How to Check an SSL Certificate
Four ways to check any website's SSL certificate: browser inspection, online tools, command line, and monitoring. Plus a comparison of free SSL checker tools.
Something feels off with your site. Maybe a customer complained about a security warning, or you just deployed a new certificate and want to confirm it's working. Either way, you need to check your SSL certificate, and you need to know what you're actually looking at.
Here are four ways to do it, from the quickest to the most thorough.
Method 1: Check SSL in Your Browser
The fastest way to check any SSL certificate is the one you already have open: your browser.
Look for the padlock icon
In the address bar, click the padlock icon (or the "tune" icon in newer Chrome versions) to the left of the URL. If there's no padlock or you see a warning triangle, the certificate has a problem.
Click 'Connection is secure'
This confirms the site has a valid certificate. Click it to see more details.
View the certificate
Click "Certificate is valid" to open the certificate viewer. You'll see the issuer, validity dates, and the domains it covers.
This works in Chrome, Firefox, Edge, and Safari, though the exact clicks differ slightly. It's great for a quick spot-check, but it only tells you about the certificate right now -- it won't warn you before it expires.
Method 2: Use an Online SSL Checker Tool
Online tools give you more detail without installing anything. Paste in a domain and get a full report.
Popular free SSL checkers:
- Qualys SSL Labs (ssllabs.com/ssltest) -- The gold standard. Tests certificate validity, chain completeness, protocol support, cipher suites, and known vulnerabilities. Gives you a letter grade (A through F). Thorough but slow (takes 1-2 minutes).
- SSLShopper SSL Checker (sslshopper.com/ssl-checker.html) -- Fast, shows the certificate chain visually. Good for quick chain debugging.
- SSL Labs by Comodo/Sectigo -- Similar to SSLShopper, focused on basic validity checks.
These tools are excellent for one-off checks. The downside: you have to remember to check. Nobody bookmarks an SSL checker and visits it weekly.
Method 3: Check SSL with OpenSSL (Command Line)
If you're comfortable with the terminal, OpenSSL gives you the most control. It's pre-installed on most Linux and macOS systems.
Connect and view the certificate:
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -text
Check just the expiry dates:
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates
This outputs:
notBefore=Jan 15 00:00:00 2025 GMT
notAfter=Apr 15 23:59:59 2025 GMT
Check the certificate chain:
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null
The -servername flag matters
Without -servername, OpenSSL won't send the SNI (Server Name Indication) extension in the TLS handshake. On servers hosting multiple sites, you'll get the wrong certificate. Always include it.
OpenSSL is powerful but manual. You're not going to SSH into a server every morning to run certificate checks. That's where monitoring comes in.
Method 4: SSL Monitoring Tools
Monitoring tools check your certificates continuously and alert you before something breaks. This is the approach that actually prevents outages.
A good SSL monitoring tool will:
- Check certificates on a schedule
- Alert before expiry
- Verify the full chain
- Monitor multiple domains
This is the only method that works proactively. Browser checks, online tools, and OpenSSL all tell you the current state. Monitoring tells you about the future state.
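A sketch of one monitoring probe, added here as an example (it is not code from the article or from any monitoring product). It uses Python's ssl module rather than the openssl CLI; the 30-day threshold, the function names and the domain list are assumptions.

```python
import socket
import ssl
import time

WARN_DAYS = 30  # assumed alert threshold; match it to your renewal process


def fetch_cert(host, port=443, timeout=10):
    """TLS handshake with SNI. The default context verifies the chain and
    the hostname, so a broken chain or name mismatch raises an error."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def evaluate(cert, now=None, warn_days=WARN_DAYS):
    """Classify a getpeercert() dict as ok / expiring / expired."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((not_after - now) // 86400)
    if not_after <= now:
        return "expired", days_left
    if days_left < warn_days:
        return "expiring", days_left
    return "ok", days_left


def check(host):
    """One monitoring probe: returns (host, status, detail)."""
    try:
        status, days = evaluate(fetch_cert(host))
        return host, status, f"{days} days left"
    except ssl.SSLCertVerificationError as exc:
        # Untrusted or incomplete chain, wrong hostname, already expired
        return host, "invalid", exc.verify_message
    except OSError as exc:  # DNS failure, refused connection, timeout
        return host, "unreachable", str(exc)


if __name__ == "__main__":
    # Placeholder domain list; run this from cron or a CI schedule.
    for result in map(check, ["example.com", "www.example.com"]):
        print(*result, sep="\t")
```

Anything other than "ok" is what the alerting side should act on; an already-expired certificate surfaces as "invalid" because verification fails during the handshake.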
Understanding Certificate Fields
When you check a certificate, you'll see several fields. Here's what matters:
- Subject / Common Name (CN): The domain the certificate was issued for. On modern certificates, the Subject Alternative Names (SANs) field is more important.
- Issuer: The Certificate Authority (CA) that issued it. Common ones: Let's Encrypt, DigiCert, Sectigo, Google Trust Services.
- Validity (Not Before / Not After): When the certificate became valid and when it expires. Let's Encrypt certificates are valid for 90 days. Commercial certificates are typically 1 year.
- Subject Alternative Names (SANs): All the domains and subdomains covered by this certificate. A cert for example.com might also cover www.example.com, api.example.com, etc.
- Signature Algorithm: Should be SHA-256 or better. If you see SHA-1, you have a problem.
- Key Size: RSA 2048-bit or ECDSA 256-bit are the current minimums. Anything less is insecure.
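An added example (not from the original article) that applies these rules to the text printed by the `openssl x509 -noout -text` command from Method 3. The sample text is constructed, the function names are hypothetical, and any key that is not EC is treated as RSA.

```python
import re

# Constructed sample in the layout printed by `openssl x509 -noout -text`
# (abridged; not a real certificate).
SAMPLE_TEXT = """\
Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example Test CA
        Validity
            Not Before: Jan 15 00:00:00 2025 GMT
            Not After : Apr 15 23:59:59 2025 GMT
        Subject: CN = example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:*.example.com
"""


def covers(san, host):
    """Exact match, or a wildcard that stands in for exactly one label."""
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:].lower()
    return san.lower() == host


def audit(text, host):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text).group(1)
    if re.search(r"sha1|md5", sig, re.I):
        findings.append(f"weak signature algorithm: {sig}")
    key_alg = re.search(r"Public Key Algorithm:\s*(\S+)", text).group(1)
    bits = int(re.search(r"Public-Key:\s*\((\d+) bit\)", text).group(1))
    # Assumption: everything that is not an EC key is held to the RSA minimum.
    minimum = 256 if key_alg == "id-ecPublicKey" else 2048
    if bits < minimum:
        findings.append(f"key too small: {key_alg} {bits} bit")
    sans = re.findall(r"DNS:([^,\s]+)", text)
    if not any(covers(s, host.lower()) for s in sans):
        findings.append(f"{host} not in SANs: {sans}")
    return findings
```

Note that the wildcard entry covers api.example.com but not a.b.example.com or the bare example.com, which is why the bare domain needs its own SAN.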
Comparing SSL Checker Methods
| Method | Speed | Detail Level | Proactive Alerts | Best For |
|---|---|---|---|---|
| Browser inspection | Instant | Basic | No | Quick spot-checks |
| Online tools (SSL Labs) | 1-2 min | Comprehensive | No | Security audits, grading |
| OpenSSL CLI | Instant | Full control | No | DevOps, scripting, debugging |
| SSL monitoring | Continuous | Configurable | Yes | Production sites, teams |
Which Method Should You Use?
Use all of them -- but at different times.
For a quick check: Open the site in your browser and click the padlock. Takes 5 seconds.
For a thorough audit: Run it through Qualys SSL Labs. Check your grade, fix any issues.
For debugging: Use OpenSSL. It gives you the raw data you need to diagnose chain issues, protocol mismatches, and SNI problems.
For ongoing peace of mind: Set up monitoring. Check the other three only when something goes wrong -- which monitoring will tell you about first.
The real danger isn't a certificate that's broken today. It's the certificate that expires next Tuesday while your team is focused on a product launch. Monitoring solves that problem. Everything else is reactive.
The best SSL check is the one that happens before you need it.