QUICK ANSWER
To check an SSL certificate, click the padlock icon in your browser's address bar and view the certificate details. Check that the domain name matches, the certificate hasn't expired, and it's issued by a trusted authority. For a thorough check, use an automated scanner that also tests certificate chain, protocol versions, and cipher strength.
Quick browser check
The fastest way to check an SSL certificate is directly in your browser. Here is how to do it in each major browser:
Google Chrome
- Click the padlock icon to the left of the URL in the address bar
- Click "Connection is secure" then "Certificate is valid"
- A dialog opens showing the certificate details: issued to, issued by, and validity dates
- Check the "Details" tab for the full certificate chain
Mozilla Firefox
- Click the padlock icon, then click the arrow next to "Connection secure"
- Click "More information" and then "View Certificate"
- Firefox shows the full certificate hierarchy, including intermediate and root certificates
Safari (macOS)
- Click the padlock icon in the address bar
- Click "Show Certificate" in the dropdown
- Review the summary for validity dates and issuer
What to look for
When viewing certificate details, verify these four things:
- Domain match — the "Issued to" or "Common Name" field must exactly match the domain you are visiting. A certificate for example.com does not cover shop.example.com unless it is a wildcard certificate.
- Validity dates — the "Valid from" and "Valid to" dates must bracket today's date. An expired certificate is invalid regardless of everything else.
- Trusted issuer — the certificate must be signed by a certificate authority that your browser trusts (such as DigiCert, Let's Encrypt, Sectigo, or GlobalSign). Self-signed certificates trigger browser warnings.
- Complete chain — the certificate chain must be complete from the server certificate through any intermediate certificates to a trusted root. A broken chain causes errors even if the certificate itself is valid.
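The checks above, scripted as an added example (not PulseShield's code): `check_cert` applies the domain-match and validity-date rules to a certificate dict shaped like the output of Python's `ssl.SSLSocket.getpeercert()`, and `fetch_cert` relies on the default TLS context to enforce the trusted-issuer and complete-chain rules on a live connection. The function names and the sample certificate are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Apr  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "example.com"),),
}

def fetch_cert(host, port=443, timeout=5):
    """Live check: the default context verifies issuer trust, the chain and the
    hostname, raising ssl.SSLCertVerificationError if any of them fails."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def name_matches(pattern, hostname):
    """Exact match, or a wildcard standing in for exactly one leftmost label."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if p.startswith("*."):
        label, _, rest = h.partition(".")
        return bool(label) and rest == p[2:]
    return p == h

def check_cert(cert, hostname, now=None):
    """Return (problems, days_left) for a getpeercert()-style dict."""
    now = now or datetime.now(timezone.utc)
    problems = []
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # legacy fallback: use the Common Name only when no SAN exists
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(name_matches(n, hostname) for n in names):
        problems.append("name mismatch")
    start = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    end = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if now < start:
        problems.append("not yet valid")
    if now > end:
        problems.append("expired")
    return problems, (end - now).days

if __name__ == "__main__":
    now = datetime(2025, 3, 31, tzinfo=timezone.utc)  # the day before expiry
    for host in ("example.com", "shop.example.com"):
        print(host, check_cert(SAMPLE_CERT, host, now))
```

The `days_left` value is the number to alert on in a scheduled job, since a certificate with one day left still passes every browser check.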
Common SSL errors and what they mean
- Expired certificate — the certificate's validity period has ended. Renew it immediately. Browsers will block access to the site.
- Self-signed certificate — the certificate was not issued by a recognised certificate authority. Browsers display a full-page warning. Replace it with a certificate from a trusted authority.
- Name mismatch — the domain name in the certificate does not match the URL the visitor typed. This happens when a certificate for example.com is used on www.example.com without a Subject Alternative Name (SAN) covering both.
- Untrusted issuer — the intermediate certificate is missing from the server's configuration. The certificate itself may be valid, but the chain is broken. Install the correct intermediate certificate on your server.
- Weak cipher suite — the certificate is valid but the server is negotiating an outdated encryption algorithm. Disable weak ciphers (3DES, RC4) and enable TLS 1.2 or 1.3 only.
Online SSL checker tools
Several free online tools provide a deeper analysis than a browser check alone:
- SSL Labs Server Test — the gold standard. Tests your entire SSL configuration including protocol versions, cipher suites, certificate chain, and known vulnerabilities. Assigns an overall grade from A+ to F.
- SSL Shopper Checker — a simpler tool that verifies certificate installation, chain integrity, and common configuration errors.
These tools check things your browser does not show you, such as whether your server supports outdated protocols like TLS 1.0 or TLS 1.1, or whether it is vulnerable to attacks like ROBOT or Heartbleed.
What automated scanning covers
An automated security scanner goes beyond a basic browser check. PulseShield's SSL scanning checks all of the following:
- Certificate validity period and days until expiry
- Certificate chain completeness
- Supported TLS protocol versions (flags TLS 1.0 and 1.1 as weak)
- Cipher suite strength (flags weak or deprecated ciphers)
- HTTP Strict Transport Security (HSTS) header presence and configuration
- Mixed content detection on the page
- Redirect from HTTP to HTTPS
Regular automated scans catch issues that a one-off manual check will miss, such as a certificate that was valid last week but expires tomorrow. Read more about what SSL certificates are and why they matter.
What to do if you find a problem
If your check reveals an issue, the fix depends on the problem:
- Expired — renew the certificate. If using Let's Encrypt, check that auto-renewal is working.
- Missing intermediate — download the intermediate certificate from your certificate authority and install it on your server.
- Name mismatch — reissue the certificate with the correct domain names, or ensure your server redirects all traffic to the canonical domain.
- Weak protocols or ciphers — update your server configuration to disable TLS 1.0/1.1 and weak ciphers.
If your site also has mixed content warnings, see our guide to fixing mixed content on HTTPS pages.
Run a comprehensive SSL check
PulseShield checks your SSL certificate, security headers, cookie compliance, and 16 vulnerability types in a single free scan.