Seeing a padlock in a site's address bar is reassuring, but that padlock alone doesn't guarantee the certificate is actually healthy. It might expire tomorrow, be issued to the wrong domain, or have an incomplete chain. Checking the certificate lets you see those details in a few seconds.

Why Check an SSL Certificate?

Checking a certificate answers three questions at heart: is it valid (not expired and issued by a trusted authority), is it for the right site (does it match the domain), and when does it need renewing. All three matter whether you're managing your own site or want confidence before entering data on someone else's.

How to Check It (3 Ways)

1) From the browser

The fastest way: click the padlock in the address bar, go to "connection is secure," then the "certificate" details. There you'll see who issued the certificate, which domains it covers, and its validity dates.

2) With an online checker

If you want to enter a domain and see every detail on one screen, an online tool is the most practical option — it also shows the chain and any warnings. You can use our free tool from the box below.

3) From the command line (openssl)

For technical users, openssl is the most transparent method. To see the certificate a server presents:

openssl s_client -connect example.com:443 -servername example.com

To read the certificate's key fields directly, add one more step:

openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates

What the Results Mean

Whichever method you use, these are the key fields you'll see:

FieldWhat it means
IssuerThe Certificate Authority (CA) that issued it. Should be a trusted CA.
Subject / CNThe domain the certificate was primarily issued to.
SAN (Subject Alt Names)All domains the certificate covers (e.g. with and without www).
Valid From / ToThe start and end of validity. Renew before the end date approaches.
ChainThe trust chain from the certificate up to the root. If it's incomplete, browsers warn.
Protocol / CipherThe connection's TLS version and cipher suite. Should be TLS 1.2/1.3 only.
Don't lose track of the expiry The most common thing that happens to certificates is expiring at the worst moment. Use our SSL Expiry Reminder to keep an eye on the end date.

Common Problems and What They Mean

A certificate is only doing its job if it's valid, trusted, and matches your domain.

G
GetYourSSL Team
We translate the SSL/TLS world into plain English (and Turkish). Independent affiliate partners of SSL.com, focused on helping you pick the right certificate — not the most expensive one.