
SSL Checker Online
Free SSL Certificate Test & HTTPS Validator Tool

Use our free SSL checker online tool to verify SSL certificate details for any website. This website security certificate checker performs a live SSL handshake to inspect the CA (certificate authority), expiration date, TLS 1.2 vs TLS 1.3 support, SHA-256 fingerprint, SAN (subject alternative name) entries, intermediate certificates, key strength (2048-bit RSA or ECC), and overall security grade. Detect wildcard SSL, Let's Encrypt certificates, and expired certificate warnings instantly.

Quick Answer: What Is an SSL Certificate Test?

An SSL checker online connects to a website on port 443, performs a TLS handshake, and retrieves the X.509 certificate to display the issuing CA, expiration date, signature algorithm (SHA-256), key type (2048-bit RSA or ECC), SAN entries, certificate chain depth, and TLS version. Our HTTPS validator tool grades overall SSL health from A+ to F and detects Let's Encrypt and wildcard SSL certificates automatically.


Jessica Wright, Cybersecurity Threat Researcher at TrustMyIP

Jessica specializes in SSL/TLS security, IP blacklisting, malware prevention, and data privacy compliance (GDPR/CCPA). She helps webmasters, security analysts, and businesses audit their encryption infrastructure, troubleshoot certificate errors, and implement modern TLS configurations.


What Is an SSL Checker Online and Why Should You Use It?

An SSL checker online connects to a website's server on port 443, performs a live TLS handshake, and retrieves the X.509 digital certificate to analyze its security properties. When you verify SSL certificate details through our tool, you get a complete picture of the domain's encryption health: the issuing CA (certificate authority), expiration date, SHA-256 fingerprint, key strength (2048-bit RSA or ECC), SAN (subject alternative name) entries, TLS version, intermediate certificates, and overall security grade.

According to Wikipedia's article on Transport Layer Security, TLS is the successor to the now-deprecated SSL protocol and provides communication security for virtually all HTTPS websites. Despite the protocol being technically called TLS, the industry still uses the term "SSL certificate" universally. Our SSL certificate test tool uses modern TLS to inspect certificates while supporting the terminology everyone searches for.

SSL certificates serve two critical functions: encryption (preventing eavesdropping on data between browser and server) and authentication (proving the server is legitimately owned by the claimed organization). Without a valid SSL certificate, browsers display the dreaded "connection not private" warning that drives 90% of visitors away.

Key Fact: Our SSL checker online tool detects Let's Encrypt certificates automatically, identifies wildcard SSL entries in SAN lists, verifies certificate chain completeness, and grades overall SSL health from A+ to F. It supports TLS 1.2 vs TLS 1.3 detection and shows OCSP status for revocation checking.

How the SSL Handshake Works: TLS 1.2 vs TLS 1.3

Every time your browser connects to an HTTPS website, a TLS handshake happens in milliseconds to establish an encrypted tunnel. Our SSL certificate test tool simulates this handshake to retrieve certificate data. Understanding the handshake helps you troubleshoot connection failures.

The TLS 1.2 Handshake (2 Round Trips)

In TLS 1.2, the handshake requires two full round trips between client and server. The client sends a "ClientHello" with supported cipher suites, the server responds with its certificate and chosen cipher, the client verifies the certificate chain back to a trusted Root CA, both sides exchange keys using RSA or Diffie-Hellman, and finally a symmetric session key is established for encrypting all subsequent data.

The TLS 1.3 Handshake (1 Round Trip)

TLS 1.3 reduces the handshake to a single round trip with 0-RTT (zero round-trip time) resumption for returning visitors. It removed insecure algorithms like RC4, DES, 3DES, and static RSA key exchange. TLS 1.3 only supports modern ciphers: AES-128-GCM, AES-256-GCM, and ChaCha20-Poly1305. Our HTTPS validator tool detects which TLS version the server negotiates.

# TLS 1.2 vs TLS 1.3 Comparison:

TLS 1.2:
  Round trips: 2 (ClientHello → ServerHello → KeyExchange → Finished)
  Cipher suites: 37+ (including legacy)
  Key exchange: RSA, DHE, ECDHE
  Vulnerabilities: POODLE, BEAST (if misconfigured)

TLS 1.3:
  Round trips: 1 (+ 0-RTT resumption)
  Cipher suites: 5 (all modern, secure)
  Key exchange: ECDHE only (forward secrecy mandatory)
  Removed: RC4, DES, 3DES, static RSA, MD5, SHA-1

# Check your server's TLS version with our SSL Checker above

If your server only supports TLS 1.0 or TLS 1.1, modern browsers will block the connection entirely — both protocols were deprecated in 2020. Check your server's TLS configuration with our tool and verify your headers with our HTTP Headers Analyzer for complete security posture assessment.

Certificate Types Explained: DV, OV, EV, Wildcard, and SAN

All SSL certificates provide the same level of encryption, but they differ in identity validation depth. Our SSL checker online reveals the certificate type through the issuer and subject fields.

Domain Validated (DV) Certificates

DV certificates verify only that you control the domain — typically through DNS or HTTP file validation. Let's Encrypt exclusively issues DV certificates, which is why they are free. DV certificates are perfectly secure for encryption but do not prove organizational identity. Our tool detects Let's Encrypt validation automatically.

Organization Validated (OV) Certificates

OV certificates require the CA to verify your organization's legal existence before issuance. The organization name appears in the certificate's subject field. OV provides stronger trust signals for business websites.

Extended Validation (EV) Certificates

EV certificates require the most rigorous identity verification including legal entity checks, physical address verification, and operational existence confirmation. While browsers no longer show the green address bar for EV, the certificate itself carries maximum trust.

Wildcard SSL and SAN Certificates

A wildcard SSL certificate uses an asterisk (*.example.com) to cover all subdomains at one level. Our tool detects wildcards by scanning SAN (subject alternative name) entries for asterisk patterns. SAN certificates can cover multiple completely different domain names on a single certificate — commonly used for organizations managing multiple brands. Generate strong credentials for your certificate management with our Password Generator.

| Type | Validation | Issuance Time | Cost | Best For |
| --- | --- | --- | --- | --- |
| DV | Domain control only | Minutes | Free (Let's Encrypt) | Blogs, personal sites |
| OV | Organization verified | 1-3 days | $50-200/yr | Business websites |
| EV | Full legal verification | 3-7 days | $100-500/yr | Banks, e-commerce |
| Wildcard | DV or OV + subdomains | Minutes-days | Free-$300/yr | Multi-subdomain sites |
| SAN/UCC | Multiple domains | 1-3 days | $100-400/yr | Multi-brand orgs |

How to Fix "SSL Certificate Not Trusted" Error in 2026

The "connection not private" or "SSL certificate not trusted" error is the most common SSL problem webmasters face. Our SSL checker online helps you diagnose the exact cause. Here are the primary reasons and their fixes.

1. Missing Intermediate Certificates

This is the most frequent cause, especially on mobile devices. Your server must serve the complete certificate chain: leaf certificate → intermediate certificate(s) → Root CA. Desktop browsers sometimes cache intermediates from previous visits, but mobile browsers require the full chain every time. This is why your site shows as secure on desktop but insecure on mobile.

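# Fix for Nginx (shell: concatenate certs, leaf certificate first):
cat your_domain.crt intermediate.crt > combined.crt

# Then point the Nginx server block at the combined file:
ssl_certificate /etc/nginx/ssl/combined.crt;
ssl_certificate_key /etc/nginx/ssl/your_domain.key;

# Fix for Apache:
# (Apache 2.4.8+ can instead load the intermediates from SSLCertificateFile;
#  SSLCertificateChainFile is obsolete there but still accepted.)
SSLCertificateFile /etc/ssl/your_domain.crt
SSLCertificateChainFile /etc/ssl/intermediate.crt
SSLCertificateKeyFile /etc/ssl/your_domain.key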

2. Expired Certificate Warning

Let's Encrypt certificates expire every 90 days. Commercial certificates typically last 1 year. Our SSL expiry checker shows the exact days remaining with color-coded warnings. Set up auto-renewal via the ACME protocol (Certbot) to prevent expiry.

3. Mismatched Common Name or Missing SAN

If your certificate is issued for "www.example.com" but users visit "example.com" (or vice versa), the browser shows an error. Modern certificates should include both versions in the SAN field. Use our online SSL chain tester to check what domains your SAN covers.

4. Mixed Content Errors

Mixed content occurs when an HTTPS page loads resources (images, scripts, stylesheets) over plain HTTP. The browser blocks these insecure requests, breaking page functionality. Fix by updating all resource URLs to HTTPS. Check your redirects with our Redirect Checker to ensure HTTP-to-HTTPS redirection is configured.

Mobile-Specific Issue: If your SSL works on desktop but shows "insecure" on mobile, the problem is almost always missing intermediate certificates. Run our SSL certificate test and check the "Certificate Chain" section — if it shows only 1 certificate, your intermediates are missing.

Free Tool to Check SSL Certificate Expiration Date Online

Certificate expiration is the single most common cause of SSL outages. Our SSL expiry checker provides an instant countdown showing exactly how many days remain before your certificate needs renewal.

Let's Encrypt: 90-Day Expiration Cycle

Let's Encrypt certificates expire every 90 days by design — shorter lifetimes reduce the risk window if a private key is compromised. The trade-off is more frequent renewals, which should always be automated via Certbot or your hosting panel's built-in ACME client. Our tool is the best free SSL checker for Let's Encrypt certificates because it automatically detects the Let's Encrypt issuer and flags the 90-day cycle.

Commercial Certificates: 1-Year Maximum

Since September 2020, the CA/Browser Forum limited all public SSL certificates to a maximum 398-day (approximately 13-month) validity. This means even expensive EV certificates must be renewed annually. Our tool's color-coded expiry system makes monitoring effortless: green for 30+ days remaining, amber for under 30 days, and red for expired.

Keep your server secure by checking both your SSL configuration and open ports. Use our Port Scanner to verify that only port 443 (HTTPS) is open and port 80 (HTTP) properly redirects to HTTPS.

Certificate Chain, OCSP Stapling, and SSL Security Deep Dive

A valid certificate alone is not enough for full SSL security. The complete certificate chain, revocation checking via OCSP, and modern cipher selection all contribute to a secure implementation.

The Certificate Chain of Trust

Every SSL certificate forms a chain: your website's leaf certificate was signed by an intermediate CA, which was signed by a Root CA. Browsers come pre-loaded with trusted Root CAs (about 150 in most browsers). Our online SSL chain tester shows the full chain depth and identifies each certificate in the chain. If the chain is incomplete (missing intermediates), mobile browsers will reject the connection.

OCSP Stapling: Real-Time Revocation

OCSP (Online Certificate Status Protocol) stapling allows the server to include a time-stamped OCSP response during the TLS handshake, proving the certificate has not been revoked. Without OCSP stapling, the client must contact the CA's OCSP responder directly — adding latency and creating a privacy concern. Our tool detects whether your certificate has an OCSP URI configured.

SHA-256 and Key Strength

Modern certificates must use SHA-256 (or stronger) signature algorithms. SHA-1 certificates have been untrusted since 2017. For key strength, 2048-bit RSA is the minimum standard, while ECC (Elliptic Curve Cryptography) keys provide equivalent security at smaller key sizes (256-bit ECC ≈ 3072-bit RSA). Our tool shows both the signature algorithm and key specifications. Learn more about cryptographic concepts in our Hash Generator which demonstrates SHA-256 hashing.

Security Tip: Enable OCSP stapling on your server for faster handshakes and improved privacy. For Nginx add ssl_stapling on; and ssl_stapling_verify on; to your server block. For Apache add SSLUseStapling On to your virtual host configuration.

Check If Website Supports TLS 1.3 and Advanced Ciphers

Our HTTPS validator tool detects the TLS version negotiated during the handshake and shows the specific cipher suite used. Modern websites should support TLS 1.3 for maximum performance and security.

Why TLS 1.3 Matters

TLS 1.3 is significantly faster (one fewer round trip), more secure (removed all legacy insecure ciphers), and supports mandatory forward secrecy — meaning if your server's private key is compromised in the future, past sessions remain encrypted. All major browsers, CDNs (Cloudflare, AWS CloudFront), and web servers (Nginx 1.13+, Apache 2.4.36+) support TLS 1.3.

Vulnerability Context: Heartbleed and POODLE

Heartbleed (CVE-2014-0160) was a catastrophic OpenSSL vulnerability that allowed attackers to read server memory including private keys. POODLE attacked the SSL 3.0 protocol allowing encrypted data decryption. Both vulnerabilities are mitigated by using TLS 1.2+ and keeping OpenSSL updated. Our SSL checker online verifies your server negotiates modern protocols. For additional security layer analysis, check your browser's fingerprint with our JA3 Fingerprint Tool which analyzes TLS client fingerprinting.

How to Find Which CA Issued an SSL Certificate

Our SSL checker online shows the Certificate Authority (CA) in the "Issuer Organization" and "Issuer CN" fields. The CA is the trusted third party that verified the domain owner's identity and digitally signed the certificate.

Major Certificate Authorities in 2026

  • Let's Encrypt (ISRG): The world's largest CA by volume, issuing free DV certificates. Our tool detects Let's Encrypt issuer identifiers (R3, R10, R11, E5, E6) automatically.
  • DigiCert: Premium CA used by major enterprises, banks, and government websites. Offers DV, OV, and EV certificates.
  • Sectigo (formerly Comodo): One of the largest commercial CAs, popular for OV and wildcard certificates.
  • GlobalSign: Enterprise-focused CA with strong presence in European and Asian markets.
  • Google Trust Services: Google's own CA, increasingly used for Google properties and Cloud customers.

The CA shown in the SSL checker results matters for trust assessments. A website using a respected CA with a proper chain signals legitimacy, while self-signed certificates or obscure CAs can indicate phishing sites. Cross-reference SSL data with our WHOIS Lookup for complete domain intelligence.

Online Tool to Verify SSL Installation on Nginx and Apache

After installing an SSL certificate on your web server, use our SSL checker online to verify the installation is correct. Here are the common configuration patterns and how to verify them.

Nginx SSL Configuration Verification

# Nginx SSL configuration block:
server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate /etc/nginx/ssl/combined.crt;
    ssl_certificate_key /etc/nginx/ssl/private.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers on;

    ssl_stapling on;
    ssl_stapling_verify on;
}

Apache SSL Configuration Verification

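# Apache SSL VirtualHost:

# OCSP stapling needs a stapling cache, declared at server level
# (outside the VirtualHost); Apache will not start with SSLUseStapling On
# and no cache configured.
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

<VirtualHost *:443>
    ServerName example.com

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key
    SSLCertificateChainFile /etc/ssl/certs/intermediate.crt

    # Allow only TLS 1.2 and newer
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLUseStapling On
</VirtualHost>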

After saving your configuration and restarting the server, run our SSL certificate test to confirm: the correct domain appears in Common Name and SAN, the chain shows 2-3 certificates (leaf + intermediate + root), TLS 1.2 or 1.3 is negotiated, and the grade is A or A+. Check your server's reachability with our Ping Test Tool and verify DNS is pointing correctly with our DNS Lookup Tool.

Complete SSL Security Audit Checklist

Use this comprehensive checklist to audit your website's SSL/TLS implementation with our website security certificate checker.

  • Step 1: Run an SSL certificate test above and verify the grade is A or A+.
  • Step 2: Confirm the CA is a trusted authority (Let's Encrypt, DigiCert, Sectigo, GlobalSign).
  • Step 3: Check the expiration date — renew if under 30 days remaining. Set up auto-renewal.
  • Step 4: Verify SAN entries include both yourdomain.com and www.yourdomain.com.
  • Step 5: Confirm the certificate chain is complete (2-3 certificates including intermediates).
  • Step 6: Ensure the server negotiates TLS 1.2 or TLS 1.3 — disable TLS 1.0 and 1.1.
  • Step 7: Verify the signature uses SHA-256 or stronger (not SHA-1 or MD5).
  • Step 8: Confirm key strength: 2048-bit RSA minimum or 256-bit ECC.
  • Step 9: Check HTTP-to-HTTPS redirects are configured (301 permanent).
  • Step 10: Verify server security headers with our Headers Analyzer (HSTS, CSP, X-Frame-Options).
  • Step 11: Check your IP against IP Blacklists for reputation issues.
  • Step 12: Test email SSL with our Email Verification Tool for SMTP TLS support.
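
Several of these steps (issuer, expiry, SAN coverage, TLS version) can be scripted with Python's standard `ssl` module. The following is an added example, not the tool's own code; the function names and the sample certificate are constructed for illustration, and the sample uses the dict layout returned by `SSLSocket.getpeercert()`.

```python
import socket
import ssl

# Constructed sample in the dict layout returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R11"),)),
    "notAfter": "Mar 15 12:00:00 2026 GMT",
    "subjectAltName": (("DNS", "*.example.com"),),
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Mar  1 12:00:00 2026 GMT")  # fixed clock


def fetch_peer_info(host, port=443, timeout=5.0):
    """Live handshake on port 443; returns (cert dict, negotiated TLS version).

    The default context verifies chain and hostname, so an expired or
    untrusted certificate raises ssl.SSLCertVerificationError here.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version()


def issuer_field(cert, key):
    """Look up one attribute (e.g. organizationName) in the issuer name."""
    for rdn in cert.get("issuer", ()):
        for name, value in rdn:
            if name == key:
                return value
    return None


def san_covers(pattern, host):
    """True if a SAN DNS entry covers host; '*' matches exactly one label."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == pattern[2:]
    return pattern == host


def expiry_status(days):
    """The page's colour scheme: red = expired, amber = under 30 days."""
    return "red" if days < 0 else "amber" if days < 30 else "green"


def audit(cert, tls_version, hosts, now):
    """Checklist steps 2, 3, 4 and 6 for one certificate and a host list."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    days = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    return {
        "issuer_org": issuer_field(cert, "organizationName"),
        "issuer_cn": issuer_field(cert, "commonName"),
        "days_remaining": days,
        "expiry": expiry_status(days),
        "wildcards": [p for p in sans if p.startswith("*.")],
        "uncovered": [h for h in hosts
                      if not any(san_covers(p, h) for p in sans)],
        "tls_ok": tls_version in ("TLSv1.2", "TLSv1.3"),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CERT, "TLSv1.3",
                ["example.com", "www.example.com"], SAMPLE_NOW))
```

On the sample, a certificate whose only SAN is `*.example.com` leaves the bare `example.com` uncovered, which is the mismatch Step 4 is meant to catch. For a live check, pass the result of `fetch_peer_info(host)` and `time.time()` to `audit`.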

Best Practice: Run a full SSL audit monthly, after any server migration, after certificate renewal, and after web server software updates. SSL misconfigurations are the second most common cause of website security warnings after expired certificates.

Frequently Asked Questions About SSL Certificate Testing

What is an SSL checker and how does it work?

An SSL checker online performs a TLS handshake on port 443 to retrieve a website's X.509 certificate. It displays the issuing CA, expiry date, SHA-256 fingerprint, key type (RSA or ECC), SAN entries, certificate chain depth, and TLS version. Our tool grades SSL health from A+ to F.

How to check SSL certificate expiration date online for free?

Enter any domain in our free SSL expiry checker above. It shows valid-from and valid-to dates with a color-coded countdown. Under 30 days shows amber, expired shows red. Let's Encrypt certificates expire every 90 days — automate renewal with Certbot.

How to fix "SSL certificate not trusted" error?

Most common cause: missing intermediate certificates. For Nginx, concatenate your leaf and intermediate certs into one file. For Apache, use SSLCertificateChainFile. Also check for expired certificates, mismatched CN/SAN, and self-signed certs. Our online SSL chain tester identifies missing chain links.

What is the difference between TLS 1.2 and TLS 1.3?

TLS 1.3 is faster (1 round trip vs 2), more secure (removed legacy ciphers like RC4 and DES), and mandates forward secrecy. It supports 0-RTT resumption for returning visitors. Our tool detects which version your server negotiates.

Why is my SSL certificate showing as insecure on mobile?

Mobile browsers require the complete certificate chain every time — unlike desktop browsers which may cache intermediate certificates from previous visits. Run our SSL certificate test and check the chain section. If it shows only 1 certificate, your intermediates are missing from the server configuration.

How to find which CA issued an SSL certificate?

Our SSL checker online shows the Certificate Authority in the "Issuer Organization" and "Issuer CN" fields — such as Let's Encrypt, DigiCert, Sectigo, or GlobalSign. The full certificate chain shows the hierarchy from leaf cert through intermediate to Root CA.

What is a wildcard SSL certificate?

A wildcard SSL certificate uses *.example.com in the SAN to cover all subdomains at one level. Our tool detects wildcards automatically. Wildcards do NOT cover sub-subdomains — *.example.com covers blog.example.com but not dev.blog.example.com.

How to verify SSL installation on Nginx and Apache?

Run our SSL certificate test after installation. For Nginx, ensure ssl_certificate contains both leaf and intermediate certs concatenated. For Apache, set SSLCertificateChainFile for intermediates. Verify the chain shows 2-3 certificates and the grade is A or A+.
