SSL Checker
Check any website’s SSL certificate in seconds. Enter a domain to verify HTTPS status, certificate issuer, validity dates, and expiration—great for SEO, security audits, and uptime checks. Fast, free, and works on desktop and mobile.
SSL Checker
The SSL Checker verifies the SSL/TLS certificate of any domain and returns key details: whether the certificate is valid, the certificate issuer and authority, the validity period, the expiry date, the domains covered, and the overall HTTPS status. Enter a domain name and click Examine SSL to retrieve the live certificate information.
A valid, correctly configured SSL certificate is a fundamental requirement for any website in 2025. It enables HTTPS, encrypts traffic between the browser and server, displays the padlock icon in the browser address bar, and is a confirmed Google ranking signal. An expired, misconfigured, or domain-mismatched certificate causes browser security warnings that drive users away and can prevent pages from loading entirely.
How to use the SSL Checker
- Enter the domain name you want to check — for example, example.com or www.example.com. Do not include https:// in the input; just the domain.
- Click Examine SSL. The tool connects to the domain and retrieves the live SSL certificate details.
- Review the results: certificate validity status, issuer name and Certificate Authority (CA), Not Before and Not After dates (the validity window), and the domains covered by the certificate.
- If the certificate is expired, shows a hostname mismatch, or flags any other issue, use the SSL errors reference table below to identify the cause and the corrective action.
Check both the bare domain and the www version separately. Certificates do not automatically cover both example.com and www.example.com unless both are listed in the certificate's Subject Alternative Names (SANs). A certificate that covers www.example.com but not example.com (or vice versa) will cause a hostname mismatch warning for whichever version is not listed. Run the SSL Checker on both versions to confirm both are covered.
What the SSL check returns
When the tool inspects a certificate, the most important fields it retrieves are:
- Valid / Invalid status — whether the certificate is currently valid: within its validity window, issued by a trusted CA, and matching the domain.
- Certificate issuer — the Certificate Authority (CA) that issued the certificate (e.g. Let's Encrypt, DigiCert, Sectigo, GlobalSign, Comodo). Well-known CAs are trusted by all major browsers.
- Not Before date — the date the certificate became valid. A certificate used before this date will appear invalid.
- Not After / Expiry date — the date the certificate expires. After this date, the certificate is invalid and browsers will show a hard security warning preventing users from accessing the site.
- Domains covered (Subject Alternative Names) — the full list of domains and subdomains the certificate is authorized to protect. Any domain not listed here will trigger a hostname mismatch error.
- Certificate type — whether the certificate is Domain Validated (DV), Organization Validated (OV), or Extended Validated (EV).
Certificate validity periods are getting shorter. The CA/Browser Forum — the industry body that sets SSL standards — has progressively reduced the maximum validity period for public SSL certificates. As of 2025, the maximum is 398 days (approximately 13 months). A further reduction to 90 days and eventually 47 days is expected in the coming years. This trend strongly favors automated renewal systems such as Let's Encrypt with ACME protocol, which renew certificates automatically every 60 to 90 days. If you are still manually renewing annual certificates, plan for more frequent renewals ahead.
SSL certificate types — DV, OV, and EV explained
All three certificate types use the same strength of encryption. The difference between them is the level of identity verification the Certificate Authority performs before issuing the certificate. A DV certificate proves only that the applicant controls the domain. An OV certificate also verifies that a real, registered organization controls the domain. An EV certificate additionally verifies the organization’s physical location and legal standing through a rigorous manual review.
| Type | Validation | What CA verifies | Issuance time |
| DV (Domain Validated) | Domain ownership only — confirmed via DNS record, file upload, or email to registered domain owner. | Minutes to hours. Automated. | Blogs, personal sites, developer projects, internal tools, and any site that needs HTTPS quickly and cheaply. |
| OV (Organisation Validated) | Domain ownership plus business identity — registered company name, address, and legal existence verified against official records. | 1 to 3 business days. Requires manual review. | Business websites, company portals, professional services, any site collecting user data or login credentials. |
| EV (Extended Validated) | Domain ownership, business identity, physical existence, and authorized representative — the most thorough verification in the industry. | 3 to 7+ business days. Full manual review and documentation. | E-commerce stores, financial services, banks, healthcare portals, and high-risk sites where user trust is critical. |
From a pure encryption standpoint, a DV certificate from Let's Encrypt protects user data just as effectively as an EV certificate from DigiCert. The difference is in the trust signal to users and the identity information embedded in the certificate. For most websites, a DV certificate is sufficient. For organizations handling payments, sensitive personal data, or transactions where user trust is critical, OV or EV provides stronger identity assurance.
