How to Check Your SSL Certificate
Learn how to check SSL certificate validity, expiration date, hostname match, issuer trust, certificate chain and HTTPS configuration.
Introduction
Checking an SSL certificate helps confirm whether a website can load securely over HTTPS. A certificate may be installed, but still cause browser warnings if it is expired, issued for the wrong hostname, missing intermediate certificates or not trusted by browsers.
This guide explains what to check in an SSL certificate, how to interpret common results and what to fix when HTTPS does not work correctly.
Quick answer
To check an SSL certificate, verify the expiration date, hostname match, issuer, trust chain, SAN names and HTTPS response. A valid certificate should cover the exact domain visitors use, be issued by a trusted certificate authority and include a complete certificate chain.
What to check
When checking an SSL certificate, review more than just whether HTTPS loads.
Important checks include:
- Certificate expiration date
- Domain and hostname match
- WWW and non-WWW coverage
- Subdomain coverage
- Issuer / certificate authority
- Certificate chain
- SAN names
- TLS protocol support
- HTTP-to-HTTPS redirect
- Mixed content on the page
A website can have a valid certificate but still have HTTPS problems because of redirects, mixed content or server configuration.
Certificate expiration
Every SSL/TLS certificate has a validity period. If the certificate expires, browsers may show a security warning and users may not be able to access the site safely.
Check
Review certificate dates and renewal status.
Valid from
Confirm the certificate start date is correct.
Valid until
Check the expiry date and days remaining.
Auto-renewal
Confirm whether auto-renewal is enabled.
Active deployment
Confirm the renewed certificate is actually installed.
Renewal alone is not enough if the web server or CDN is still serving the old certificate.
Hostname match
The certificate must cover the exact hostname visitors use.
If visitors open:
https://example.com
The certificate must include:
example.com
If visitors open:
https://www.example.com
The certificate must include:
www.example.com
If visitors open:
https://app.example.com
The certificate must include:
app.example.com
A certificate for example.com does not always cover www.example.com unless both names are included.
SAN names
SAN means Subject Alternative Name. Modern certificates list covered hostnames in the SAN field.
example.com
www.example.com
app.example.com
When checking a certificate, verify the SAN list rather than relying only on the common name.
Chain and issuer
Browsers trust certificates through a chain of trust. A typical chain includes:
- Website certificate
- Intermediate certificate
- Trusted root certificate
If intermediate certificates are missing, some browsers, devices or tools may not trust the site.
Check
Confirm issuer trust and chain completeness.
Trusted issuer
Certificate is issued by a trusted certificate authority.
Intermediates installed
Intermediate certificates are installed on the server.
Complete chain
The full chain is present.
No self-signed cert
No self-signed certificate is used on a public website.
Why this matters
SSL certificate checks matter because a small certificate issue can make a website look unsafe. Expired certificates, hostname mismatches and incomplete chains can trigger browser warnings, break APIs, affect checkout pages and reduce user trust.
SSL checks are also important after hosting migrations, CDN changes, domain changes and certificate renewals.
How to check SSL
Use SSL Checker to inspect the certificate served by your domain.
When checking SSL, review
These eight checks help confirm the certificate is correct.
Certificate status
Confirm the certificate is valid and trusted.
Expiration date
Check how many days remain before expiry.
Hostname match
Confirm the certificate covers the exact domain, www version and subdomains.
SAN list
Review all hostnames included in the certificate.
Issuer
Check which certificate authority issued the certificate.
Certificate chain
Confirm intermediate certificates are installed correctly.
HTTPS behavior
Check whether HTTP redirects to HTTPS correctly.
Page resources
Check whether the HTTPS page has mixed content.
Check SSL certificate now
Use SSL Checker to review certificate validity, hostname match, issuer, chain and expiry.
Common problems
Certificate expired
HighThe certificate validity period has ended, so browsers may show warnings.
Next step: Renew the certificate and make sure the active server is serving the renewed version.
Certificate not valid yet
HighThe certificate start date is in the future or the system clock is wrong.
Next step: Install a valid certificate and check server time.
