Inspect SSL/TLS certificates and configuration for any domain. Shows certificate details, expiry date, issuer, supported TLS versions, cipher suite, and Subject Alternative Names — plus issues that could cause browser warnings or audit failures.
This tool checks one area. The full scan covers SSL, open ports, HTTP headers, breach exposure, subdomain enumeration, compliance mapping, and more — free, no login required.
An SSL/TLS certificate is a digital credential that authenticates a website's identity and enables encrypted communication between a visitor's browser and the web server. When a site has a valid certificate, the connection uses HTTPS instead of HTTP, and the browser displays a padlock icon in the address bar.
The certificate contains the domain name, the issuing Certificate Authority (CA), the public key used for encryption, validity dates, and often the organization that owns the domain. During the TLS handshake, the browser verifies the certificate against its built-in list of trusted CAs, checks that the certificate covers the requested domain, and confirms it has not expired or been revoked.
The term "SSL" is still widely used, but the protocol it refers to — Secure Sockets Layer — has been deprecated since 2015. Modern encrypted connections use Transport Layer Security (TLS), with TLS 1.2 and TLS 1.3 being the only versions considered secure today. When people say "SSL certificate," they almost always mean a certificate used with the TLS protocol. This SSL certificate checker tests both your certificate validity and your TLS configuration.
Every website that handles user data, accepts payments, or wants to rank in search engines needs a valid SSL/TLS certificate. Even static sites benefit from HTTPS, since browsers now mark all HTTP pages as "Not Secure" and search engines penalize unencrypted sites.
Having a certificate installed is only half the equation. How your server is configured — which TLS versions it supports, which cipher suites it offers, whether the certificate chain is complete — determines whether your encryption actually protects your users. Poor configuration can leave you vulnerable even with a valid certificate.
Not all TLS versions are equal. Older versions have known vulnerabilities that attackers can exploit. Use this table to understand which versions your server should support and which must be disabled.
| Version | Status | Security | Notes |
|---|---|---|---|
| SSL 2.0 | Deprecated | Broken | Must be disabled — fundamentally insecure |
| SSL 3.0 | Deprecated | Broken | Vulnerable to POODLE attack — must be disabled |
| TLS 1.0 | Deprecated | Weak | Vulnerable to BEAST and other attacks — should be disabled |
| TLS 1.1 | Deprecated | Weak | Dropped by all major browsers in 2020 — should be disabled |
| TLS 1.2 | Active | Strong | Minimum recommended — widely supported |
| TLS 1.3 | Active | Strongest | Preferred — faster handshake, better security, no legacy baggage |
Our SSL certificate checker identifies these issues automatically. Here is what each finding means and how to resolve it.
An expired certificate triggers an immediate browser warning that blocks visitors from reaching your site. Renew the certificate immediately through your CA or hosting provider. To prevent recurrence, enable automated renewal: `certbot renew` handles this for Let's Encrypt certificates, and most commercial CAs offer auto-renewal features.
Mixed content occurs when an HTTPS page loads resources (images, scripts, stylesheets) over plain HTTP. This degrades security because those resources can be intercepted or modified. Audit all resource URLs in your HTML, CSS, and JavaScript, then update them to use HTTPS or protocol-relative paths. Browser developer tools flag mixed content in the console.
Cipher suites like RC4, DES, and 3DES have known weaknesses and should be disabled. Configure your server to prefer AES-GCM and ChaCha20-Poly1305 cipher suites, which provide authenticated encryption. In Nginx, set `ssl_ciphers` to a modern list and set `ssl_prefer_server_ciphers on;`.
Legacy TLS versions are no longer supported by modern browsers and fail PCI DSS compliance requirements. Disable them in your server configuration. In Nginx, use `ssl_protocols TLSv1.2 TLSv1.3;` to allow only secure versions. Check the results with this TLS checker after making changes.
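The two Nginx settings above can be checked before a reload. This is an added example, not code from this tool: a small auditor that reads `ssl_protocols` and `ssl_ciphers` from a config and flags the legacy versions and weak cipher families named above. Both sample configs are constructed, and the function names are hypothetical.

```python
import re

# Nginx tokens for the versions the table above marks as deprecated.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Weak families named in the text; CBC3 is OpenSSL's 3DES spelling (DES-CBC3-SHA).
WEAK_TOKENS = {"RC4", "DES", "3DES", "CBC3"}

# Constructed sample configs, not taken from a real server.
WEAK_CONF = """server {
    listen 443 ssl;
    # ssl_protocols TLSv1.2 TLSv1.3;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:RC4-SHA:DES-CBC3-SHA:!aNULL;
}"""
HARDENED_CONF = """server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:!RC4:!3DES;
    ssl_prefer_server_ciphers on;
}"""

def directives(conf_text):
    """Yield (line_no, name, args) for each ssl_* directive, ignoring comments."""
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        m = re.match(r"(ssl_\w+)\s+([^;]+);", raw.split("#", 1)[0].strip())
        if m:
            yield line_no, m.group(1), m.group(2).strip()

def audit(conf_text):
    """Return (line_no, finding) pairs for legacy protocols and weak ciphers."""
    findings = []
    for line_no, name, args in directives(conf_text):
        if name == "ssl_protocols":
            for proto in args.split():
                if proto in LEGACY_PROTOCOLS:
                    findings.append((line_no, f"legacy protocol enabled: {proto}"))
        elif name == "ssl_ciphers":
            for cipher in re.split(r"[:, ]+", args.strip("'\"")):
                # '!' and '-' prefixes remove a cipher, so they are not findings.
                if cipher.startswith(("!", "-")):
                    continue
                if WEAK_TOKENS & set(re.split(r"[-+]", cipher.upper())):
                    findings.append((line_no, f"weak cipher offered: {cipher}"))
    return findings

if __name__ == "__main__":
    for conf in (WEAK_CONF, HARDENED_CONF):
        print(audit(conf) or "no legacy protocols or weak ciphers found")
```

A static check like this only covers what the file says; an external TLS check is still needed to confirm what the server actually negotiates.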
If your server does not send intermediate certificates, some browsers and clients cannot verify the chain of trust back to a root CA. Download the intermediate certificate bundle from your CA and configure your server to send the full chain. Test with this SSL checker — it explicitly reports chain completeness.
Self-signed certificates are not trusted by browsers because they lack verification by a Certificate Authority. They are acceptable for internal development environments, but production sites must use CA-issued certificates. Free certificates from Let's Encrypt are just as secure for encryption as paid alternatives.
A hostname mismatch means the certificate's Common Name (CN) or Subject Alternative Names (SANs) do not include the domain being accessed. This triggers a browser error. Ensure your certificate covers all domains and subdomains you serve. Wildcard certificates cover `*.example.com` but not `example.com` itself, so you need both.
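The wildcard rule above is easy to get wrong when planning certificate coverage. This is an added example, not this tool's code: it matches hostnames against a certificate's names label by label and lists the hosts that would trigger a mismatch. The certificate dicts are constructed in the shape Python's `ssl.SSLSocket.getpeercert()` returns, the function names are hypothetical, and partial wildcards such as `w*.example.com` are deliberately not honoured.

```python
def name_matches(pattern, hostname):
    """Compare one certificate name with a hostname, label by label.

    A '*' is honoured only as the whole leftmost label and stands for exactly
    one label, so it never matches the bare parent domain or deeper names.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def cert_names(cert):
    """DNS names a certificate asserts. The CN is used only as a fallback
    when the certificate carries no DNS SAN entries."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def uncovered(cert, served_hosts):
    """Hostnames from served_hosts that would raise a mismatch error."""
    names = cert_names(cert)
    return [h for h in served_hosts if not any(name_matches(n, h) for n in names)]

# Constructed certificates in getpeercert() form.
WILDCARD_ONLY = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}
WILDCARD_PLUS_APEX = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}
SERVED = ["example.com", "www.example.com", "api.example.com", "a.b.example.com"]

if __name__ == "__main__":
    print("wildcard only:     ", uncovered(WILDCARD_ONLY, SERVED))
    print("wildcard plus apex:", uncovered(WILDCARD_PLUS_APEX, SERVED))
```

The second-level name `a.b.example.com` stays uncovered in both cases, because a wildcard stands for a single label.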
Without HTTP Strict Transport Security (HSTS), browsers may attempt insecure HTTP connections before being redirected to HTTPS, creating a window for downgrade attacks. Add the Strict-Transport-Security header with a long max-age value. Use our HTTP security headers checker to verify HSTS and other security headers.
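One way to evaluate the header once it is deployed, as an added example that is not this tool's code: a parser for the `Strict-Transport-Security` value following RFC 6797 (case-insensitive directive names, optional quoted values, repeated directives invalid). The one-year threshold for a "long" `max-age` is an assumption, as are the function names and the constructed header values in the test calls.

```python
MIN_MAX_AGE = 31536000  # assumption: one year; the text above only says "long"

def parse_hsts(value):
    """Parse a header value into {directive: value-or-None}.

    Returns None when a directive appears twice, which makes the header invalid.
    """
    parsed = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in parsed:
            return None
        parsed[name] = val.strip().strip('"') if val else None
    return parsed

def hsts_findings(headers, min_max_age=MIN_MAX_AGE):
    """Return a list of problems with the HSTS header in a response-header dict."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["missing Strict-Transport-Security header"]
    parsed = parse_hsts(value)
    if parsed is None:
        return ["invalid header: repeated directive"]
    age = parsed.get("max-age")
    if age is None or not age.isdigit():
        return ["invalid header: max-age missing or not a number"]
    findings = []
    if int(age) == 0:
        # max-age=0 is the signal to delete a stored policy.
        findings.append("max-age=0 tells browsers to drop the HSTS policy")
    elif int(age) < min_max_age:
        findings.append(f"max-age {age} is below {min_max_age}")
    if "includesubdomains" not in parsed:
        findings.append("includeSubDomains not set; subdomains are not covered")
    return findings

if __name__ == "__main__":
    # Constructed response headers.
    print(hsts_findings({"Strict-Transport-Security": "max-age=300"}))
    print(hsts_findings({"Strict-Transport-Security":
                         "max-age=63072000; includeSubDomains; preload"}))
```

Browsers honour this header only when it arrives over HTTPS, so run the check against the HTTPS response rather than the HTTP redirect.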
SSL/TLS certificates come in several types that differ in validation level and domain coverage. The encryption strength is identical across all types — the differences are in identity verification and scope.
When you enter a domain, this tool performs a comprehensive analysis of your SSL/TLS configuration in seconds. Here is what happens behind the scenes:
For a broader view of your domain's security posture — covering open ports, DNS configuration, HTTP headers, breach exposure, and compliance mapping across 17 modules — run a full security scan.
Check your SSL certificate at least once a month, and set up automated monitoring to catch expiry before it happens. Certificates from Let's Encrypt expire every 90 days, making frequent checks essential. Even certificates with a one-year validity can be revoked unexpectedly by the CA if a security incident occurs. Automated monitoring tools like ComplianceLayer can alert you days or weeks before expiry so you never face an unexpected outage or browser warning.
Yes. From an encryption standpoint, a free Let's Encrypt certificate provides the same TLS encryption strength as a paid certificate. The cryptographic algorithms (RSA-2048 or ECDSA P-256) and the TLS protocol are identical regardless of price. Paid certificates differ in validation level (Organization Validation or Extended Validation), warranty coverage, and customer support — not in the strength of the encryption itself. For most websites, a free DV certificate is perfectly appropriate.
Use TLS 1.3 as the preferred version and TLS 1.2 as the minimum. Disable TLS 1.0 and TLS 1.1 entirely — all major browsers dropped support for them in 2020, and PCI DSS mandates TLS 1.2 as the minimum. TLS 1.3 offers a faster handshake (one round trip instead of two), stronger cipher suites by default, and removes legacy features that created vulnerabilities in earlier versions. There is no compatibility reason to keep older versions enabled on a public-facing server.
Yes, SSL directly affects SEO in multiple ways. Google has used HTTPS as a ranking signal since 2014, giving encrypted sites a measurable advantage in search results. Beyond the direct ranking signal, sites without valid SSL certificates show browser warnings that dramatically increase bounce rates — and high bounce rates further damage search rankings. Modern browsers flag all HTTP sites as "Not Secure" in the address bar, reducing click-through rates from search results even before visitors see the warning page.
A certificate chain error means your server is not sending the intermediate certificates that browsers need to verify your certificate back to a trusted root CA. To fix it, download the intermediate certificate bundle from your certificate authority and configure your web server to send the full chain. In Nginx, concatenate your certificate with the intermediate bundle into a single file using `cat cert.pem intermediate.pem > fullchain.pem`. In Apache, use the `SSLCertificateChainFile` directive to point to the intermediate bundle. After making changes, run this SSL certificate checker again to verify the chain is complete.