Certificate coverage scope — single domain, wildcard, and multi-domain
Beyond the validation level, certificates differ in how many domains they protect. Choosing the wrong coverage scope is one of the most common SSL configuration mistakes — particularly the assumption that a certificate for www.example.com automatically covers example.com, or that a wildcard covers all subdomain levels.
| Certificate scope | What it protects | Example | Notes |
| Single domain | Exactly one domain or subdomain. | example.com (does not cover www.example.com unless specified as a SAN). | Most common type. Does not automatically cover both bare domain and www — check your certificate's Subject Alternative Names (SANs) to confirm both are listed. |
| Multi-domain (SAN) | Multiple distinct domains in a single certificate. Each additional domain is listed as a Subject Alternative Name. | example.com, shop.example.com, example.co.uk — all in one certificate. | Useful for businesses running multiple brands or regional sites. Simplifies renewal management — one certificate expiry date covers all domains. |
| Wildcard | A primary domain and all first-level subdomains. The wildcard character (*) covers one level of subdomain depth. | *.example.com covers www, shop, blog, api.example.com — but not sub.sub.example.com. | Does not cover the bare domain (example.com) unless it is also explicitly listed. Does not cover second-level subdomains (api.v2.example.com). |
| Wildcard + SAN | Combination: a wildcard for subdomains plus explicit additional domains listed as SANs. | *.example.com plus example.com, example.co.uk in the same certificate. | The most flexible coverage option. Used by organizations with complex domain structures across multiple TLDs and subdomains. |
SSL, HTTPS, and SEO
Google confirmed HTTPS as a lightweight ranking signal in 2014 and has progressively strengthened its enforcement since. Google Chrome marks all HTTP pages as 'Not Secure' in the address bar. Pages served over HTTP without a valid SSL certificate receive a visible browser warning before users can proceed. Google's own data shows over 95 percent of page loads in Chrome are now over HTTPS — any page still on HTTP is a significant outlier.
The direct SEO impact of SSL is modest as a standalone signal — having HTTPS does not dramatically boost rankings on its own. The indirect impact is more significant: HTTP pages lose click-through rates due to the 'Not Secure' label, and Google explicitly recommends HTTPS as a baseline technical requirement. An expired or misconfigured certificate that triggers a browser warning effectively takes a page offline for most users, which has a severe indirect impact on rankings through lost crawlability and traffic.
HTTPS also enables HTTP/2 and HTTP/3, which provide significant performance improvements through multiplexing, header compression, and server push. These protocol improvements contribute to faster Core Web Vitals scores, which are a confirmed Google ranking factor.
SSL errors and warnings — causes and fixes
The table below covers the seven most common SSL certificate problems, what causes each one, and how to resolve it:
| Error / warning | Most likely cause | How to fix it |
| Certificate expired | The certificate's Not After date has passed. Browsers reject expired certificates and show a hard warning. | Renew the certificate immediately through your CA or hosting provider. Configure automatic renewal (Let's Encrypt / ACME) to prevent recurrence. |
| Certificate not yet valid | The server clock is wrong, or the certificate has a future Not Before date. Very rare — usually a server clock sync issue. | Verify the server time is correct and synced with an NTP server. Contact your CA if the Not Before date is clearly wrong. |
| Hostname mismatch | The domain in the browser's address bar does not match any domain listed in the certificate's Subject or Subject Alternative Names (SANs). | Check whether www.example.com and example.com are both listed as SANs. If not, reissue with both included, or use a wildcard certificate. Check CDN / load balancer SSL settings. |
| Untrusted certificate | The certificate was issued by a CA not trusted by the browser's root store, or the certificate chain is incomplete (missing intermediate CA). | Ensure the full certificate chain (including intermediate CA certificates) is installed on the server. Use a certificate from a trusted, publicly recognized CA. |
| Mixed content | The HTTPS page loads some resources (images, scripts, stylesheets) over HTTP. Browsers block or warn about mixed content even if the page certificate is valid. | Update all resource URLs to HTTPS. Use the browser console (F12 > Console) to identify specific mixed content URLs. Consider a Content Security Policy (CSP) with upgrade-insecure-requests. |
| Certificate revoked | The CA has revoked this certificate before its expiry — typically due to a compromised private key or CA error. | Issue a new certificate immediately. If your private key was compromised, regenerate it before requesting the new certificate. |
| Weak cipher / outdated protocol | The server is using an outdated TLS version (TLS 1.0 or 1.1, both deprecated) or weak cipher suite. | Configure your server to use TLS 1.2 and TLS 1.3 only. Disable TLS 1.0, TLS 1.1, and SSL 3.0. Review cipher suite configuration and remove weak options. |
Certificate expiry and renewal
When to renew
The standard guidance is to renew at least 30 days before the expiry date. Many hosting panels and certificate management tools send automatic expiry reminders. If your certificate expires without renewal, all browsers will show a hard security warning preventing users from accessing the site — this is particularly damaging for e-commerce sites where the warning appears immediately before checkout.
Automatic renewal with Let's Encrypt
Let's Encrypt issues free DV certificates with a 90-day validity period and supports fully automated renewal through the ACME (Automated Certificate Management Environment) protocol. Most major hosting providers (cPanel, Plesk, most managed WordPress hosts, Cloudflare, Netlify, Vercel) handle Let's Encrypt renewal automatically — the certificate rotates every 60 to 90 days without any manual action required. If your certificate is from Let's Encrypt with a 90-day validity and you have not configured ACME automation, set up the certbot client or your hosting provider's auto-renewal feature immediately.
