SSL Certificate Checker: How to Verify HTTPS in 2026
An SSL certificate checker is the fastest way to confirm that your site's HTTPS is working — but it's also one of the most misunderstood tools in web security. A passing certificate check doesn't mean your TLS is strong, your traffic is safe, or your visitors are protected. It just means a few specific things are correct.
This guide explains what an SSL certificate checker actually verifies, the most common errors it surfaces, the free tools worth using, and the deeper checks that go beyond the certificate itself. By the end, you'll be able to diagnose any HTTPS issue in minutes and understand why a green padlock isn't the whole security story.
If you've ever seen "Your connection is not private" and panicked, or you just want to make sure your site won't surprise users with a certificate warning, start here.
Want to check your site right now? Run a free ZeriFlow scan in 60 seconds →
What an SSL Certificate Checker Actually Verifies
An SSL certificate checker (more accurately, a TLS certificate checker — SSL has been deprecated for years, but the name stuck) inspects the digital certificate your server presents to browsers. The core checks include:
- Validity period — Is the certificate within its
notBeforeandnotAfterdates? - Domain match — Does the certificate's Common Name or Subject Alternative Name list the domain you're visiting?
- Issuer trust — Is it signed by a Certificate Authority your browser trusts?
- Chain completeness — Are all intermediate certificates served by the host?
- Key strength — Is the public key 2048-bit RSA minimum or modern ECDSA?
- Signature algorithm — Is it SHA-256 or stronger (no MD5, SHA-1)?
- Revocation status — Has it been revoked via OCSP or CRL?
A good SSL checker returns these as a structured report. A great one tells you what to do when something fails.
Common SSL Certificate Errors and What They Mean
When a certificate check fails, the error usually falls into one of these categories:
### NET::ERR_CERT_DATE_INVALID Your certificate is expired or not yet valid. Renew immediately. Set up auto-renewal (Let's Encrypt + certbot, or your hosting provider's automation) to prevent recurrence.
### NET::ERR_CERT_COMMON_NAME_INVALID
The certificate is for a different domain than the one being visited. Common when you forget to add www.example.com and example.com both, or when you migrate domains.
### NET::ERR_CERT_AUTHORITY_INVALID The certificate is signed by a CA the browser doesn't trust, or it's self-signed. For production, get a free Let's Encrypt certificate or use your CDN's SSL.
### NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM Your certificate uses SHA-1 or MD5. These have been deprecated for years. Reissue with SHA-256.
### Mixed content warnings
The certificate is fine, but your page loads HTTP resources (images, scripts) over the HTTPS page. Browsers either block these or warn users. Fix by changing all internal references to https:// or protocol-relative URLs.
### Incomplete certificate chain
Your server serves the leaf certificate but forgets the intermediate. Browsers compensate, but mobile apps and older clients won't. Test with openssl s_client -connect yourdomain.com:443 -showcerts.
How to Check an SSL Certificate Manually
You don't always need a web tool. From any terminal:
# Check expiry and basic info
echo | openssl s_client -servername yourdomain.com -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates -subject -issuer
# Full certificate dump
echo | openssl s_client -servername yourdomain.com -connect yourdomain.com:443 -showcerts 2>/dev/null
# Check supported TLS versions
nmap --script ssl-enum-ciphers -p 443 yourdomain.comThese three commands cover 90% of SSL debugging. They're also scriptable, so you can build them into a deploy hook or monitoring cron.
For a faster check from your browser, click the padlock icon, then "Connection is secure" → "Certificate is valid" in Chrome, or the equivalent in your browser.
The Best Free SSL Certificate Checkers
Different tools serve different purposes. Here's how the main free options stack up:
### Browser inspection Fastest. Click the padlock. Useful for spot checks. No depth on TLS configuration.
### SSL Labs (Qualys SSL Server Test) The deepest free TLS audit available. Tests every cipher, every protocol, every handshake quirk. Returns a letter grade. Slow (2-5 minutes), but worth it for periodic deep audits.
### ZeriFlow Includes a full SSL/TLS check as part of an 80+ point security scan. Fast (60 seconds), grades certificate health alongside headers, cookies, and vulnerabilities. Best when you want SSL plus everything else in one report.
### crt.sh A certificate transparency search engine. Type your domain and see every certificate ever issued for it. Useful for spotting unauthorized certificates issued by attackers or misconfigured services.
