Complete SSL Certificate Checker Guide

How SSL/TLS Certificates Work

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic protocols that provide secure communication over the internet. When you see the padlock icon in your browser and "https://" in the URL, that's SSL/TLS in action.

An SSL/TLS certificate serves two critical functions: authentication (proving the website is who it claims to be) and encryption (protecting data in transit from eavesdropping). Without a valid certificate, browsers display scary warning messages that drive users away.

The SSL/TLS Handshake Process

When you visit an HTTPS website, here's what happens in milliseconds:

1. Client Hello: Your browser sends supported cipher suites and TLS version
2. Server Hello: Server responds with chosen cipher suite and its SSL certificate
3. Certificate Verification: Browser validates the certificate against trusted Certificate Authorities (CAs)
4. Key Exchange: Client and server establish shared encryption keys
5. Encrypted Communication: All subsequent data is encrypted using the established keys

Certificate Anatomy

An SSL certificate contains several key components:

• Subject: The domain name(s) the certificate secures
• Issuer: The Certificate Authority that issued the certificate
• Validity Period: Start and end dates (typically 90 days for Let's Encrypt, 1 year for commercial CAs)
• Public Key: Used for encryption
• Signature: CA's digital signature proving authenticity
• Subject Alternative Names (SANs): Additional domains covered by the certificate

Types of SSL Certificates

Domain Validated (DV): Basic validation proving you control the domain. Issued within minutes. Free options available (Let's Encrypt). Best for blogs and small sites.

Organization Validated (OV): Validates domain ownership plus organization identity. Takes 1-3 days. Shows organization name in certificate details. Good for businesses.

Extended Validation (EV): Most rigorous validation including legal, physical, and operational existence of organization. Takes 1-2 weeks. Formerly showed green bar in browsers (removed by most browsers in 2019+). Used by banks and large enterprises.

Wildcard Certificates: Secures a domain and all its subdomains (*.example.com covers blog.example.com, shop.example.com, etc.). More expensive but convenient for sites with many subdomains.

Certificate Expiration Monitoring

An expired SSL certificate is one of the most embarrassing and damaging incidents for any website. Browsers display full-page warnings, users can't access your site, and your reputation suffers. Yet certificate expiration remains surprisingly common, even affecting major companies.

Why Certificates Expire

Certificate lifespans have been deliberately shortened over time to improve security:

• 2015: Maximum validity was 5 years
• 2018: Reduced to 2 years (825 days)
• 2020: Reduced to 1 year (398 days)
• Let's Encrypt: 90 days (encourages automation)
• Proposed: Some CAs considering 45-day certificates

Shorter lifespans mean compromised certificates can't be exploited as long, but they also require more diligent monitoring and renewal processes.

Automated Monitoring Best Practices

Manual tracking of certificate expiration is error-prone. Implement these automated monitoring strategies:

1. Set Multiple Alerts: Configure alerts at 30, 14, 7, and 1 day before expiration. Different alert thresholds catch issues at various stages.
2. Monitor All Domains: Don't forget subdomains, API endpoints, staging environments, and internal services. Each needs its own certificate.
3. Check Chain Validity: An expired intermediate certificate can break your entire site even if your leaf certificate is valid.
4. Test Alert Mechanisms: Verify alerts actually reach the right people and trigger appropriate responses.
5. Document Renewal Procedures: Ensure multiple team members know how to renew certificates, not just one person.

Using HTTP Tiger's SSL Checker

HTTP Tiger's SSL Certificate Checker provides comprehensive monitoring:

Automation with Let's Encrypt

Let's Encrypt has revolutionized SSL by providing free certificates with automatic renewal:

# Install Certbot
sudo apt-get update
sudo apt-get install certbot python3-certbot-apache

# Get certificate and configure Apache automatically
sudo certbot --apache -d example.com -d www.example.com

# Test automatic renewal
sudo certbot renew --dry-run

Certbot automatically renews certificates 30 days before expiration. Set up a cron job to check twice daily:

0 0,12 * * * certbot renew --quiet --post-hook "systemctl reload apache2"

Common SSL Errors and How to Fix Them

SSL errors are cryptic by nature, but most fall into predictable categories. Here's how to diagnose and fix the most common ones.

Error: Certificate Has Expired

What it means: The certificate's validity period has ended.

How to fix:

1. Renew the certificate immediately through your CA or Let's Encrypt
2. Install the new certificate on your server
3. Restart your web server to load the new certificate
4. Verify the new certificate is being served: openssl s_client -connect example.com:443

Error: Certificate Name Mismatch

What it means: The domain in the certificate doesn't match the domain you're visiting (visiting www.example.com but certificate is for example.com).

How to fix:

• Option 1: Get a certificate that includes all domain variations (use SANs: example.com, www.example.com)
• Option 2: Use a wildcard certificate (*.example.com)
• Option 3: Redirect one domain to the other (e.g., www redirects to non-www)

Error: Certificate Not Trusted / Unknown Issuer

What it means: The certificate wasn't issued by a trusted Certificate Authority, or the certificate chain is incomplete.

How to fix:

# Check certificate chain
openssl s_client -connect example.com:443 -showcerts

# Verify all intermediate certificates are installed
# Most CAs provide a "full chain" or "bundle" file

Install the full certificate chain, not just your domain certificate. The chain file typically includes your certificate + intermediate certificates.

Error: Certificate Transparency Verification Failed

What it means: Certificate Transparency (CT) is a security mechanism requiring certificates to be logged publicly. Some CAs or configurations fail to meet CT requirements.

How to fix: This is usually the CA's issue. Contact your CA or switch to a CA that properly supports Certificate Transparency (Let's Encrypt, DigiCert, etc.).