Hostname mismatch
HighThe certificate does not cover the hostname visitors are using.
Next step: Issue or install a certificate that includes the correct domain, www version or subdomain.
Missing www or root domain
MediumThe certificate covers example.com but not www.example.com, or the opposite.
Next step: Include both hostnames or redirect consistently to the covered hostname.
Incomplete certificate chain
MediumIntermediate certificates are missing.
Next step: Install the full chain from the certificate authority or hosting panel.
Self-signed certificate
HighThe certificate is not trusted by public browsers.
Next step: Use a certificate from a trusted certificate authority.
Wrong certificate after migration
HighThe server or CDN is showing a certificate for another domain or old environment.
Next step: Install the correct certificate on the active hosting, proxy or CDN.
HTTPS works but HTTP does not redirect
MediumUsers can still access the insecure HTTP version.
Next step: Add a clean HTTP-to-HTTPS redirect.
Mixed content warning
MediumThe page loads some resources over HTTP.
Next step: Update image, script, stylesheet and iframe URLs to HTTPS.
How to fix SSL
-
Step 1: Identify the active server or CDN
Confirm whether the certificate is served by hosting, a reverse proxy, CDN, load balancer or control panel.
-
Step 2: Check hostname coverage
List every hostname that should work over HTTPS, including root domain, www and subdomains.
-
Step 3: Renew or reissue the certificate
Use your hosting panel, Let’s Encrypt, CDN or certificate authority to issue a certificate covering the correct names.
-
Step 4: Install the full chain
Make sure the web server includes intermediate certificates.
-
Step 5: Reload the web service
Apply the new certificate by reloading Nginx, Apache, LiteSpeed, CDN or hosting service.
-
Step 6: Fix redirects
Redirect HTTP to HTTPS and avoid redirect loops.
-
Step 7: Fix mixed content
Update insecure HTTP assets to HTTPS.
-
Step 8: Re-check externally
Use SSL Checker from outside the server to confirm visitors see the correct certificate.
SSL check examples
openssl s_client -connect example.com:443 -servername example.com
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -subject -issuer
curl -I https://example.com
curl -I http://example.com
These examples are illustrative. Replace example.com with your real domain or subdomain.
Browser checks
You can also inspect a certificate directly in the browser.
- Lock or security icon
- Certificate details
- Issued to / domain
- Issuer
- Expiration date
- Certificate chain
- Browser warning message
Browser warnings are useful, but external SSL tools often show more detail about chain, hostname and server configuration.
After renewal checks
After renewing a certificate, verify that the new certificate is actually active.
- Browser shows the new expiry date
- SSL Checker shows the new certificate
- CDN or proxy is not serving the old certificate
- Web server was reloaded
- Intermediate chain is complete
- HTTPS redirect still works
- Auto-renewal is scheduled
Many SSL incidents happen because a certificate was renewed but not deployed to the active server.
Frequently asked questions
How do I check when my SSL certificate expires?
Use SSL Checker, browser certificate details or OpenSSL to view the certificate’s valid until date.
Why does my site show a certificate warning?
Common causes include expired certificate, hostname mismatch, incomplete chain, untrusted issuer or wrong certificate installed.
Does example.com SSL cover www.example.com?
Only if www.example.com is included in the certificate SAN list or covered by a wildcard certificate.
What is a certificate chain?
It is the trust path from your website certificate through intermediate certificates to a trusted root certificate.
Why does SSL look fine on my server but fail online?
You may be checking the wrong server, CDN, proxy or local cache. Always test the public hostname externally.
Should SSL renew automatically?
Yes, when possible. Auto-renewal reduces expiry risk, but you should still monitor renewals.
Can SSL be valid while the page still says insecure?
Yes. Mixed content, insecure forms or bad redirects can cause warnings even with a valid certificate.
Related tools
Use these free tools to verify your configuration after applying changes.
Related guides
Browse all SSL & HTTPS guides →Need help applying this fix?
Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.
Was this guide helpful?
Your feedback helps us improve our guides for everyone.
Thanks for your feedback!