### testssl.sh A command-line tool that performs SSL Labs-quality testing locally. Free, scriptable, no API limits. The pro choice for automation.
For most people, the right combo is: browser inspection for daily checks, SSL Labs once a quarter, and a comprehensive scanner like ZeriFlow weekly to catch drift across the full security surface.
Why Just Checking the Certificate Isn't Enough
A valid certificate is necessary but not sufficient. Real-world TLS security depends on the configuration around it. Things an SSL certificate checker often misses:
### Weak protocol versions If your server still accepts TLS 1.0 or 1.1, attackers can downgrade connections. Modern servers should only accept TLS 1.2 and 1.3.
### Weak cipher suites RC4, 3DES, export-grade ciphers, and CBC-mode without modern protections are all exploitable. Your cipher list should be lean and modern.
### Missing HSTS Without HSTS (Strict-Transport-Security), the first visit to your site can be hijacked into HTTP, even if HTTPS is configured. HSTS tells browsers to always use HTTPS for your domain.
### Missing CAA records Certificate Authority Authorization (CAA) DNS records limit which CAs can issue certificates for your domain. Without it, any CA can issue a certificate, expanding your attack surface.
### Mixed content A perfect certificate doesn't help if your page loads scripts over plain HTTP. Browsers block this, but the warnings still hurt user trust.
### Cookie security
Cookies sent over HTTPS without the Secure flag can leak over HTTP if a user is tricked into a downgrade. Your TLS doesn't protect cookies that aren't marked correctly.
A comprehensive scanner checks all of these. ZeriFlow's free scan looks at your TLS configuration, certificate, headers, cookies, and DNS together — because in practice they all break or pass together.
For deeper guidance, see our SSL/TLS configuration guide and HTTP security headers guide.
Setting Up Certificate Monitoring
The worst SSL incidents happen when a certificate expires unnoticed. Set up monitoring once and forget it:
- Auto-renewal — Let's Encrypt + certbot or acme.sh handles 90-day renewals automatically.
- Expiry alerts — Most monitoring tools (Uptime Robot, Better Uptime, ZeriFlow) send 30/14/7-day expiry warnings.
- CT log monitoring — Subscribe to Certificate Transparency log alerts for your domain via crt.sh or a service like Cert Spotter. You'll know immediately if anyone issues a cert for your domain.
- Automated weekly scans — Catch certificate drift, configuration changes, and weak ciphers introduced by infrastructure updates.
FAQ
### Q: How do I check if my SSL certificate is valid?
Open your site in Chrome, click the padlock, and select "Certificate is valid". For a deeper check, run openssl s_client -connect yourdomain.com:443 from your terminal, or use a free tool like SSL Labs or ZeriFlow.
### Q: What's the difference between SSL and TLS? SSL is the legacy name; TLS is the current protocol. SSL versions (1.0-3.0) are all deprecated and insecure. TLS 1.2 and 1.3 are the modern standards. The term "SSL certificate" is still used colloquially, but the underlying technology is TLS.
### Q: Why does my certificate work in Chrome but fail in mobile apps? Almost always an incomplete certificate chain. Browsers fetch missing intermediates automatically; mobile apps usually don't. Reconfigure your server to serve the full chain (leaf + intermediates).
### Q: How long does an SSL certificate last? Public CA certificates are now capped at 398 days. Let's Encrypt certificates are 90 days, designed for automatic renewal. Internal CA certificates can last longer but should be rotated regularly anyway.
### Q: Is a free SSL certificate as secure as a paid one? Cryptographically, yes — a Let's Encrypt certificate provides identical encryption to a $500 paid certificate. Paid certificates differ in validation level (DV vs OV vs EV), warranty, and support, but not in transport security. For most sites, free is the right choice.
Conclusion
An SSL certificate checker is the right starting point for HTTPS verification, but it's only the first step. A passing certificate check confirms validity, domain match, and chain — not protocol strength, not cipher quality, and definitely not the security of your headers, cookies, or DNS configuration.
The complete check: verify your certificate with a basic SSL checker, do a deep TLS audit quarterly with SSL Labs, and run a comprehensive security scanner regularly to catch the configuration issues that live around your certificate.
Start your free security scan on ZeriFlow → — TLS, certificates, headers, cookies, and 80+ other checks in 60 seconds. The free plan covers single-domain scans, and you'll get a clear report telling you exactly what to fix first.