Key facts:
- Issues DV (Domain Validation) certificates — free, automated, fully trusted by all major browsers
- Certificates expire after 90 days — designed to encourage automation (Certbot handles auto-renewal)
- Wildcard certificates available via DNS-01 challenge (requires DNS API access)
- Rate limits apply — max 50 certificates per registered domain per week (sufficient for most users)
- Used by over 400 million active certificates worldwide (as of 2025)
For any public website, Let's Encrypt is the correct default choice. Paid certificates are only needed for OV/EV validation levels, wildcard certificates when DNS automation is difficult, or when your hosting provider does not support Let's Encrypt.
Common Questions
What is the difference between HTTP and HTTPS?
HTTP (HyperText Transfer Protocol) transmits data in plain text — anyone who can intercept the connection (on the same WiFi network, at an ISP, etc.) can read or modify the data. HTTPS (HTTP Secure) adds TLS encryption — the data is encrypted end-to-end between browser and server. HTTPS is also required for many modern browser APIs (geolocation, service workers, notifications), prevents injection of ads/malware by ISPs, and is a positive ranking signal in Google search.
Does SSL make my website secure?
SSL/TLS secures the transport layer — data in transit between browser and server. It does not make the website itself secure. A website with HTTPS can still have SQL injection vulnerabilities, XSS, insecure authentication, or other application security issues. HTTPS ensures the connection to the site is private and the site's identity has been verified — not that the site is free of vulnerabilities. Security requires both transport security (HTTPS) and application security.
My SSL certificate is valid but Google still shows my site as "Not secure" — why?
This typically happens when a page has mixed content: the page loads over HTTPS but references some resources (images, scripts, stylesheets) via HTTP. The browser blocks or warns about those resources, and the overall connection is not considered secure. Fix: update all resource URLs on the page to HTTPS. Check for hardcoded http:// references in CSS, HTML, and JavaScript. A browser developer tools console scan will show all mixed content warnings.
Check SSL Certificate Status
Enter any domain to verify certificate validity, expiry date, issuer, and certificate chain — instantly. Free, no signup.
Open SSL Checker