Is SSL the same as TLS?

Colloquially people say SSL; in practice browsers negotiate TLS (today mostly TLS 1.2 and 1.3). Certificates are often still called SSL certificates, but the protocol layer is TLS. Checking the cert does not by itself prove TLS version or cipher quality—for that, use a dedicated [TLS scanner](/tls-checker).

What certificate types should I know?

DV proves domain control only. OV and EV add organization vetting (EV is rarely distinguished in modern browsers). Wildcard certs cover one level of subdomains (*.example.com, not nested *.*). Multi-domain (SAN) certs list explicit hostnames. Choose the shape that matches how you terminate TLS—load balancers, CDNs, and Kubernetes ingress each have constraints.

What happens when a certificate expires?

Clients show interstitials or hard failures; APIs and mobile apps may break silently until someone notices monitoring alerts. Automated renewal (ACME/Let’s Encrypt, or vendor automation) with staging tests prevents most incidents. Always verify the live chain after renewal, not just the leaf dates.

How do I fix an incomplete or untrusted chain?

Install the full chain the CA provides—typically leaf plus intermediate(s)—on the terminator. Missing intermediates cause “certificate not trusted” on some clients but not others. Some platforms bundle intermediates; others require you to append them explicitly.

Why might the cert look fine but the site still fail?

Mixed content, HSTS preload with wrong names, DNS pointing to the wrong host, or a reverse proxy serving an old cert. Also check [security headers](/security-headers) and redirects. Cross-check DNS with the [DNS lookup tool](/dns-lookup) if the IP or hostname path is ambiguous.

SSL Certificate

v1.0.0

Validate SSL/TLS certificates and chains for any domain: check expiry, issuer, incomplete chains and weak ciphers. Inspect protocol support (TLS 1.2/1.3), HSTS and mixed content risks, and receive clear remediation steps to secure your site and avoid browser warnings.

SSL certificate information will appear here

Inspect the live HTTPS certificate: validity window, SANs, issuer, and trust chain. Catch expiry and trust issues early, before browsers and APIs start rejecting connections.

Read the full guide →

Frequently Asked Questions

Is SSL the same as TLS?: Colloquially people say SSL; in practice browsers negotiate TLS (today mostly TLS 1.2 and 1.3). Certificates are often still called SSL certificates, but the protocol layer is TLS. Checking the cert does not by itself prove TLS version or cipher quality—for that, use a dedicated [TLS scanner](/tls-checker).
What certificate types should I know?: DV proves domain control only. OV and EV add organization vetting (EV is rarely distinguished in modern browsers). Wildcard certs cover one level of subdomains (*.example.com, not nested *.*). Multi-domain (SAN) certs list explicit hostnames. Choose the shape that matches how you terminate TLS—load balancers, CDNs, and Kubernetes ingress each have constraints.
What happens when a certificate expires?: Clients show interstitials or hard failures; APIs and mobile apps may break silently until someone notices monitoring alerts. Automated renewal (ACME/Let’s Encrypt, or vendor automation) with staging tests prevents most incidents. Always verify the live chain after renewal, not just the leaf dates.
How do I fix an incomplete or untrusted chain?: Install the full chain the CA provides—typically leaf plus intermediate(s)—on the terminator. Missing intermediates cause “certificate not trusted” on some clients but not others. Some platforms bundle intermediates; others require you to append them explicitly.
Why might the cert look fine but the site still fail?: Mixed content, HSTS preload with wrong names, DNS pointing to the wrong host, or a reverse proxy serving an old cert. Also check [security headers](/security-headers) and redirects. Cross-check DNS with the [DNS lookup tool](/dns-lookup) if the IP or hostname path is ambiguous.