How to Check an SSL Certificate: Browser, CLI, and Monitoring Methods

Learn how to check SSL certificates using browser tools, OpenSSL commands, online checkers, and automated monitoring. Verify expiry dates, certificate chains, and domain coverage.

Last updated: 2026-02-18

Why You Need to Check SSL Certificates

An SSL certificate is not a set-and-forget configuration. Certificates expire on a fixed schedule — every 90 days for Let's Encrypt, every 398 days for most paid certificates. Auto-renewal can fail silently. Certificate chains can break during server migrations. Domain mismatches appear after adding subdomains.

Checking your SSL certificate verifies that it is valid, trusted, correctly configured, and will not expire unexpectedly. There are four methods, ranging from quick manual checks to continuous automated monitoring.

What to Look for When Checking SSL

Before diving into methods, here is what a healthy SSL certificate looks like:

Valid Expiry Date

The certificate's "Not After" date should be comfortably in the future. If it expires within 30 days, investigate whether renewal is working.

Correct Domain Coverage

The Subject Alternative Names (SANs) should include every domain and subdomain the certificate needs to cover. A wildcard for *.example.com does not cover example.com itself.

Complete Certificate Chain

The full chain from your server certificate through intermediate certificates to a trusted root CA must be present. Missing intermediates cause failures on mobile devices and API clients.

Trusted Issuer

The certificate should be issued by a recognized Certificate Authority (Let's Encrypt, DigiCert, Sectigo, etc.), not self-signed.

Modern Protocol Support

The server should support TLS 1.2 and ideally TLS 1.3. TLS 1.0 and 1.1 are deprecated and blocked by modern browsers.

Method 1: Browser Developer Tools

The quickest way to check an SSL certificate is directly in your browser.

1. Click the Padlock Icon

In the address bar, click the padlock (or shield) icon next to the URL. In Chrome, click "Connection is secure" then "Certificate is valid." In Firefox, click the padlock then "Connection secure" then "More information."

2. Review Certificate Details

The certificate viewer shows the subject (domain), issuer (CA), validity period (Not Before and Not After dates), and the certificate chain hierarchy.

3. Check the Chain

The certificate viewer shows the chain as a tree: Root CA at the top, intermediate CA in the middle, your server certificate at the bottom. All three should show as valid. A broken chain shows a warning or error icon.

4. Verify Domain Coverage

Look for the Subject Alternative Names (SANs) field. It lists every domain the certificate covers. Confirm your domain, www subdomain, and any other required subdomains are included.

Browser checks have a major limitation: desktop browsers perform AIA fetching, which automatically fills in missing intermediate certificates. Your browser may show a valid chain while mobile devices, API clients, and bots see a broken one. Never rely solely on browser checks to validate your certificate chain.

Method 2: OpenSSL Command Line

OpenSSL gives you the most detailed and reliable certificate information. It does not perform AIA fetching, so it shows exactly what your server is sending — including missing intermediates.

Check certificate details and expiry:

openssl s_client -connect yourdomain.com:443 -servername yourdomain.com </dev/null 2>/dev/null | openssl x509 -noout -dates

This outputs the Not Before and Not After dates.

View full certificate information:

openssl s_client -connect yourdomain.com:443 -servername yourdomain.com </dev/null 2>/dev/null | openssl x509 -noout -text

This shows everything: issuer, subject, SANs, serial number, signature algorithm, and validity period.

Check the certificate chain:

openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -showcerts </dev/null

This displays every certificate in the chain as sent by the server. You should see at least two certificates: your server certificate and the intermediate. If only one certificate appears, the intermediate is missing.

Check SANs (Subject Alternative Names):

openssl s_client -connect yourdomain.com:443 -servername yourdomain.com </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName

The -servername flag enables SNI (Server Name Indication), which is essential if your server hosts multiple domains. Without it, you may get the wrong certificate.

Method 3: Online SSL Checker Tools

Online tools provide a web-based interface for checking SSL certificates without needing command-line access.

SSL Labs (ssllabs.com/ssltest) — The most comprehensive free checker. Grades your SSL configuration from A+ to F, checks protocol support, cipher suites, certificate chain, and known vulnerabilities. Takes 1-2 minutes to run a full analysis.

SSL Shopper Checker — Quick certificate check showing expiry date, issuer, and chain status. Faster than SSL Labs but less detailed.

SSL Decoder — Decodes certificate details including SANs, key type, signature algorithm, and OCSP stapling status.

These tools are useful for one-time checks — after a certificate renewal, server migration, or configuration change. They are not a substitute for continuous monitoring because they only check when you remember to visit them.

| Method | Speed | Chain Validation | Automation | Best For |
|---|---|---|---|---|
| Browser padlock | Instant | Unreliable (AIA fetching) | None | Quick visual check |
| OpenSSL CLI | < 1 second | Accurate | Scriptable | Detailed debugging |
| Online tools | 1-2 minutes | Accurate | None | Comprehensive one-time audit |
| Automated monitoring | Continuous | Accurate | Full | Ongoing protection |

Method 4: Automated SSL Monitoring

Automated monitoring checks your SSL certificates on a continuous schedule — every few minutes to every few hours — from multiple locations. It combines the accuracy of OpenSSL with the convenience of never having to remember to check.

Monitoring tools typically alert you at multiple thresholds before expiry: 30 days (early warning), 14 days (action needed), and 7 days (emergency). This multi-stage approach gives you time to investigate and fix renewal issues before the certificate expires.

Beyond expiry, monitoring validates the certificate chain on every check, catches domain mismatches after configuration changes, and detects protocol downgrades. Because checks run from multiple geographic locations, monitoring also catches region-specific issues like CDN nodes serving stale certificates.
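
The staged expiry alerts and the domain-coverage check described above, sketched in Python as an added example (not code from this page or from any tool it names). The function names, the SAMPLE dictionary and the fixed NOW clock are constructed for illustration; fetch_cert is the only part that touches the network.

```python
import socket
import ssl
from datetime import datetime, timezone

# Alert stages from the article: 7 days (emergency), 14 (action needed), 30 (early warning).
STAGES = [(7, "emergency"), (14, "action needed"), (30, "early warning")]

def fetch_cert(host, port=443, timeout=10):
    """Network call: return the verified leaf certificate as a getpeercert() dict.
    The default context checks chain and hostname against the local trust store and
    does no AIA fetching, so a missing intermediate raises SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # server_hostname sends SNI, like -servername in the openssl commands.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def days_left(cert, now):
    """Whole days from `now` (timezone-aware) until the certificate's notAfter."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return (datetime.fromtimestamp(expires, tz=timezone.utc) - now).days

def expiry_stage(cert, now):
    """Map remaining lifetime onto the alert stages; 'ok' means more than 30 days."""
    remaining = days_left(cert, now)
    if remaining < 0:
        return "expired"
    for limit, label in STAGES:
        if remaining <= limit:
            return label
    return "ok"

def san_covers(cert, hostname):
    """True if a DNS SAN matches hostname. A wildcard stands for exactly one
    left-most label, so *.example.com does not match example.com itself."""
    host = hostname.lower().rstrip(".")
    parent = host.split(".", 1)[1] if "." in host else None
    for kind, value in cert.get("subjectAltName", ()):
        name = value.lower()
        if kind == "DNS" and (name == host or (name.startswith("*.") and name[2:] == parent)):
            return True
    return False

# Constructed sample in the format getpeercert() returns (not a real certificate).
SAMPLE = {"notAfter": "Mar 10 12:00:00 2026 GMT",
          "subjectAltName": (("DNS", "*.example.com"), ("DNS", "www.example.org"))}
NOW = datetime(2026, 2, 18, 12, 0, tzinfo=timezone.utc)  # fixed clock for a repeatable run
print(expiry_stage(SAMPLE, NOW), san_covers(SAMPLE, "example.com"))
```

For a live check, pass the result of fetch_cert("yourdomain.com") and datetime.now(timezone.utc) to the same functions, and treat an ssl.SSLCertVerificationError from fetch_cert as a chain, trust or hostname failure to investigate.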

When to Check

After every deployment or server change. Certificate configurations can break when you update web server software, modify virtual host configurations, migrate to a new server, or change your CDN settings. A post-deployment SSL check catches these issues immediately.

After certificate renewal. Whether renewal is automated or manual, verify that the new certificate is being served correctly with a complete chain. Auto-renewal success does not guarantee the web server reloaded the new certificate.

On a regular schedule. For certificates that do not auto-renew (paid certificates, internal CA certificates), set calendar reminders to check at least monthly. Better yet, use automated monitoring that checks continuously.

When users report issues. If a user reports a security warning, check immediately from multiple methods. Browser checks from your machine may not reproduce the issue if it is caused by a missing intermediate that your browser auto-fills.

Common Issues Found During SSL Checks

Missing intermediate certificate. The most frequently missed issue. Your server sends only the leaf certificate, and desktop browsers silently fetch the intermediate via AIA. Mobile browsers and API clients cannot, so they fail. OpenSSL and online tools catch this reliably.

Certificate covering wrong domains. After adding a subdomain or migrating to a new domain, the existing certificate may not include the new domain in its SANs. The certificate needs to be reissued with updated SANs.

Certificate about to expire. Auto-renewal failed silently, and the certificate expires in days. Without monitoring, you discover this when users start seeing errors.

Weak cipher suites. The server supports deprecated ciphers that are vulnerable to known attacks. SSL Labs flags these and recommends modern cipher configurations.

OCSP stapling not configured. OCSP stapling improves connection speed and privacy by having your server provide certificate revocation status instead of requiring the browser to contact the CA's OCSP responder. Not having it configured is not an error, but configuring it improves performance.

Checking an SSL certificate takes seconds. Not checking one can cost you hours of downtime, lost customers, and damaged trust. The question is not whether to check, but how to make checking automatic.

Automated SSL Certificate Monitoring

Site Watcher checks SSL certificates continuously — expiry, chain, domain match, and protocol — from multiple locations. Combined with uptime, DNS, domain expiry, and vendor monitoring. $39/mo unlimited. Free for 3 targets.