Table of contents
You probably know that the padlock icon in your browser address bar means a site is secure. But what does that padlock actually tell you? What is inside an SSL certificate, how do you check it properly, and how do you know if something is wrong?
This guide explains SSL certificates, what the certificate details mean, how to check any site's certificate, and what problems to look out for.
What an SSL certificate does
An SSL/TLS certificate does two things:
Encryption: It enables HTTPS, encrypting data transmitted between the browser and the server. Without encryption, any network observer — on public Wi-Fi, at an ISP, on a corporate network — can read everything in transit: form submissions, login credentials, browsing activity.
Authentication: The certificate is issued by a trusted Certificate Authority (CA) that has verified the certificate owner's control over the domain. When your browser sees a valid certificate for example.com, it knows the server you are talking to is actually controlled by whoever controls example.com — not an attacker intercepting the connection.
Without SSL, both guarantees fail: traffic is readable and there is no cryptographic proof the server is legitimate.
How to check an SSL certificate
Method 1: Browser padlock
Click the padlock icon in your address bar. In Chrome, click "Connection is secure," then "Certificate is valid." In Firefox, click the lock, then "More information," then "View Certificate." This shows the basic certificate information: who it was issued to, who issued it, and when it expires.
Method 2: Online SSL checker
For detailed information — full certificate chain, cipher suites, protocol versions, expiry warnings — use the FixTools SSL Certificate Checker:
- Enter the domain name (e.g.,
example.com) - The tool connects to the server and retrieves the certificate
- Review the results: validity status, issuer, expiry date, covered domains, and protocol version
This gives you more information than the browser padlock and works for checking third-party sites as well as your own.
What the certificate details mean
Common Name (CN) / Subject Alternative Names (SANs)
The Common Name identifies the domain the certificate was issued for (e.g., www.example.com). Modern certificates use Subject Alternative Names (SANs) to list all domains and subdomains the certificate covers.
A certificate for example.com might cover:
example.comwww.example.comapi.example.com
If you access a site on a domain not listed in the CN or SANs, the browser shows a certificate error — even if the certificate itself is valid.
Validity period
Certificates have a "Not Before" and "Not After" date. The certificate is only valid within this window. Before the "Not Before" date, the certificate is not yet valid. After "Not After," it has expired and browsers will show warnings.
Current maximum validity is 398 days. Let's Encrypt certificates expire after 90 days.
What to watch: Check your own site's expiry date regularly. A lapsed certificate takes your site offline from most visitors' perspective as effectively as downtime.
Issuer / Certificate Authority
The issuer is the organization that signed and vouched for the certificate. Common CAs include:
- Let's Encrypt — free, automated, 90-day certificates widely used for web hosting
- DigiCert — commercial CA used by many enterprise sites
- Sectigo — commercial CA, formerly Comodo
- Google Trust Services — used for Google's own properties
Browsers maintain a built-in list of trusted CAs. Certificates signed by CAs on this list are trusted automatically. Self-signed certificates (signed by the site owner's own CA) are not in the list and produce browser warnings.
Certificate type (DV, OV, EV)
| Type | Stands for | Verification | Visual indicator |
|---|---|---|---|
| DV | Domain Validated | CA checks domain control only | Padlock only |
| OV | Organization Validated | CA verifies legal organization identity | Padlock only |
| EV | Extended Validated | Extensive identity verification | Padlock (previously showed green bar + company name) |
Most sites use DV certificates — they are free (via Let's Encrypt) or cheap, easy to obtain, and provide full encryption. OV and EV certificates involve more paperwork and cost but do not provide meaningfully stronger encryption. Browsers removed the EV green bar in 2019 because research showed it did not affect user security decisions.
Protocol version
The TLS protocol version shows what version of the encryption protocol is being used:
- TLS 1.3 — current standard, best security and performance
- TLS 1.2 — still widely supported and secure
- TLS 1.1 — deprecated, no longer supported by modern browsers
- TLS 1.0 — deprecated, browsers refuse connections since 2020
- SSL 2.0/3.0 — obsolete and broken, should never appear
If you see TLS 1.0, TLS 1.1, or any SSL version on your own site, update your server's TLS configuration immediately.
Certificate chain
Certificates do not exist in isolation — they form a chain of trust:
- Root certificate — self-signed by the CA, pre-installed in your OS and browser
- Intermediate certificate — signed by the root, issued to the CA for day-to-day use
- End-entity certificate — your site's certificate, signed by the intermediate
For a browser to trust your certificate, the full chain must be present and valid. A broken chain — where the intermediate certificate is missing — causes browser warnings even if your end-entity certificate is valid. This is the most common SSL configuration mistake.
Common SSL certificate problems
Expired certificate
Symptom: Browser shows "Your connection is not private" with error code NET::ERR_CERT_DATE_INVALID.
Fix: Renew the certificate. If you use Let's Encrypt with Certbot, run certbot renew. If you bought a commercial certificate, purchase a new one and install it.
Prevention: Set a calendar reminder 30 days before expiry. Use monitoring tools to alert you automatically. If you use Let's Encrypt, ensure the automatic renewal cron job is working — test with certbot renew --dry-run.
Domain mismatch
Symptom: Browser shows "Your connection is not private" with error code NET::ERR_CERT_COMMON_NAME_INVALID.
Cause: The domain in the URL does not match the domain in the certificate. Common causes:
- Accessing
www.example.comwhen the certificate only coversexample.com - Accessing
api.example.comwhen the certificate does not include that subdomain - Using an IP address when the certificate uses a hostname
Fix: Either update the certificate to include the missing domain, or redirect traffic to a domain the certificate covers.
