How to Check an SSL Certificate

Guide to SSL certificates — what to check, how to read the chain, common errors and how to avoid expiry.

What Is an SSL Certificate?

An SSL/TLS certificate is a digital file that verifies the identity of a domain and enables encrypted communication between browser and server. Without a valid SSL certificate, browsers display a "Not Secure" warning and Google treats the site negatively in its ranking.

An SSL certificate contains:

  • The domain name it covers
  • The organisation/authority that issued it (Certificate Authority — CA)
  • Issue and expiry dates
  • Public encryption key
  • Digital signature of the CA

SSL vs TLS — what's the difference?

Technically "SSL" is outdated — we use TLS 1.2 or TLS 1.3 today. But the term "SSL" has stuck as a synonym. If your server only supports TLS 1.0/1.1, it is considered weak — modern browsers require TLS 1.2+.

What to Check in an SSL Certificate

1. Expiry Date

The most common cause of SSL issues. Modern certificates last 90 days (Let's Encrypt) or 1 year (commercial). An expired certificate immediately causes a browser error — nobody can access the site.

⚠️ Warning: If you use Let's Encrypt, the automatic renewal (certbot/acme) can fail silently. Check the expiry date every month or set up monitoring.

2. Domain Coverage

The certificate must cover exactly the domain you are using:

  • example.com — covers only the apex domain
  • *.example.com — wildcard, covers all subdomains (but not the apex)
  • SAN (Subject Alternative Names) — one certificate for multiple domains

3. Certificate Chain

Trust in an SSL certificate is based on a chain: Root CA → Intermediate CA → Leaf certificate. If the Intermediate CA is missing from the server, some browsers (especially mobile) will show an error even if the certificate itself is valid.

4. Issuer

Check which CA issued the certificate. Known CAs: Let's Encrypt, DigiCert, Sectigo, GlobalSign, ZeroSSL. A self-signed certificate always shows a browser warning.
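
Checks 1 to 4 applied to the dictionary that Python's ssl.SSLSocket.getpeercert() returns, as an added example that is not part of the original guide. The function names and the sample certificate are constructed for illustration, and the 30-day warning threshold is an assumption. The name matcher treats a wildcard as exactly one label, so *.example.com covers neither the apex nor a.b.example.com.

```python
import socket, ssl, time

def name_matches(pattern, host):
    """'*' is honoured only as the whole leftmost label and spans exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):            # *.example.com: not example.com, not a.b.example.com
        return False
    return p[0] in ("*", h[0]) and p[1:] == h[1:]

def covered(cert, host):
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(name_matches(s, host) for s in sans)

def days_left(cert, now=None):
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)

def issuer_name(cert):
    fields = dict(rdn[0] for rdn in cert.get("issuer", ()))
    return fields.get("organizationName") or fields.get("commonName", "unknown")

def assess(cert, host, now=None, warn_days=30):
    findings = []                   # empty list: nothing to act on
    left = days_left(cert, now)
    if left < 0:
        findings.append("expired")
    elif left < warn_days:
        findings.append("expires in %d days" % left)
    if not covered(cert, host):
        findings.append("name not covered")
    if cert.get("issuer") == cert.get("subject"):
        findings.append("self-signed")
    return findings

def fetch_cert(host, port=443, timeout=5):
    """Live fetch; a bad chain, name or date raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample in the shape getpeercert() returns (not a real certificate)
SAMPLE = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "E1"),)),
    "notAfter": "Jun 15 12:00:00 2030 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
```

Python's default context does not download missing intermediates, so fetch_cert fails on an incomplete chain in the same way the stricter clients described in check 3 do.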

5. HSTS (HTTP Strict Transport Security)

HSTS is an HTTP header that tells the browser to use HTTPS ONLY for your domain for a set number of days — even if the user types http://. This eliminates SSL stripping attacks.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

6. Mixed Content

If your page uses HTTPS but loads assets (images, scripts) over HTTP, browsers display a warning. These assets are called "mixed content" and can prevent scripts from running.

Types of SSL Certificates

| Type | What is verified | Cost | For whom |
|------|------------------|------|----------|
| DV (Domain Validation) | Domain only | Free – €30 | Most sites, blogs, apps |
| OV (Organization Validation) | Domain + organisation | €50–€200 | Corporate sites, e-commerce |
| EV (Extended Validation) | Full verification | €100–€500 | Banks, government agencies |
| Wildcard | Domain + all subdomains | €100–€400 | Sites with many subdomains |
| Multi-Domain (SAN) | Multiple different domains | €100–€300 | Companies with multiple domains |

Installing Let's Encrypt with Certbot

Let's Encrypt provides free, automatically renewing DV certificates. Certbot handles everything automatically:

# Ubuntu/Debian with Apache
sudo apt install certbot python3-certbot-apache
sudo certbot --apache -d example.com -d www.example.com

# Ubuntu/Debian with Nginx
sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d example.com -d www.example.com

# Test automatic renewal
sudo certbot renew --dry-run

Certbot automatically adds a cron job for renewal. If you use Plesk or cPanel, certificate management is done from the control panel.

Common SSL Errors and Solutions

ERR_CERT_DATE_INVALID / "Certificate has expired"

The certificate has expired. Renew it immediately. For Let's Encrypt: run certbot renew. For commercial: purchase a new one or renew through your registrar/hosting provider.

ERR_CERT_COMMON_NAME_INVALID / "Certificate does not match"

The domain you are visiting is not listed in the certificate. Cause: you have a certificate for example.com but are visiting www.example.com (or vice versa). Solution: use a wildcard or SAN certificate.

ERR_CERT_AUTHORITY_INVALID / "Not trusted"

The certificate chain is incomplete or the certificate is self-signed. Make sure your server sends the intermediate certificate along with the leaf certificate.

Mixed Content Warning

Search your code for hardcoded http:// URLs. For WordPress: use the "Really Simple SSL" plugin. In general: add an HSTS header once all mixed content is fixed.
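
One way to search rendered HTML for hardcoded http:// subresources, as an added example that is not part of the original guide. The class and function names and the sample page are constructed, and the active/passive split is a simplified assumption about how browsers treat each tag. Plain links (a href) are navigation rather than mixed content, so they are not reported.

```python
from html.parser import HTMLParser

ACTIVE = {"script", "iframe", "embed"}            # typically blocked outright
PASSIVE = {"img", "audio", "video", "source"}     # warned about or auto-upgraded

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []                            # (line, kind, tag, url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}      # valueless attributes arrive as None
        if tag == "link":
            rel = a.get("rel", "").lower().split()
            url, kind = a.get("href", ""), "active" if "stylesheet" in rel else None
        elif tag == "object":
            url, kind = a.get("data", ""), "active"
        elif tag in ACTIVE:
            url, kind = a.get("src", ""), "active"
        elif tag in PASSIVE:
            url, kind = a.get("src", ""), "passive"
        else:
            return                                # e.g. <a href>: navigation only
        url = url.strip()
        if kind and url.lower().startswith("http://"):
            self.hits.append((self.getpos()[0], kind, tag, url))

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits

# Constructed sample page
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="https://cdn.example.com/app.js"></script>
<script src="http://cdn.example.com/legacy.js"></script>
</head><body>
<a href="http://example.com/about">About</a>
<img src="http://img.example.com/logo.png">
</body></html>"""
```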

When to Be Concerned

| Indicator | Meaning | Urgent? |
|-----------|---------|---------|
| Expiry in <30 days | Renew now | ✅ Yes |
| Incomplete chain | Some users see an error | ✅ Yes |
| Mixed content | Scripts may be blocked | ⚠️ Soon |
| Self-signed | Browsers show warning | ✅ Yes |
| TLS 1.0/1.1 only | Outdated — blocked by browsers | ✅ Yes |
| Expiry in >90 days | Monitor only | ❌ No |

Frequently Asked Questions

How much does an SSL certificate cost?
Let's Encrypt certificates are completely free and automatic. Commercial ones range from €10 (DV) to hundreds (EV/wildcard). For most sites, Let's Encrypt is more than sufficient.

What is the difference between DV, OV and EV?
DV (Domain Validation): only the domain is verified — sufficient for most sites. OV (Organization Validation): the organisation is also verified. EV (Extended Validation): full verification — used by banks. Technically, all three provide the same level of encryption.

Does SSL affect Google ranking?
Yes, HTTPS has been a ranking signal since 2014. More importantly: without HTTPS, Chrome displays "Not Secure" in the address bar, which dramatically increases bounce rate.

Can I use one certificate for multiple domains?
Yes, via SAN (Subject Alternative Names) or wildcard. A wildcard *.example.com covers all subdomains but not the apex. For multiple different domains you need a Multi-Domain (SAN) certificate.

What is a CAA record and do I need to set it up?
A CAA (Certification Authority Authorization) record in DNS specifies which CAs are allowed to issue certificates for your domain. For example: example.com CAA 0 issue "letsencrypt.org". It is not mandatory but adds an extra layer of security.