Error: Mixed Content

What it means: Your HTTPS page is loading some resources (images, scripts, CSS) over HTTP, weakening security.

How to fix:

1. Open browser DevTools Console to see which resources are HTTP
2. Update all resource URLs to use HTTPS or protocol-relative URLs (//example.com/image.jpg)
3. Set CSP header: Content-Security-Policy: upgrade-insecure-requests

Error: SSL Protocol Error / Handshake Failure

What it means: Client and server can't agree on encryption protocols or cipher suites, often due to outdated TLS versions.

How to fix:

• Disable SSL 3.0, TLS 1.0, and TLS 1.1 (all deprecated and insecure)
• Enable TLS 1.2 and TLS 1.3
• Use modern cipher suites (prioritize ECDHE and AES-GCM)
• Test with SSL Labs: ssllabs.com/ssltest

Certificate Chain Validation

The certificate chain (also called chain of trust) is a hierarchical series of certificates that validate your SSL certificate. Understanding and properly configuring the chain is crucial for SSL functionality.

How Certificate Chains Work

There are three levels in a typical certificate chain:

1. Root Certificate: Trusted Certificate Authority (pre-installed in browsers/OS). Example: DigiCert Global Root CA
2. Intermediate Certificate(s): Issued by root CA, signs your certificate. CAs use intermediates so root private keys can stay offline for security
3. Leaf/End Entity Certificate: Your domain certificate, signed by the intermediate

When a browser validates your certificate, it follows the chain from your certificate → intermediate → root. If any link is missing or invalid, validation fails.

Checking the Certificate Chain

Use OpenSSL to inspect the complete chain:

# View full certificate chain
openssl s_client -connect example.com:443 -showcerts

# Check if chain is complete
openssl s_client -connect example.com:443 | openssl x509 -noout -text

A proper chain will show:

depth=2 O = Internet Security Research Group, CN = ISRG Root X1
depth=1 C = US, O = Let's Encrypt, CN = R3
depth=0 CN = example.com

Installing the Complete Chain

Most CAs provide multiple files when you obtain a certificate:

• certificate.crt - Your domain certificate
• ca-bundle.crt or chain.crt - Intermediate certificates
• fullchain.crt - Combined file (certificate + intermediates)

For Apache, use the fullchain file:

SSLCertificateFile /path/to/fullchain.crt
SSLCertificateKeyFile /path/to/private.key

For Nginx:

ssl_certificate /path/to/fullchain.pem;
ssl_certificate_key /path/to/private.key;

How to Check SSL Certificates

Regular SSL certificate checks should be part of your site maintenance routine. Here are multiple methods:

Browser Method (Quick Check)

1. Visit your site in a browser
2. Click the padlock icon in the address bar
3. Click "Certificate" or "Connection is secure"
4. View expiration date, issuer, and coverage

This works for quick manual checks but isn't suitable for monitoring or automation.

Command Line Method (OpenSSL)

For detailed information and automation:

# Check certificate expiration date
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates

# Get all certificate details
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -text

# Check specific port (non-standard HTTPS)
openssl s_client -connect example.com:8443

# Test TLS 1.3 support
openssl s_client -connect example.com:443 -tls1_3

Online Tools

HTTP Tiger SSL Checker: httptiger.com/ssl-checker.html - Comprehensive certificate analysis with monitoring

SSL Labs: ssllabs.com/ssltest - Deep security analysis including protocol support and cipher configuration

Why Not Verify: whynopadlock.com - Identifies mixed content issues preventing the padlock icon

Programmatic Monitoring

For DevOps and automation, implement certificate monitoring in your infrastructure:

# Python script to check certificate expiration
import ssl
import socket
from datetime import datetime

def check_certificate(hostname):
    context = ssl.create_default_context()
    with socket.create_connection((hostname, 443)) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
            cert = ssock.getpeercert()
            expires = datetime.strptime(cert['notAfter'], '%b %d %H:%M:%S %Y %Z')
            days_remaining = (expires - datetime.now()).days
            print(f"{hostname}: {days_remaining} days until expiration")
            return days_remaining

# Check and alert if < 30 days
if check_certificate('example.com') < 30:
    send_alert("Certificate expiring soon!")

SSL Certificate Best Practices

1. Use Strong Encryption

Modern configuration recommendations:

# Nginx SSL configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_stapling on;
ssl_stapling_verify on;

2. Enable OCSP Stapling

OCSP (Online Certificate Status Protocol) Stapling improves performance and privacy by having your server query certificate revocation status instead of forcing each client to do so.

3. Use HTTP Strict Transport Security (HSTS)

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

HSTS forces browsers to always use HTTPS, preventing downgrade attacks. Learn more about implementing security headers in our HTTP Header Checker Guide.

4. Implement Certificate Pinning (Advanced)

For high-security applications, pin specific certificates or public keys to prevent man-in-the-middle attacks using fraudulent certificates.

5. Monitor and Alert

• Set up automated monitoring for all domains and subdomains
• Alert at 30, 14, 7, and 1 day before expiration
• Monitor certificate chain validity
• Track TLS protocol and cipher usage
• Alert on any certificate errors or warnings

6. Regular Security Audits

Run SSL Labs tests quarterly to catch configuration drift and ensure you're following current best practices as they evolve.

Conclusion

SSL/TLS certificates are fundamental to web security and user trust. While the technology can seem complex, modern tools like Let's Encrypt and automated monitoring systems make it easier than ever to maintain proper HTTPS configurations.

The key is implementing automated monitoring and renewal processes. Manual tracking inevitably leads to expired certificates and outages. By using tools like HTTP Tiger's SSL Checker, you can proactively monitor your certificates and receive alerts before problems occur. For comprehensive website monitoring including SSL checks, consider setting up uptime monitoring to catch certificate issues before they cause downtime.