Broken certificate chain
Symptom: SSL checkers flag "Incomplete chain" or "Untrusted certificate." Some browsers and devices work, others do not.
Cause: The intermediate certificate is not being served with your site's certificate.
Fix: Download the full certificate chain from your CA (usually a "bundle" or "chain" file) and configure your server to include it. In nginx, this means combining your certificate and the intermediate chain into one file.
Mixed content warnings
Symptom: The padlock shows but with a warning (yellow triangle). The browser console shows "Mixed Content" errors.
Cause: Your HTTPS page is loading some resources (images, scripts, stylesheets) over HTTP.
Fix: Update all resource URLs to use HTTPS. Check for hardcoded http:// URLs in your templates, CSS, and JavaScript. Most CDNs and third-party services support HTTPS — use protocol-relative URLs (//cdn.example.com/script.js) if you need compatibility with both.
Self-signed certificate
Symptom: Browser warning saying the certificate is not from a trusted authority.
Cause: The certificate was not issued by a trusted CA — it was created by the server operator directly.
Self-signed certificates are legitimate for: development environments, internal tools on private networks, testing.
Self-signed certificates are not appropriate for: any site that end users access over the public internet.
Fix: Get a certificate from a trusted CA. Let's Encrypt is free and automated.
Checking SSL certificates at scale
If you manage multiple sites or need to monitor certificate expiry across a portfolio:
- The FixTools Uptime Monitor checks site availability regularly
- The DNS Lookup tool helps investigate DNS configuration that may be related to certificate issues
- For bulk domain checking, command-line tools like
openssl s_clientlet you script certificate checks:
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates
This prints the notBefore and notAfter dates for the certificate on example.com.
Check your site's SSL certificate now
Use the FixTools SSL Certificate Checker to inspect any domain's certificate: validity status, expiry date, issuer, covered domains, and TLS protocol version. No sign-up required — enter a domain and get the results instantly.
Try it free — right in your browser
No sign-up, no uploads. Your data stays private on your device.
Frequently asked questions
6 questions answered
QHow do I know if a website has a valid SSL certificate?
The easiest visual indicator is the padlock icon in your browser address bar next to the URL. A closed padlock means the connection is encrypted with a valid SSL certificate. If you see "Not Secure" or an open padlock, the site either uses HTTP (no certificate) or has an SSL error. To get full certificate details — who issued it, when it expires, what domains it covers — click the padlock and choose "Certificate" or use an SSL checker tool that shows the complete certificate information.
QHow long do SSL certificates last?
As of 2020, SSL/TLS certificates issued by commercial Certificate Authorities are valid for a maximum of 398 days (about 13 months). Before 2020, certificates could be valid for up to 2 years. Let us Encrypt certificates expire after 90 days and are typically renewed automatically every 60 days. Industry proposals are pushing for even shorter lifespans — 90 days for all certificates — to reduce the risk from compromised or mis-issued certificates remaining valid for long periods.
QWhat happens when an SSL certificate expires?
Browsers display a full-page warning that the connection is not secure and the certificate has expired. Most users do not proceed past these warnings, which effectively takes your site offline from a practical standpoint. Search engines may also demote or flag sites with SSL errors. The certificate does not need to be expired for problems to occur — certificates with invalid chains, wrong domain names, or that have been revoked cause the same browser warnings. Monitor expiry dates and renew at least 30 days before expiration.
QWhat is the difference between SSL and TLS?
SSL (Secure Sockets Layer) is the original protocol, but it has not been in use since SSL 3.0 was deprecated in 2015 due to security vulnerabilities. TLS (Transport Layer Security) is the successor protocol, currently at TLS 1.3. Despite this, the term "SSL" persists colloquially because it was the name everyone learned. When someone says SSL certificate, they almost always mean a TLS certificate. When checking a site, look for TLS 1.2 or TLS 1.3 — any site still using SSL 2.0, SSL 3.0, or TLS 1.0/1.1 has a serious security configuration problem.
QWhat is a wildcard SSL certificate?
A wildcard certificate covers a domain and all of its immediate subdomains. The certificate common name looks like *.example.com — the asterisk is a wildcard that matches any single label. So a wildcard for *.example.com covers www.example.com, blog.example.com, and api.example.com, but not sub.blog.example.com (which would need *.blog.example.com). Wildcard certificates are useful for organizations with many subdomains, since one certificate covers all of them instead of requiring separate certificates for each subdomain.
QWhat is certificate transparency and why does it matter?
Certificate Transparency (CT) is a public log of every SSL/TLS certificate issued by Certificate Authorities. Any certificate that has not been logged in the CT framework is rejected by Chrome, Firefox, and Safari. CT logs let security researchers and site owners detect unauthorized certificates — for example, if an attacker somehow obtained a certificate for your domain, you would be able to find it in the public CT logs. Free tools like crt.sh let you search CT logs for any domain and see every certificate that has been issued for it.
O. Kimani
Software Developer & Founder, FixTools
Building FixTools — a single destination for free, browser-based productivity tools. Every tool runs client-side: your files never leave your device.
About the authorRelated articles
How to Check if a Website is Down (For You or Everyone)
Is the site down, or is it just you? Learn how to check website uptime instantly, what causes sites to go down, and how to monitor your own site for free.
Read articleUtilitiesWhat Is My IP Address and What Can Websites See About Me?
Discover what your IP address reveals to websites — location, ISP, device type — and what they legally can and cannot see about you. Check yours instantly.
Read article