SSL Certificate Checker - Expiry & Chain
Inspect the live HTTPS certificate: validity window, SANs, issuer, and trust chain. Catch expiry and trust issues early, before browsers and APIs start rejecting connections.
Why the certificate still matters in a TLS 1.3 world
The certificate binds identities (DNS names, sometimes IPs or emails in SANs) to a public key. Browsers and libraries use that binding to authenticate the server before deriving session keys. A strong TLS configuration with a bad or mismatched certificate is worthless; conversely, a valid cert on a server with obsolete protocols is risky—so pair cert checks with a TLS checker.
What a proper inspection covers
Beyond expiry, look at key algorithm and length (RSA 2048+ or modern ECDSA curves), signature algorithm (avoid legacy SHA-1 in new deployments), and SAN coverage for every hostname and redirect target. Certificate Transparency logs (where exposed by the tool or CA) help detect mis-issuance. OCSP stapling reduces client latency and privacy leaks; absence isn’t always fatal but is a quality signal.
Types of certificates and when they fit
DV is sufficient for most SaaS and content sites if you control issuance and monitoring. Wildcard simplifies many subdomains but won’t cover the apex unless you add it explicitly or use a separate cert. Multi-SAN suits marketing sites with many branded hostnames behind one edge. Document ownership: know which account at which CA or cloud vendor actually renews each cert.
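The SAN coverage and wildcard rules in the two sections above can be checked mechanically against the list of hostnames and redirect targets a site serves. The following Python is an added example, not code from the checker tool; the function names, the sample certificate and the hostname list are constructed for illustration, and the input shape is the dict that Python's `ssl.SSLSocket.getpeercert()` returns.

```python
"""SAN coverage check for served hostnames and redirect targets."""

def _labels(name):
    # DNS names compare case-insensitively; drop a trailing root dot.
    return name.rstrip(".").lower().split(".")

def dns_sans(cert):
    """DNS entries from a getpeercert()-style dict (IP and email SANs are skipped)."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def san_matches(pattern, host):
    """True if one dNSName SAN entry covers host.

    A wildcard counts only as the whole left-most label and stands for
    exactly one label: *.example.com covers www.example.com, but not the
    apex example.com and not a.b.example.com.
    """
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Simplification: require two fixed labels so "*.com" never matches.
        # Real clients also reject wildcards over public suffixes.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def uncovered(cert, hostnames):
    """Hostnames (served names and redirect targets) that no SAN covers."""
    sans = dns_sans(cert)
    return [h for h in hostnames if not any(san_matches(s, h) for s in sans)]

# Constructed sample: a wildcard cert plus one explicit name.
SAMPLE_CERT = {"subjectAltName": (("DNS", "*.example.com"),
                                  ("DNS", "example.org"),
                                  ("IP Address", "192.0.2.10"))}
# Constructed list of names the site serves or redirects to.
HOSTNAMES = ["www.example.com", "example.com", "api.eu.example.com",
             "example.org", "WWW.Example.com."]

if __name__ == "__main__":
    for name in uncovered(SAMPLE_CERT, HOSTNAMES):
        print("no SAN covers", name)
```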
Common failure modes in production
Clock skew on VMs can make valid certs appear expired. Incomplete chains break older Android or custom Java trust stores. Name mismatches often trace to wrong DNS records (check with a DNS lookup) or a CDN CNAME pointing to a default hostname. After fixing TLS, review security headers so you are not only encrypted but also hardened against clickjacking and downgrade attacks.
Renewal automation, staging, and multi-environment drift
Production should not depend on a human calendar entry for renewal. ACME clients (including those behind managed certificates on clouds) need valid HTTP-01 or DNS-01 challenges—if someone changes A records or removes the challenge TXT, renewals fail silently until expiry. Maintain a staging pass against your CA’s test endpoint before touching production issuance scripts. Where you have blue/green clusters, confirm both active and standby terminators present the same leaf and chain; failover events expose whichever node still serves an old PKCS#12 bundle.
Enterprise MITM proxies and some antivirus products install local roots; your cert may validate in a locked-down corporate browser but fail for the open internet—always validate from external vantage points. For mTLS and internal PKI, public trust rules do not apply, but the same SAN and expiry discipline prevents midnight outages. If you rely on Certificate Transparency monitoring, set alerts on unexpected precertificates for your brand domains. After any infrastructure change, re-run this checker and the TLS scanner so identity (cert) and negotiation (protocol) stay aligned.
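The blue/green check described above, as an added Python example that is not code from the checker tool: it compares the leaf served by each terminator and flags nodes near or past expiry. The function names, node labels, 21-day threshold and sample data are assumptions made for illustration; only the leaf is compared, not the rest of the chain.

```python
import hashlib
import socket
import ssl

def fetch_leaf(ip, server_name, port=443, timeout=5.0):
    """Handshake with one terminator by IP, validating the cert for server_name."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()

def drift_report(nodes, now, warn_days=21):
    """nodes maps a node label to (leaf DER bytes, getpeercert() dict).

    now is epoch seconds from a trusted clock; a skewed local clock would
    make a valid cert look expired. Returns a list of findings.
    """
    findings, prints = [], {}
    for label, (der, info) in sorted(nodes.items()):
        prints[label] = hashlib.sha256(der).hexdigest()
        days = (ssl.cert_time_to_seconds(info["notAfter"]) - now) / 86400
        if days < 0:
            findings.append(f"{label}: expired {-days:.0f} days ago")
        elif days < warn_days:
            findings.append(f"{label}: expires in {days:.0f} days")
    if len(set(prints.values())) > 1:
        # Standby still serves a different (often older) leaf than active.
        findings.append("leaf mismatch: " + ", ".join(
            f"{k}={v[:12]}" for k, v in prints.items()))
    return findings

# Constructed sample: byte strings stand in for DER leaves; dates are made up.
NOW = ssl.cert_time_to_seconds("Mar  1 00:00:00 2030 GMT")
NODES = {
    "blue": (b"constructed-leaf-renewed", {"notAfter": "May 20 00:00:00 2030 GMT"}),
    "green": (b"constructed-leaf-old", {"notAfter": "Mar 10 00:00:00 2030 GMT"}),
}

if __name__ == "__main__":
    for finding in drift_report(NODES, NOW):
        print(finding)
```

In real use, build `nodes` by calling `fetch_leaf` once per terminator IP from an external vantage point; a handshake that raises `ssl.SSLCertVerificationError` is itself a finding.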
Frequently Asked Questions
- Is SSL the same as TLS?
  Colloquially people say SSL; in practice browsers negotiate TLS (today mostly TLS 1.2 and 1.3). Certificates are often still called SSL certificates, but the protocol layer is TLS. Checking the cert does not by itself prove TLS version or cipher quality—for that, use a dedicated [TLS scanner](/tls-checker).
- What certificate types should I know?
  DV proves domain control only. OV and EV add organization vetting (EV is rarely distinguished in modern browsers). Wildcard certs cover one level of subdomains (*.example.com, not nested *.*). Multi-domain (SAN) certs list explicit hostnames. Choose the shape that matches how you terminate TLS—load balancers, CDNs, and Kubernetes ingress each have constraints.
- What happens when a certificate expires?
  Clients show interstitials or hard failures; APIs and mobile apps may break silently until someone notices monitoring alerts. Automated renewal (ACME/Let’s Encrypt, or vendor automation) with staging tests prevents most incidents. Always verify the live chain after renewal, not just the leaf dates.
- How do I fix an incomplete or untrusted chain?
  Install the full chain the CA provides—typically leaf plus intermediate(s)—on the terminator. Missing intermediates cause “certificate not trusted” on some clients but not others. Some platforms bundle intermediates; others require you to append them explicitly.
- Why might the cert look fine but the site still fail?
  Mixed content, HSTS preload with wrong names, DNS pointing to the wrong host, or a reverse proxy serving an old cert. Also check [security headers](/security-headers) and redirects. Cross-check DNS with the [DNS lookup tool](/dns-lookup) if the IP or hostname path is ambiguous.