SSL certificate checker

Check if your site works over HTTPS, whether the certificate is valid, and when it expires

Free

No sign-up

Instant results

Check results

This check only covers the SSL certificate. For a full picture of your page, run a page audit.

For issues across your whole site — duplicate titles, orphan pages, broken internal links — run a site audit.

Want us to fix what we found? Our team can help.

Page audit Site audit Fix errors

What is an SSL certificate and why it matters

An SSL/TLS certificate is a cryptographically signed file that a server presents when a browser connects over HTTPS. It does two things: encrypts the traffic between the user and the server (so ISPs, Wi-Fi operators, and other middleboxes can't read or modify page content), and authenticates that the server actually owns the domain being requested. When the handshake succeeds, the browser shows the padlock; when anything is wrong — expired, wrong domain, untrusted issuer — Chrome and Firefox block the page with a full-screen warning that most users simply won't click through. Google has confirmed HTTPS is a (small) ranking signal, but the larger effect is on user trust: Chrome labels any non-HTTPS site "Not Secure" in the address bar.

What this tool checks

HTTPS availability — whether the site responds on https:// at all
Certificate retrieval — whether the full TLS handshake completes and the certificate is readable (catches broken chains, missing intermediates)
Domain match — whether the certificate's Subject CN or Subject Alternative Names (SAN) cover the current hostname, including wildcard (*.example.com) resolution
Self-signed status — whether the certificate was issued by a recognized CA or signed by the server itself (untrusted by browsers)
TLS version — flags TLS 1.0 and 1.1 (deprecated by all major browsers in 2020); confirms TLS 1.2 or 1.3
Expiry date — reports the exact expiry date, days remaining, and escalates severity as the cutoff approaches (under 30 days → attention, under 7 days → critical, expired → bad)
Issuer — reports the CA (Let's Encrypt, DigiCert, Sectigo, etc.)

Why SSL matters for SEO

Ranking signal — Google uses HTTPS as a lightweight ranking factor (confirmed publicly in 2014); all else being equal, the HTTPS version ranks above HTTP
"Not Secure" label — Chrome, Firefox, and Safari all label HTTP pages "Not Secure" in the address bar; most users bounce before the page fully loads
Form warnings — any password or payment field on an HTTP page triggers an additional explicit "Not secure" browser warning during input
Expired cert = traffic loss — the full-page "Your connection is not private" warning blocks ~99% of visitors; an expired certificate on a busy site causes an immediate and severe traffic drop
Referrer preserved — when an HTTPS site links to another HTTPS site, the Referer header is preserved; HTTPS-to-HTTP strips it, which affects analytics attribution

Good vs bad examples

Good — Let's Encrypt certificate covering apex and www, issued automatically via certbot:

Subject: CN=example.com
SAN: example.com, www.example.com
Issuer: Let's Encrypt
Expires: 2026-07-15 (82 days)
Protocol: TLSv1.3

Good — wildcard certificate covering all first-level subdomains:

Subject: CN=*.example.com
SAN: *.example.com, example.com
Issuer: DigiCert
Protocol: TLSv1.3

Bad — certificate expired (full-page browser block, ~99% bounce rate):

Subject: CN=example.com
Expires: 2025-11-02 (expired 23 days ago)

Bad — request to www.example.com but certificate only covers apex:

Subject: CN=example.com
SAN: example.com                    ← no www listed
Request: https://www.example.com/
→ Browser: NET::ERR_CERT_COMMON_NAME_INVALID

Bad — self-signed certificate on a public site:

Subject: CN=example.com
Issuer: CN=example.com              ← issuer == subject
→ Browser: NET::ERR_CERT_AUTHORITY_INVALID

Common mistakes

Certificate covers apex but not www (or vice versa) — the most common "cert mismatch" error; fix by adding both domains as SANs when issuing (certbot: -d example.com -d www.example.com)
Broken renewal cron — Let's Encrypt certs are 90-day and certbot renews at 60 days left automatically; if the cert is expiring anyway, the renewal timer is broken (check systemctl status certbot.timer or crontab -l)
Missing intermediate certificate — the server sends only the leaf cert and not the intermediate chain; modern browsers fetch the intermediate via AIA, but some clients (curl, Java, older Android) fail. Fix by serving the full chain file (fullchain.pem from Let's Encrypt, not just cert.pem)
TLS 1.0/1.1 still enabled — silently accepted by the server but rejected by current browsers; fix with Nginx ssl_protocols TLSv1.2 TLSv1.3;
Self-signed cert in production — usually a leftover from a staging-to-prod deploy that didn't run the real certbot flow
HTTP still accessible after HTTPS is set up — the SSL checker passes but the site serves duplicate HTTP and HTTPS content; use the HTTP → HTTPS redirect checker to catch this

Frequently asked questions

What happens if the SSL certificate expires?

Every visitor gets a full-page "Your connection is not private" warning from the browser, and ~99% of users bounce instead of clicking through the "Advanced → Proceed" option. Traffic drops immediately, search rankings typically recover once the certificate is reissued but the short-term impact is severe. If you use Let's Encrypt, run sudo certbot renew --force-renewal right away, then fix the renewal cron — certbot normally renews at 30 days remaining, so if the cert actually expired, something broke the scheduled task (usually a firewall change blocking port 80 for the ACME challenge).

Why does my cert show as invalid for www but fine for the apex (or vice versa)?

A certificate is valid only for the domains explicitly listed in its Subject CN and Subject Alternative Names (SAN). A cert issued for example.com does not automatically cover www.example.com — that's a different hostname. This is the most common cause of "cert mismatch" warnings. Fix: reissue the certificate with both domains listed. With certbot: sudo certbot --nginx -d example.com -d www.example.com. For covering many subdomains at once, use a wildcard: -d "*.example.com" (requires DNS-01 validation). Always make sure the www-redirect checker also passes so users land on the canonical version before the cert is checked.

How often does the certificate need to be renewed?

Depends on the issuer. Let's Encrypt certificates are valid for 90 days and renew automatically via certbot (the installed cron/systemd timer triggers renewal at 30 days remaining). Paid certificates from commercial CAs are typically issued for 1 year, and increasingly the industry is moving toward shorter lifetimes — Apple and Google have proposed a 47-day maximum by 2029. If you use a commercial cert, set a calendar reminder 2 weeks before expiry so you have buffer for DNS validation and deployment.

Is free SSL worse than paid?

In terms of encryption and browser trust, no — Let's Encrypt uses the same cryptographic primitives and is trusted by all major browsers and operating systems. The difference is validation level: Let's Encrypt issues DV (domain-validated) certificates that only prove you control the domain; commercial CAs additionally sell OV (organization-validated) and EV (extended-validation) certificates that involve a manual vetting process. EV used to display the organization name in the address bar, but Chrome and Firefox removed that UI in 2019 — so EV has lost most of its practical user-visible benefit. For the large majority of sites, free Let's Encrypt is sufficient.