Seeing a padlock in a site's address bar is reassuring, but that padlock alone doesn't guarantee the certificate is actually healthy. It might expire tomorrow, be issued to the wrong domain, or have an incomplete chain. Checking the certificate lets you see those details in a few seconds.
Why Check an SSL Certificate?
Checking a certificate answers three questions at heart: is it valid (not expired and issued by a trusted authority), is it for the right site (does it match the domain), and when does it need renewing. All three matter whether you're managing your own site or want confidence before entering data on someone else's.
How to Check It (3 Ways)
1) From the browser
The fastest way: click the padlock in the address bar, go to "connection is secure," then the "certificate" details. There you'll see who issued the certificate, which domains it covers, and its validity dates.
2) With an online checker
If you want to enter a domain and see every detail on one screen, an online tool is the most practical option — it also shows the chain and any warnings. You can use our free tool from the box below.
3) From the command line (openssl)
For technical users, openssl is the most transparent method. To see the certificate a server presents:
To read the certificate's key fields directly, add one more step:
What the Results Mean
Whichever method you use, these are the key fields you'll see:
| Field | What it means |
|---|---|
| Issuer | The Certificate Authority (CA) that issued it. Should be a trusted CA. |
| Subject / CN | The domain the certificate was primarily issued to. |
| SAN (Subject Alt Names) | All domains the certificate covers (e.g. with and without www). |
| Valid From / To | The start and end of validity. Renew before the end date approaches. |
| Chain | The trust chain from the certificate up to the root. If it's incomplete, browsers warn. |
| Protocol / Cipher | The connection's TLS version and cipher suite. Should be TLS 1.2/1.3 only. |
Common Problems and What They Mean
- Expired — the certificate's validity date has passed. You'll need to renew it; the browser shows a "not secure" warning.
- Name mismatch — the certificate was issued to a different domain (e.g. it doesn't cover the non-www version). Check the SAN field.
- Self-signed — not issued by a trusted CA. Fine for testing, not for production.
- Incomplete chain — the intermediate certificates aren't installed; some devices treat the site as untrusted.
- Weak protocol — an old TLS version is in use. Only TLS 1.2/1.3 should be supported.
A certificate is only doing its job if it's valid, trusted, and matches your domain.