Here’s a detailed guide on how to check if an SSL/TLS certificate is valid, including what “valid” means and the tools/methods you can use:
What “Valid” Means for an SSL Certificate
A valid SSL certificate meets several criteria:
- Not expired – The current date is within the certificate’s “valid from” and “valid until” dates.
- Issued by a trusted Certificate Authority (CA) – Browsers recognize the CA as trustworthy.
- Matches the domain – The certificate’s common name (CN) or Subject Alternative Name (SAN) includes the domain you’re visiting.
- Proper certificate chain – All intermediate certificates are installed so browsers can verify the chain up to a trusted root.
- No revocation – The certificate has not been revoked by the CA (CRL or OCSP check).
1. Browser Method (Quickest Check)
All modern browsers allow you to inspect certificates:
Steps:
- Open the website in Chrome, Firefox, Edge, or Safari.
- Click the padlock icon in the address bar.
- Click Certificate or Connection is secure → View certificate.
- Check:
- Valid from / to dates
- Issued to / issued by
- Certificate chain (intermediates)
Pros:
- Fast and easy
- Shows expiration and issuer
- Immediate visual confirmation
Cons:
- Doesn’t check revocation thoroughly
- Limited security analysis
2. Online SSL Checkers
These provide detailed certificate validation:
Popular tools:
- SSL Labs SSL Test – Shows expiration, chain issues, protocol support, vulnerabilities, and overall rating.
- SSL Checker – Quick check for validity, issuer, and expiration.
- Geekflare SSL Test – Includes certificate validity, chain, and weak cipher warnings.
Pros:
- Detailed and accurate
- Checks chain, expiration, protocols, and common vulnerabilities
Cons:
- Requires Internet access
- Free versions may have limitations for large-scale checks
3. Command-Line Tools
For administrators or developers:
a) OpenSSL
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com
- Displays the server certificate, issuer, and chain.
- You can also extract expiration dates:
openssl x509 -noout -dates -in cert.pem
b) cURL
curl -Iv https://yourdomain.com
- Shows certificate info and HTTPS handshake details.
c) Nmap
nmap --script ssl-cert -p 443 yourdomain.com
- Checks expiration, issuer, and validity.
Pros:
- Detailed and scriptable
- Works for servers without a browser
Cons:
- Requires technical knowledge
4. Monitoring Tools for SSL Expiration
For ongoing monitoring, especially for multiple websites:
- Let’s Encrypt / Certbot – Reports certificate expiration and automates renewal.
- Nagios, Zabbix, or Prometheus – Can alert when SSL is near expiration.
- UptimeRobot, StatusCake, Site24x7 – Monitor SSL expiry and notify automatically.
5. Things to Check for Validity
When validating an SSL certificate:
- Expiration date – Make sure it is still valid.
- Domain match – Certificate matches the domain visited.
- Certificate chain – All intermediate certificates are installed correctly.
- Browser trust – No warnings in modern browsers.
- Revocation status – Optionally check CRL or OCSP.
Summary
- Quick check: Click the padlock in your browser.
- Detailed check: Use SSL Labs, SSL Checker, or Geekflare.
- Command-line / server check: Use OpenSSL, cURL, or Nmap.
- Ongoing monitoring: Use automated tools or scripts to alert before expiration.