When you visit a website over HTTPS, the server hands you a certificate. That certificate is a cryptographic introduction: "I am example.com, and DigiCert vouches for me."

Checking a certificate means verifying that introduction. Is this really who they claim to be? Does anyone trustworthy vouch for them? Is their credential still valid?

The Quick Check: Your Browser

Every modern browser lets you inspect certificates. Click the padlock icon in the address bar.

Chrome, Edge, Brave: Padlock → "Connection is secure" → "Certificate is valid"

Firefox: Padlock → Arrow next to "Connection secure" → "More information" → "View Certificate"

Safari: Padlock → "Show Certificate"

This shows you everything: who issued the certificate, when it expires, what domains it covers, and the chain of trust from the website up to a root authority your browser trusts.

For casual browsing, this is all you need. If the padlock is there and nothing looks wrong, the introduction checks out.

What You're Actually Looking At

A certificate contains several fields that matter:

Subject: The domain name (and sometimes organization) this certificate identifies. This should match where you think you are.

Issuer: The Certificate Authority that vouched for this certificate. Names like Let's Encrypt, DigiCert, and GlobalSign are trusted. Unknown issuers are suspicious.

Validity Period: Certificates expire. The current date must fall between "Not Before" and "Not After."

Subject Alternative Names (SANs): The list of all domains this certificate covers. A certificate for example.com might also cover www.example.com and api.example.com.

Public Key: The cryptographic key the server will use. Modern certificates use RSA 2048-bit or ECC 256-bit keys. Anything smaller is weak.

Signature Algorithm: How the issuer signed this certificate. SHA-256 is standard. SHA-1 is deprecated and dangerous.

The Power Tool: OpenSSL

When you need more than a browser can show—or when you're checking certificates programmatically—OpenSSL is the standard tool.

Connect to a server and see everything:

openssl s_client -connect example.com:443 -servername example.com -showcerts

This performs a real TLS handshake and dumps the full certificate chain. The -servername flag handles SNI (Server Name Indication), which matters when multiple sites share an IP address.

To see the certificate decoded into human-readable form:

echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -text

Just the expiration dates:

echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates

Just the domains covered:

echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -text | grep DNS:

The certificate's fingerprint—a unique hash that identifies this exact certificate:

echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -fingerprint -sha256

Fingerprints are like passport numbers. If you know what fingerprint to expect, you can verify you're seeing the right certificate and not a fraudulent one.

Online Tools

Sometimes you want analysis without installing anything.

SSL Labs Server Test (ssllabs.com/ssltest): The thorough option. Enter a hostname and wait a few minutes. You get a complete security audit: certificate validity, supported protocols, cipher suites, vulnerabilities, and an overall grade. This is what security professionals use.

crt.sh: Search Certificate Transparency logs. Enter a domain and see every certificate ever issued for it. This matters because Certificate Transparency exists for a paranoid reason: we don't fully trust the system that issues certificates. By logging everything publicly, unauthorized certificates become visible.

DigiCert Certificate Inspector (digicert.com/help): Quick certificate details without the full SSL Labs scan.

Checking the Chain

Certificates form chains. Your site's certificate is signed by an intermediate CA, which is signed by a root CA that browsers trust.

If the chain is incomplete—if the server doesn't send the intermediate certificates—some browsers will fail to connect even though others succeed. They can't verify the introduction because they're missing a link.

In the output of openssl s_client -showcerts, count the certificate blocks (between BEGIN CERTIFICATE and END CERTIFICATE). You should see at least two: the site certificate and one or more intermediates. The root itself is normally not sent; the browser already has it in its trust store.

Browsers show the chain visually. Look for a sequence leading from your site's certificate up to a recognized root.

Checking Revocation

Certificates can be revoked before they expire—if the private key was compromised, if the organization changed, or if the certificate was issued incorrectly.

OCSP (Online Certificate Status Protocol) lets you check:

openssl s_client -connect example.com:443 -servername example.com -status

The -status flag asks the server for a stapled OCSP response. Look for "OCSP Response Status: successful" and "Cert Status: good." If the server doesn't staple, you get no response at all, which says nothing about whether the certificate is revoked; to find out, you would have to query the issuer's OCSP responder directly (openssl ocsp).

With the rise of short-lived certificates (90 days from Let's Encrypt), revocation matters less than it once did. A compromised certificate expires quickly anyway.

Common Problems

Expired: The most common issue. The certificate's validity period has passed.

Wrong Domain: The certificate doesn't list the domain you're visiting in its SANs. Common after deployments where the wrong certificate was installed.

Incomplete Chain: The server isn't sending intermediate certificates. Works in some browsers, fails in others.

Self-Signed: The certificate wasn't issued by a trusted CA. The server is vouching for itself, which defeats the purpose.

Weak Cryptography: SHA-1 signatures or RSA keys smaller than 2048 bits. Outdated and potentially vulnerable.

Automation

For production systems, don't check certificates manually. Automate it.

A simple monitoring script:

#!/bin/bash
# Usage: ./certdates.sh example.com  (prints notBefore/notAfter of the served certificate)
echo | openssl s_client -servername "$1" -connect "$1:443" 2>/dev/null | openssl x509 -noout -dates

Run this via cron. Alert when expiration approaches.

Better: use monitoring services like Uptime Robot, Pingdom, or dedicated SSL monitors. They'll alert you days or weeks before expiration, from multiple geographic locations, without you maintaining scripts.

For sophisticated setups, Prometheus exporters can publish certificate metrics for visualization in Grafana.
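An added example, not code from the original page, that automates the checks from "What You're Actually Looking At", "Common Problems" and this Automation section using only Python's standard ssl module: fetch_cert performs the live handshake with SNI and chain verification, and check_cert applies the validity-window, early-warning and SAN-matching rules to the dictionary getpeercert() returns. SAMPLE_CERT (including the "Constructed Example CA" issuer) is constructed, and warn_days is an assumed threshold.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_cert(hostname, port=443, timeout=5):
    """Live check: real TLS handshake with SNI, chain verified against the system roots."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()  # dict in the same shape as SAMPLE_CERT below

def san_matches(pattern, hostname):
    """DNS SAN matching: '*' only as the whole leftmost label, never spanning a dot."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".example.com"
        prefix = hostname[: -len(suffix)] if hostname.endswith(suffix) else None
        return bool(prefix) and "." not in prefix
    return pattern == hostname

def check_cert(cert, hostname, now=None, warn_days=14):
    """Return the list of problems found; an empty list means the introduction checks out."""
    now = now or datetime.now(timezone.utc)
    problems = []
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if now < not_before:
        problems.append("not yet valid")
    if now > not_after:
        problems.append("expired")
    elif (not_after - now).days < warn_days:  # the cron-style early warning (assumed threshold)
        problems.append(f"expires in {(not_after - now).days} days")
    # Browsers ignore the Subject CN; only the DNS SANs count for the domain check
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(san_matches(s, hostname) for s in sans):
        problems.append(f"wrong domain: {hostname} not covered by SANs {sans}")
    return problems

# Constructed sample in getpeercert() shape (not a real certificate)
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Constructed Example CA"),),),
    "notBefore": "Jan 10 00:00:00 2026 GMT",
    "notAfter": "Apr 10 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

if __name__ == "__main__":
    print(check_cert(SAMPLE_CERT, "api.example.com", datetime(2026, 4, 1, tzinfo=timezone.utc)))
```

For a real host, replace SAMPLE_CERT with fetch_cert("example.com") and run the script from cron; a non-empty result is the alert condition.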