CDN and proxy SSL
When a site is behind a CDN such as Cloudflare, there are two SSL connections: the connection between the visitor and the CDN edge server, and the connection between the CDN and your origin server. Both can be checked independently. The ToolsPiNG SSL Checker checks the certificate presented at the edge (the visitor-facing certificate). If you are using Cloudflare's Universal SSL, the edge certificate is managed automatically by Cloudflare. Verify that your origin-to-CDN connection is also configured with a valid certificate in 'Full (Strict)' mode — not 'Flexible', which sends traffic to your origin server unencrypted.
Usage limits
| Guest users | 25 checks per day. No account required. |
| Registered users | 100 checks per day. Free to register. |
Related tools
- Check GZIP Compression — verify whether your server is compressing text resources. HTTPS enables HTTP/2 which works best alongside compression.
- Spider Simulator — see how a search engine crawler views your page. A misconfigured SSL certificate can block crawlers entirely.
- Websites Broken Link Checker — identify broken links on your site. Mixed-content warnings (HTTP resources on HTTPS pages) often originate from broken or hard-coded HTTP URLs in content.
Frequently asked questions
What is an SSL certificate?
An SSL/TLS certificate is a digital certificate that authenticates a website's identity and enables an encrypted HTTPS connection between the visitor's browser and the web server. The certificate is issued by a trusted Certificate Authority (CA) and contains the domain name(s) the certificate covers, the CA that issued it, the validity period (Not Before and Not After dates), and the public encryption key. When a browser connects to a site over HTTPS, it verifies the certificate against its trusted CA root store — if the certificate is valid, trusted, and matches the domain, the connection is established securely and the padlock icon is shown.
What is the difference between SSL and TLS?
SSL (Secure Sockets Layer) is the original name of the protocol, introduced in the 1990s. TLS (Transport Layer Security) is the modern, updated version — all current secure web connections use TLS 1.2 or TLS 1.3. SSL 3.0 and earlier versions are deprecated and considered insecure. In practice, the terms 'SSL' and 'SSL certificate' remain in common use even though the underlying protocol is TLS. When people refer to an SSL certificate, they mean an X.509 certificate used to establish TLS connections.
What is the difference between DV, OV, and EV certificates?
The three types differ in how much the Certificate Authority verifies about the certificate applicant before issuing. DV (Domain Validated) confirms only that the applicant controls the domain — issuable in minutes, often free. OV (Organization Validated) also verifies the registered business name and address — takes 1 to 3 business days. EV (Extended Validated) performs the most thorough verification including legal documents and physical location — takes up to a week. All three provide the same encryption strength. The difference is in the identity assurance and trust signal. Most websites use DV certificates; OV and EV are recommended for e-commerce and financial services where user trust in the organization’s identity matters.
Why does my SSL show a hostname mismatch warning?
A hostname mismatch means the domain you are trying to access is not listed in the certificate's Subject Alternative Names (SANs). Common causes: the certificate covers www.example.com but not example.com (or vice versa); a subdomain is not included in the certificate; the site was migrated to a new domain without reissuing the certificate; or a CDN or load balancer is presenting the wrong certificate for the incoming request. Use the SSL Checker to view the exact list of SANs in the certificate and compare them against the domains that need to be covered. Reissue the certificate with the missing domains added.
What is mixed content and how does it affect SSL?
Mixed content occurs when an HTTPS page loads some resources — images, stylesheets, scripts, iframes — over HTTP rather than HTTPS. Even if the page has a valid SSL certificate, loading HTTP resources undermines the security of the HTTPS connection. Modern browsers block active mixed content (scripts and stylesheets) entirely and warn about passive mixed content (images). Mixed content errors appear in the browser console (F12 > Console) as specific URLs. Fix by updating all resource URLs to HTTPS — change hard-coded http:// links to https://, update CMS settings, and use a Content Security Policy header with upgrade-insecure-requests to automatically upgrade remaining HTTP references.
How often should I check my SSL certificate?
Check your SSL certificate at least monthly as a routine maintenance task, and immediately after any server migration, CDN change, hosting provider change, or domain configuration update. The most important check is the expiry date — set a calendar reminder to renew at least 30 days before the certificate expires. If you have automated renewal (Let's Encrypt with ACME), verify that the automation is actually working by checking that the certificate's Not After date advances after each renewal cycle. Automated renewal can fail silently if DNS changes, permissions, or server configuration are modified.
Does an SSL certificate improve my Google rankings?
HTTPS is a confirmed Google ranking signal, but a modest one. Simply having a valid SSL certificate does not dramatically boost rankings — content relevance, backlinks, and Core Web Vitals are far more influential signals. The more important impact is the negative effect of not having SSL: Chrome's 'Not Secure' label reduces click-through rates, browser warnings prevent users from reaching the page, and Google may deprioritize HTTP URLs in crawling and indexing. HTTPS is best understood as a technical baseline requirement, not a ranking shortcut — every serious website should have it, but it will not compensate for weak content or poor technical SEO elsewhere.
Is the SSL Checker free?
Yes. The tool is free within the daily usage limits shown above. Guest users can run 25 checks per day without creating an account. Registering a free ToolsPiNG account increases the daily limit to 100 checks and gives access to usage history and saved favorites.