How to Check SSL Certificates Online (And What to Look For)

An expired SSL certificate is one of those problems that announces itself loudly and at the worst possible time — usually when a client or user calls to say your site is showing a security warning. A broken certificate chain is subtler but equally damaging. Knowing how to quickly inspect any site's SSL setup saves you from being caught off-guard.

The DevToolShack SSL Checker inspects any domain's certificate in seconds — no command line needed. Enter a domain, see the full certificate details immediately.

What Is an SSL Certificate?

An SSL/TLS certificate is a digital document that does two things: it proves the identity of a website (this server really is example.com), and it enables encrypted communication between the browser and server. Without a valid certificate, browsers show security warnings that most users won't click through.

Certificates are issued by Certificate Authorities (CAs) — trusted organisations like Let's Encrypt, DigiCert, and Sectigo. When a browser connects to a site, it checks that the certificate is valid, unexpired, issued by a trusted CA, and matches the domain being visited.

What to Check in an SSL Certificate

Expiry Date

The most common SSL failure. Certificates have a maximum validity period of 398 days (about 13 months) — and Let's Encrypt certificates expire every 90 days. When a certificate expires, browsers immediately block access with a hard error.

Don't wait for expiry. Set calendar reminders or use a monitoring service to alert you 30 days before expiry. Many hosting providers auto-renew Let's Encrypt certificates, but auto-renewal can fail silently — always verify it's actually happening.

Domain Coverage

The certificate must cover the exact domain (or domains) you're serving. Check that:

  • Both example.com and www.example.com are covered — they're treated as different domains
  • Any subdomains you use are covered — either explicitly or via a wildcard (*.example.com)
  • The Subject Alternative Names (SANs) include all domains you need
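
An added example (not code from the original post) that applies the expiry and domain-coverage checks above to the dictionary Python's `ssl.SSLSocket.getpeercert()` returns. The sample certificate, the host names and the helpers `name_covers` and `audit` are constructed for illustration; the 30-day threshold is the one suggested above.

```python
import socket
import ssl
import time

def fetch_cert(host, port=443, timeout=5):
    """Live fetch (not called below). A certificate that is already expired or
    mismatched raises ssl.SSLCertVerificationError, which is itself the finding."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def name_covers(pattern, host):
    """True if a SAN entry covers host; a wildcard spans exactly one left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    label, _, rest = h.partition(".")
    return bool(label) and rest == p[2:]

def audit(cert, needed_hosts, warn_days=30, now=None):
    """Return a list of findings: expiry within warn_days, and uncovered hosts."""
    now = time.time() if now is None else now
    findings = []
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    if days_left < 0:
        findings.append(f"expired {-days_left} days ago")
    elif days_left <= warn_days:
        findings.append(f"expires in {days_left} days")
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for host in needed_hosts:
        if not any(name_covers(s, host) for s in sans):
            findings.append(f"{host} not covered by SANs")
    return findings

# Constructed sample in the getpeercert() format (not a real certificate).
SAMPLE_CERT = {
    "notAfter": "May 30 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
SAMPLE_NOW = ssl.cert_time_to_seconds("May 10 00:00:00 2025 GMT")
NEEDED = ["example.com", "www.example.com", "api.staging.example.com"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CERT, NEEDED, now=SAMPLE_NOW):
        print(finding)
```

The wildcard entry covers www.example.com but neither the bare domain nor a two-level subdomain, which is why the sample lists example.com separately and still reports api.staging.example.com as uncovered.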

Certificate Chain

Your certificate doesn't stand alone — it's part of a chain of trust from your certificate up to a root CA that browsers inherently trust. If any intermediate certificate in the chain is missing or misconfigured, some browsers will reject the connection even though the certificate itself is valid.

This is one of the trickiest SSL issues to diagnose because it often works fine in Chrome (which is more lenient about fetching missing intermediates) but fails in curl, API clients, or older browsers.

Protocol and Cipher Support

Older TLS versions (TLS 1.0, TLS 1.1) are deprecated and disabled in modern browsers. Your server should be configured to use TLS 1.2 at minimum, with TLS 1.3 preferred. Weak cipher suites (RC4, DES, MD5-based) are also security red flags.

Common SSL Error Messages Decoded

| Error | Cause | Fix |
|---|---|---|
| Certificate expired | Past the notAfter date | Renew the certificate immediately |
| Certificate not yet valid | Before the notBefore date | Wait, or check server clock sync |
| Hostname mismatch | Certificate doesn't cover this domain | Get a certificate that includes the domain |
| Self-signed certificate | Not issued by a trusted CA | Replace with a CA-issued certificate |
| Incomplete chain | Missing intermediate certificate | Install the full chain on the server |
| Mixed content | HTTPS page loads HTTP resources | Update all resource URLs to HTTPS |

Checking SSL From the Command Line

If you prefer the terminal, openssl gives you full certificate details:

# View certificate details for a domain
openssl s_client -connect example.com:443 -servername example.com < /dev/null 2>/dev/null | openssl x509 -text -noout

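# Quick expiry check (-servername sends SNI so a shared host returns the right certificate)
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates

# Check the full chain
openssl s_client -connect example.com:443 -servername example.com -showcerts < /dev/null 2>/dev/null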

The browser-based SSL Checker pulls the same information without needing openssl installed — useful when you're on a machine without shell access or need to quickly check a client's site.

Checking SSL in API and curl Calls

When your application makes HTTPS requests and gets SSL errors, the error messages are often cryptic. Common ones:

# curl SSL error examples
curl: (60) SSL certificate problem: certificate has expired
curl: (60) SSL certificate problem: unable to get local issuer certificate
curl: (51) SSL: no alternative certificate subject name matches target host name

The second error — "unable to get local issuer certificate" — almost always means a missing intermediate certificate on the server. The SSL Checker will show you the chain and flag any gaps.
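
An added example (not part of the original post) for the missing-intermediate case: it reads the text printed by the `openssl s_client ... -showcerts` command shown earlier and checks that each served certificate's issuer is the subject of the next one. The two sample outputs are constructed, and `parse_chain`, `chain_findings` and the hint wording are chosen for this illustration.

```python
import re

# X509 verify codes that s_client prints on its "Verify return code" line.
VERIFY_HINTS = {
    10: "certificate has expired",
    20: "issuer certificate not found: intermediate likely missing",
    21: "leaf cannot be verified: intermediate likely missing",
}

def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] from the 'Certificate chain' section."""
    chain, subject = [], None
    for line in s_client_output.splitlines():
        s = re.match(r"\s*\d+ s:(.*)$", line)
        i = re.match(r"\s+i:(.*)$", line)
        if s:
            subject = s.group(1).strip()
        elif i and subject is not None:
            chain.append((subject, i.group(1).strip()))
            subject = None
    return chain

def chain_findings(s_client_output):
    """Flag a leaf-only chain, broken issuer links, and known verify codes."""
    chain, findings = parse_chain(s_client_output), []
    if len(chain) == 1 and chain[0][0] != chain[0][1]:
        findings.append("server sent only the leaf; no intermediate served")
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            findings.append(f"gap: no certificate served for issuer '{issuer}'")
    code = re.search(r"Verify return code: (\d+)", s_client_output)
    if code and int(code.group(1)) in VERIFY_HINTS:
        findings.append(VERIFY_HINTS[int(code.group(1))])
    return findings

# Constructed samples shaped like s_client output (names are placeholders).
LEAF_ONLY = """Certificate chain
 0 s:CN = shop.example.com
   i:O = Example CA, CN = Example Issuing CA 1
    Verify return code: 21 (unable to verify the first certificate)
"""
FULL_CHAIN = """Certificate chain
 0 s:CN = shop.example.com
   i:O = Example CA, CN = Example Issuing CA 1
 1 s:O = Example CA, CN = Example Issuing CA 1
   i:O = Example CA, CN = Example Root
    Verify return code: 0 (ok)
"""
```

Feed it the captured stdout of the `-showcerts` command; the PEM blocks between chain entries are ignored by the parser.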

Quick workflow: When an HTTPS request fails unexpectedly, run the domain through the SSL Checker first. It immediately tells you if the certificate is expired, misconfigured, or has a broken chain — ruling out the most common causes before you dig deeper into application code.

Free Certificates with Let's Encrypt

If you're still paying for SSL certificates for standard websites, you don't need to. Let's Encrypt provides free, automated, 90-day certificates that are trusted by all major browsers. Most hosting providers and web servers (Nginx, Apache, Caddy) have built-in Let's Encrypt support. Caddy in particular handles certificate issuance and renewal completely automatically with zero configuration.

The short 90-day lifetime is intentional — it forces automation and limits the damage window if a certificate is compromised. Auto-renewal should be set up from day one.