TLS | February 23, 2026 | 10 min read

SSL Certificate Check: How to Verify Your Site's TLS Security

Learn how to check SSL certificates for expiry, chain issues, and misconfigurations. Covers openssl commands, online SSL checkers, and automated monitoring.

By SecScanner Team

An SSL certificate check is the first step in verifying your website's transport security. Expired, misconfigured, or weak certificates expose your users to man-in-the-middle attacks and trigger browser warnings that destroy trust. This guide covers everything you need to know about checking SSL certificates — from quick online tools to deep command-line inspection with openssl.

Why SSL Certificate Checks Matter

SSL/TLS certificates serve three critical functions: they encrypt data in transit, authenticate your server's identity, and establish trust with browsers. When any of these break down, the consequences are immediate:

  • Expired certificates — browsers display full-page warnings, causing visitors to leave
  • Chain issues — missing intermediate certificates cause failures on some devices but not others
  • Weak algorithms — SHA-1 or 1024-bit RSA keys are considered insecure and may be rejected
  • Hostname mismatch — the certificate doesn't cover the domain being accessed
  • Revoked certificates — compromised certificates that should no longer be trusted

Quick SSL Certificate Check Online

The fastest way to check an SSL certificate is with an online SSL checker. SecScanner performs a comprehensive SSL certificate check as part of its security scan — verifying expiration dates, certificate chain validity, protocol versions, and cipher suite strength in seconds.

When running an SSL checker, look for these key indicators:

  • Certificate validity period — days remaining until expiration
  • Certificate chain — all intermediates present and correctly ordered
  • Protocol support — TLS 1.2 and 1.3 enabled, older versions disabled
  • Cipher suites — strong AEAD ciphers preferred, weak ciphers removed
  • OCSP stapling — revocation checking configured for performance

Check SSL Certificate with OpenSSL

For detailed inspection, the openssl command-line tool gives you complete control. Here's how to check an SSL certificate using openssl:

View Certificate Details

# Connect and display the certificate
# (</dev/null closes stdin so s_client exits after the handshake instead of waiting for input)
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -text -noout

# Check just the expiration date
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates

# Output:
# notBefore=Jan  1 00:00:00 2026 GMT
# notAfter=Apr  1 23:59:59 2026 GMT

Verify the Certificate Chain

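# Check the full certificate chain
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null

# Verify against system trust store
# (the result line is printed near the end of the output, so filter for it rather than taking the first lines)
openssl s_client -connect example.com:443 -servername example.com -verify_return_error </dev/null 2>&1 | grep -E "verify error|Verify return code"

# Look for: Verify return code: 0 (ok)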

Check SSL Certificate Expiration

# One-liner: print the expiration date
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -enddate

# Script to check multiple domains
for domain in example.com api.example.com; do
  expiry=$(echo | openssl s_client -connect "$domain:443" -servername "$domain" 2>/dev/null | openssl x509 -noout -enddate | cut -d= -f2)
  echo "$domain expires: $expiry"
done

Test Specific TLS Versions

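# Test TLS 1.3 support
openssl s_client -connect example.com:443 -tls1_3 </dev/null 2>&1 | grep -E "Protocol|Cipher is"

# Test TLS 1.2 support
openssl s_client -connect example.com:443 -tls1_2 </dev/null 2>&1 | grep -E "Protocol|Cipher is"

# Verify TLS 1.0 is disabled (should fail: a refused handshake reports "Cipher is (NONE)")
# A failure here can also come from the local OpenSSL build refusing TLS 1.0
openssl s_client -connect example.com:443 -tls1 </dev/null 2>&1 | grep -E "Protocol|Cipher is"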

Common SSL Certificate Problems

1. Expired Certificate

The most common issue. Let's Encrypt certificates expire every 90 days, and auto-renewal can silently break. Set up monitoring to catch this before your users do:

# Check if certificate expires within 30 days (2592000 seconds)
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -checkend 2592000
# Exit code 0 = valid, 1 = expiring soon

2. Incomplete Certificate Chain

Your server must send the full chain: leaf certificate + all intermediate certificates. Missing intermediates cause failures on Android and older systems while working fine on desktop browsers that cache intermediates.

# Count certificates in the chain (should be 2-3)
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | grep -c "BEGIN CERTIFICATE"
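
A count alone does not show whether the certificates link to each other. The script below is an added example, not part of the original article: it reads -showcerts output and checks that each issuer line matches the next subject line. It compares names only (it does not verify signatures), and the sample outputs and CA names are constructed.

```shell
#!/bin/sh
# check_chain: read `openssl s_client -showcerts` output on stdin and test that
# each certificate's issuer (i:) is the subject (s:) of the next one sent.
check_chain() {
  awk '
    /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0; next }
    END {
      if (n == 0) { print "NO_CHAIN"; exit }
      if (n == 1) {                       # only one certificate was sent
        r = (iss[1] == subj[1]) ? "SELF_SIGNED" : "LEAF_ONLY"
        print r; exit
      }
      for (k = 1; k < n; k++)
        if (iss[k] != subj[k + 1]) { print "BROKEN_AFTER " (k - 1); exit }
      print "LINKED " n
    }'
}

# Constructed sample outputs; the CA names are made up.
sample_good() { cat <<'EOF'
Certificate chain
 0 s:CN = example.com
   i:C = US, O = Example CA, CN = Example Intermediate R1
 1 s:C = US, O = Example CA, CN = Example Intermediate R1
   i:C = US, O = Example CA, CN = Example Root X1
EOF
}
sample_leaf_only() { cat <<'EOF'
Certificate chain
 0 s:CN = example.com
   i:C = US, O = Example CA, CN = Example Intermediate R1
EOF
}
sample_misordered() { cat <<'EOF'
Certificate chain
 0 s:CN = example.com
   i:C = US, O = Example CA, CN = Example Intermediate R1
 1 s:C = US, O = Example CA, CN = Example Root X1
   i:C = US, O = Example CA, CN = Example Root X1
 2 s:C = US, O = Example CA, CN = Example Intermediate R1
   i:C = US, O = Example CA, CN = Example Root X1
EOF
}

for s in sample_good sample_leaf_only sample_misordered; do
  echo "$s: $($s | check_chain)"
done
# Live use: openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | check_chain
```

LEAF_ONLY is the case that works on desktop browsers with cached intermediates and fails elsewhere; BROKEN_AFTER reports the index of the last certificate that still linked correctly.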

3. Hostname Mismatch

The certificate must cover the exact domain or a matching wildcard. A certificate for example.com won't work for www.example.com unless it includes both in the Subject Alternative Names (SANs).

# Check SANs on the certificate (the -ext option requires OpenSSL 1.1.1 or later)
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName
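
To turn the SAN listing into a pass/fail check, the following added example (not from the original article) tests whether a hostname is covered by the DNS entries, treating a wildcard as exactly one leftmost label. The function name san_covers and the sample SAN listings are constructed for illustration.

```shell
#!/bin/sh
# san_covers HOST: read `openssl x509 -noout -ext subjectAltName` output on
# stdin; exit 0 if a DNS entry covers HOST, 1 otherwise. A wildcard is honoured
# only as the whole leftmost label and stands for exactly one label.
san_covers() {
  awk -v host="$1" '
    BEGIN { host = tolower(host); found = 0 }
    {
      n = split($0, parts, /, */)
      for (k = 1; k <= n; k++) {
        e = tolower(parts[k])
        if (e !~ /dns:/) continue            # skip the header line and IP entries
        sub(/^.*dns:/, "", e); sub(/[ \t\r]+$/, "", e)
        if (e == host) { found = 1; continue }
        if (substr(e, 1, 2) != "*.") continue
        suffix = substr(e, 2)                # "*.example.com" -> ".example.com"
        cut = length(host) - length(suffix)
        if (cut > 0 && substr(host, cut + 1) == suffix && substr(host, 1, cut) !~ /\./)
          found = 1
      }
    }
    END { exit (found ? 0 : 1) }'
}

# Constructed SAN listings in the format openssl prints.
san_apex_only() { cat <<'EOF'
X509v3 Subject Alternative Name:
    DNS:example.com
EOF
}
san_wildcard() { cat <<'EOF'
X509v3 Subject Alternative Name:
    DNS:example.com, DNS:*.example.com, IP Address:192.0.2.10
EOF
}

for h in example.com www.example.com a.b.example.com; do
  if san_wildcard | san_covers "$h"; then echo "$h: covered"; else echo "$h: NOT covered"; fi
done
```

With the wildcard listing, a.b.example.com is not covered because the wildcard spans a single label; with the apex-only listing, www.example.com fails as described above.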

4. Mixed Content After HTTPS Migration

After installing an SSL certificate, ensure all resources load over HTTPS. Mixed content weakens your security and triggers browser warnings. See our mixed content fix guide for detailed solutions.

Automated SSL Certificate Monitoring

Manual checks don't scale. Here's how to automate SSL certificate expiration monitoring:

Cron-Based Monitoring Script

#!/bin/bash
# ssl-check.sh — alert if certificate expires within 14 days
DOMAINS="example.com api.example.com app.example.com"
THRESHOLD=14

for domain in $DOMAINS; do
  expiry_date=$(echo | openssl s_client -connect "$domain:443" -servername "$domain" 2>/dev/null | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)
  # An empty value means the connection or the certificate parse failed;
  # report that instead of computing days from a bogus date
  if [ -z "$expiry_date" ]; then
    echo "ERROR: could not retrieve certificate for $domain"
    continue
  fi
  # GNU date first, BSD/macOS date as fallback
  expiry_epoch=$(date -d "$expiry_date" +%s 2>/dev/null || date -j -f "%b %d %T %Y %Z" "$expiry_date" +%s)
  now_epoch=$(date +%s)
  days_left=$(( (expiry_epoch - now_epoch) / 86400 ))

  if [ "$days_left" -lt "$THRESHOLD" ]; then
    echo "WARNING: $domain certificate expires in $days_left days"
  fi
done

Use SecScanner for Continuous Monitoring

Rather than building custom scripts, SecScanner automatically checks your SSL certificate configuration on every scan — including expiration dates, chain validity, protocol versions, cipher strength, and OCSP stapling. It flags issues with clear remediation steps so you can fix problems before they affect users.

SSL Certificate Best Practices

  • Automate renewal — use Let's Encrypt with certbot or your hosting provider's auto-renewal
  • Monitor expiration — set alerts for 30, 14, and 7 days before expiry
  • Use TLS 1.2+ — disable TLS 1.0 and 1.1 (deprecated since 2020)
  • Enable OCSP stapling — improves performance and privacy of revocation checking
  • Deploy HSTS — force HTTPS connections via the Strict-Transport-Security header
  • Set up CAA records — restrict which CAs can issue certificates for your domain
  • Test after changes — always run an SSL check after certificate renewal or server changes
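
The cron script under "Cron-Based Monitoring Script" uses a single threshold and depends on GNU or BSD date; the added example below (not from the original article) maps a notAfter value onto the 30, 14, and 7-day alert points from the list above using portable awk date arithmetic. The tier names, function names, and fixed clock values are this example's own assumptions.

```shell
#!/bin/sh
# days_left NOTAFTER NOW: whole days (floored) from NOW (Unix seconds) until
# an openssl notAfter string such as "Apr  1 23:59:59 2026 GMT". Date math is
# done in awk, so neither GNU `date -d` nor BSD `date -j` is needed.
days_left() {
  echo "$1" | awk -v now="$2" '{
    p = index("JanFebMarAprMayJunJulAugSepOctNovDec", $1)
    if (NF < 4 || p == 0 || (p - 1) % 3) { print "NA"; exit }
    m = (p + 2) / 3; d = $2; y = $4; split($3, t, ":")
    if (m <= 2) { y--; m += 12 }   # count Jan/Feb as months 13/14 of the prior year
    days = 365*y + int(y/4) - int(y/100) + int(y/400) + int((153*(m-3) + 2)/5) + d - 719469
    expiry = days*86400 + t[1]*3600 + t[2]*60 + t[3]
    diff = (expiry - now) / 86400
    fl = int(diff); if (fl > diff) fl--   # floor: 12 hours past expiry is -1, not 0
    print fl
  }'
}

# expiry_tier NOTAFTER NOW: map days left onto the 30/14/7-day alert points.
# Tier names are this example's own labels.
expiry_tier() {
  d=$(days_left "$1" "$2")
  case "$d" in NA) echo UNKNOWN; return 0 ;; esac
  if   [ "$d" -lt 0 ];  then echo EXPIRED
  elif [ "$d" -le 7 ];  then echo CRITICAL
  elif [ "$d" -le 14 ]; then echo WARNING
  elif [ "$d" -le 30 ]; then echo NOTICE
  else echo OK
  fi
}

# Constructed input: the notAfter value from this guide's sample output,
# evaluated at fixed clock values so the result is reproducible.
NOT_AFTER="Apr  1 23:59:59 2026 GMT"
EXPIRY=1775087999   # that timestamp as Unix seconds
for offset in 3888000 864000 432000 -43200; do
  echo "now = expiry - ${offset}s: $(expiry_tier "$NOT_AFTER" $(($EXPIRY - $offset)))"
done
# Live use (cert.pem is a placeholder path):
# expiry_tier "$(openssl x509 -noout -enddate -in cert.pem | cut -d= -f2)" "$(date +%s)"
```

An unreadable or empty notAfter value yields UNKNOWN rather than a day count, so a failed connection is not mistaken for a certificate that is about to expire.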

How to Check SSL Certificate in Different Environments

Nginx

# Check which certificate Nginx is serving
nginx -T 2>/dev/null | grep ssl_certificate

# Verify the certificate file directly
openssl x509 -in /etc/nginx/ssl/example.com.crt -noout -dates -subject

Apache

# Find certificate paths in Apache config
apache2ctl -S 2>/dev/null | grep -i ssl
grep -r "SSLCertificateFile" /etc/apache2/

Node.js / Express

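const https = require('https');

// Resolve with basic details of the certificate served by hostname.
// Default TLS verification stays on, so an expired or untrusted
// certificate rejects with an error instead of resolving.
function checkCertificate(hostname) {
  return new Promise((resolve, reject) => {
    // agent: false opens a fresh connection, so the certificate comes from
    // a new handshake rather than a pooled keep-alive socket
    const req = https.request({ hostname, port: 443, method: 'HEAD', agent: false }, (res) => {
      const cert = res.socket.getPeerCertificate();
      resolve({
        subject: cert.subject.CN,
        issuer: cert.issuer.O,
        validFrom: cert.valid_from,
        validTo: cert.valid_to,
        // 86400000 ms = one day
        daysRemaining: Math.floor(
          (new Date(cert.valid_to) - Date.now()) / 86400000
        ),
      });
    });
    req.on('error', reject);
    req.end();
  });
}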

Checklist: Complete SSL Certificate Check

  • Certificate is not expired and has 30+ days remaining
  • Full certificate chain is served (leaf + intermediates)
  • Subject Alternative Names cover all your domains
  • TLS 1.2 and 1.3 enabled; TLS 1.0/1.1 disabled
  • Strong cipher suites only (AES-GCM, ChaCha20)
  • OCSP stapling enabled
  • HSTS header deployed with adequate max-age
  • CAA DNS records restrict authorized CAs
  • No mixed content issues on any page
  • Automated renewal and monitoring in place

Regular SSL certificate checks are essential for maintaining trust and security. Whether you use openssl from the command line or an automated SSL checker like SecScanner, the key is to make these checks part of your routine — not something you remember only when a certificate expires.
