What is an SSL certificate?

An SSL (Secure Sockets Layer) certificate is a digital certificate that authenticates a website's identity and enables an encrypted connection via TLS (Transport Layer Security). When installed, it changes a site's URL from HTTP to HTTPS and displays a padlock icon in the browser. SSL certificates contain the domain name, the certificate authority (CA) that issued it, the CA's digital signature, issue and expiry dates, and the public key.

What is the difference between SSL and TLS?

SSL (Secure Sockets Layer) is the predecessor to TLS (Transport Layer Security). SSL versions 1.0-3.0 are all deprecated due to security vulnerabilities. Modern HTTPS connections use TLS 1.2 or TLS 1.3. The term 'SSL certificate' persists in common usage, but the certificates actually enable TLS connections. TLS 1.3 is the current standard, offering faster handshakes and stronger security than older versions.

How do I fix an expired SSL certificate?

To fix an expired SSL certificate, renew it through your certificate authority or hosting provider. If you use Let's Encrypt, run 'certbot renew' to renew certificates. Most hosting providers (Cloudflare, AWS, Vercel) handle SSL renewal automatically. After renewal, restart your web server (nginx, Apache) to load the new certificate. To prevent future expirations, set up automatic renewal with cron or use a monitoring service like UptimeSignal that alerts you before certificates expire.

Yes. Google has used HTTPS as a ranking signal since 2014. Sites with valid SSL certificates rank slightly higher than HTTP-only sites. Additionally, Chrome and other browsers mark HTTP sites as 'Not Secure', which deters visitors and increases bounce rates. HTTPS is also required for HTTP/2 and HTTP/3 protocols, which improve page load speed - another SEO ranking factor.

SSL Certificate Checker - Free SSL Validation Tool

What is an SSL/TLS Certificate?

An SSL/TLS certificate is a digital document that binds a cryptographic key to an organization's identity. When installed on a web server, it activates the HTTPS protocol, enabling secure encrypted connections between the server and web browsers.

The certificate system relies on a chain of trust. Certificate Authorities (CAs) like Let's Encrypt, DigiCert, and Sectigo verify domain ownership before issuing certificates. Browsers maintain a list of trusted CAs and validate certificates against this list during the TLS handshake. If the certificate is expired, self-signed, or issued by an untrusted CA, the browser displays a security warning.

Modern TLS certificates typically use RSA 2048-bit or ECDSA P-256 keys for authentication and AES-256-GCM for data encryption. The TLS 1.3 handshake completes in just one round trip (1-RTT), or even zero round trips (0-RTT) for resumed connections, making HTTPS nearly as fast as unencrypted HTTP.

Why SSL Certificates Matter

SSL certificates encrypt the connection between your users and your website. Without a valid SSL certificate, browsers will show security warnings that scare away visitors and search engines will penalize your rankings.

Expired or misconfigured SSL certificates are a common cause of outages. Your site might be running fine, but if your SSL cert expires, browsers will block access entirely. This is why automated SSL monitoring is critical for production systems.

Common SSL Certificate Types

Type	Validation	Use Case
DV (Domain Validated)	Domain ownership only	Blogs, personal sites, APIs
OV (Org Validated)	Domain + organization	Business sites, SaaS
EV (Extended Validation)	Full legal entity verification	Banking, e-commerce
Wildcard (*.domain.com)	Covers all subdomains	Multi-subdomain apps

Check SSL Certificates in Code

Bash (OpenSSL)

# Check SSL certificate details
openssl s_client -connect example.com:443 -servername example.com \
  /dev/null | openssl x509 -noout -dates -subject -issuer

# Check expiry date only
echo | openssl s_client -connect example.com:443 2>/dev/null \
  | openssl x509 -noout -enddate

# Check days until expiry
EXPIRY=$(echo | openssl s_client -connect example.com:443 2>/dev/null \
  | openssl x509 -noout -enddate | cut -d= -f2)
echo $(( ($(date -d "$EXPIRY" +%s) - $(date +%s)) / 86400 )) days

Python

import ssl
import socket
from datetime import datetime

def check_ssl(domain, port=443):
    ctx = ssl.create_default_context()
    with ctx.wrap_socket(socket.socket(), server_hostname=domain) as s:
        s.settimeout(10)
        s.connect((domain, port))
        cert = s.getpeercert()

    expiry = datetime.strptime(cert['notAfter'], '%b %d %H:%M:%S %Y %Z')
    days_left = (expiry - datetime.utcnow()).days

    return {
        'subject': dict(x[0] for x in cert['subject']),
        'issuer': dict(x[0] for x in cert['issuer']),
        'expires': expiry.isoformat(),
        'days_left': days_left,
    }

print(check_ssl('uptimesignal.io'))

cURL

# Check SSL and show certificate info
curl -vI https://example.com 2>&1 | grep -A 6 'Server certificate'

# Fail on SSL errors (useful in CI/CD)
curl --fail --ssl-reqd https://api.example.com/health

# Check with specific TLS version
curl --tlsv1.3 -I https://example.com

Frequently Asked Questions

How often should I check my SSL certificate?

You should monitor your SSL certificate continuously. Let's Encrypt certificates are valid for 90 days and auto-renew at 30 days before expiry, but renewal can fail silently. Commercial certificates are valid for 1 year (since 2020, the maximum validity is 398 days). Use an automated monitoring service like UptimeSignal that checks your certificate on every request and alerts you 14 days before expiry, giving you time to fix any issues.

What does "certificate chain incomplete" mean?

A certificate chain error means your server is not sending the intermediate certificates needed to verify your SSL certificate. Browsers need the full chain: your certificate, plus any intermediate CA certificates, up to a trusted root CA. To fix this, configure your web server to include the full certificate chain. In nginx, concatenate your certificate with the intermediate certificates in your ssl_certificate file. In Apache, use the SSLCertificateChainFile directive.

Is Let's Encrypt good enough for production?

Yes. Let's Encrypt provides Domain Validated (DV) certificates that offer the same encryption strength as paid certificates. The encryption algorithm (AES-256, etc.) is determined by your server configuration, not the certificate type. Let's Encrypt is used by millions of production sites including major companies. The main differences with paid certificates are validation level (DV only, no OV/EV), shorter validity period (90 days vs 1 year), and no warranty. For most web applications and APIs, Let's Encrypt is the recommended choice.

How do I set up SSL on Cloudflare, AWS, or Vercel?

Cloudflare: SSL is automatic when you proxy through Cloudflare. Choose "Full (Strict)" mode to encrypt traffic end-to-end. AWS: Use ACM (AWS Certificate Manager) for free certificates and attach them to ALB, CloudFront, or API Gateway. Vercel: SSL is automatic for all deployments, including custom domains. All three platforms handle certificate renewal automatically. If you manage your own server, use Certbot with Let's Encrypt for automated certificate provisioning and renewal.

Get alerted before your SSL expires

UptimeSignal monitors SSL certificates on every check and alerts you 14 days before expiry. Never get caught by a surprise certificate outage.

Start monitoring free →

SSL Certificate Checker

What is an SSL/TLS Certificate?

Why SSL Certificates Matter

Common SSL Certificate Types

Check SSL Certificates in Code

Bash (OpenSSL)

Python

cURL

Frequently Asked Questions

Get alerted before your SSL expires

More Free Tools

Is It Down?

HTTP Status Checker

Test Endpoints