How to Check Certificate Verification

In today’s digitally connected world, ensuring the authenticity and integrity of online communications is more critical than ever. Certificate verification is the backbone of secure web interactions — from logging into your bank account to submitting sensitive personal data through an e-commerce platform. At its core, certificate verification confirms that a website’s SSL/TLS certificate is valid, properly issued, and trusted by browsers and operating systems. Without this process, users are vulnerable to man-in-the-middle attacks, phishing scams, and data breaches.

Many website owners, developers, and IT administrators assume that if a padlock icon appears in the browser’s address bar, everything is secure. But that’s not always true. A certificate may be expired, misconfigured, self-signed, or issued by an untrusted authority — all of which compromise security without triggering obvious warnings. Knowing how to check certificate verification thoroughly empowers you to proactively identify and resolve these hidden risks before they impact users or your organization’s reputation.

This guide provides a comprehensive, step-by-step breakdown of how to check certificate verification across multiple platforms and tools. Whether you’re managing a small business website or overseeing enterprise infrastructure, understanding the nuances of certificate validation ensures your digital presence remains secure, compliant, and trustworthy.

Step-by-Step Guide

1. Using a Web Browser to Check Certificate Verification

The most accessible way to verify a certificate is through your web browser. Modern browsers like Google Chrome, Mozilla Firefox, Microsoft Edge, and Safari display visual indicators — such as a padlock icon — to signal secure connections. However, these indicators are only the first layer of verification. To dig deeper:

1. Open your preferred browser and navigate to the website you want to verify (e.g., https://example.com).
2. Click the padlock icon located to the left of the URL in the address bar.
3. Select “Certificate” or “Connection is secure” → “Certificate” (the exact wording varies by browser).
4. A new window will open displaying the certificate details, including the issuer, subject, validity period, and public key information.

Pay close attention to the following fields:

• Issued to: Should match the domain name you’re visiting. A mismatch here indicates a misconfigured or fraudulent certificate.
• Issued by: Must be a trusted Certificate Authority (CA) such as DigiCert, Let’s Encrypt, Sectigo, or GlobalSign. Self-signed certificates or those from obscure issuers are red flags.
• Valid from / Valid to: Check the expiration date. Certificates typically last one to two years. If the current date falls outside this range, the certificate is invalid.
• Certificate chain: Ensure the full chain is present — including intermediate certificates. Missing intermediates can cause trust issues even if the root certificate is valid.

For example, if you visit https://amazon.com and see “Issued by: DigiCert TLS RSA SHA256 2020 CA1” with a validity period extending into 2026, you can be confident the certificate is properly configured. Conversely, if you see “Issued by: Unknown” or “Self-signed,” further investigation is required.

2. Using Online SSL Checker Tools

While browsers offer a quick glance, specialized online tools provide deeper analysis. These tools examine not only the certificate itself but also server configuration, protocol support, cipher suites, and potential vulnerabilities.

Here’s how to use an SSL checker:

1. Visit a trusted SSL verification service such as SSL Labs (https://www.ssllabs.com/ssltest/), Qualys SSL Test, or SSL Shopper (https://www.sslshopper.com/ssl-checker.html).
2. Enter the full domain name (e.g., www.yourdomain.com) in the input field.
3. Click “Submit” or “Check” to initiate the scan.
4. Wait for the report to generate — this may take 30 seconds to 2 minutes depending on server response times.

The resulting report typically includes:

• Certificate Chain: Confirms whether all intermediate certificates are installed correctly.
• Expiration Date: Highlights how many days remain before renewal is required.
• Protocol Support: Lists supported TLS versions (e.g., TLS 1.2, TLS 1.3). Older protocols like SSL 3.0 or TLS 1.0 should be flagged as insecure.
• Cipher Suites: Evaluates encryption strength. Weak ciphers like RC4 or DES should be avoided.
• Trust: Indicates whether the certificate is trusted by major browsers and operating systems.
• Warnings and Errors: Lists specific issues such as mismatched domain names, revoked certificates, or incomplete chains.

For instance, SSL Labs assigns an overall grade (A+ to F). A site with an “A+” rating has a properly configured certificate, strong encryption, and no known vulnerabilities. A “B” or lower suggests configuration issues that need immediate attention.

3. Checking Certificate Verification via Command Line (OpenSSL)

For advanced users and system administrators, command-line tools offer granular control and automation capabilities. OpenSSL is the most widely used utility for inspecting SSL/TLS certificates directly from a terminal.

To check a certificate using OpenSSL:

1. Open your terminal or command prompt.
2. Enter the following command: openssl s_client -connect example.com:443 -servername example.com
3. Press Enter. The output will include detailed certificate information.
4. To extract only the certificate data, use: openssl s_client -connect example.com:443 -servername example.com | openssl x509 -noout -text

The output will display:

• Subject and Issuer details
• Validity period (Not Before / Not After)
• Public key algorithm and size (e.g., RSA 2048-bit or ECDSA 256-bit)
• Signature algorithm (e.g., SHA256 with RSA)
• Extensions such as Subject Alternative Names (SANs)

Look for:

• Whether the domain appears in the Subject Alternative Name field — essential for multi-domain or wildcard certificates.
• Whether the certificate uses SHA-256 or stronger hashing. SHA-1 certificates are deprecated and considered insecure.
• Whether the certificate chain is complete. If you see “Verify return code: 21 (unable to verify the first certificate),” the server is missing intermediate certificates.

To verify a locally stored certificate file (e.g., a .crt or .pem file), use: openssl x509 -in certificate.crt -text -noout

4. Verifying Certificate Revocation Status

Even if a certificate is valid and properly issued, it may have been revoked due to compromise, misissuance, or key exposure. Two primary methods exist to check revocation status: Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP).

To check revocation via OCSP using OpenSSL:

1. First, extract the OCSP responder URL from the certificate. Use: openssl x509 -in certificate.crt -noout -ocsp_uri
2. Then, query the OCSP server: openssl ocsp -issuer issuer.crt -cert certificate.crt -url [OCSP_URL] -no_nonce

Alternatively, use online tools like SSL Labs, which automatically test OCSP and CRL revocation status and report whether the certificate has been revoked.

A certificate marked as “revoked” must be immediately replaced. Continuing to use a revoked certificate exposes users to security risks and may trigger browser warnings.

5. Checking Certificate Installation on Multiple Servers

If your website is hosted across multiple servers (e.g., load-balanced environments, CDNs, or regional data centers), each server must have the correct certificate installed. A misconfiguration on just one server can cause intermittent security warnings for users.

To verify consistency:

1. Use an SSL checker tool and test multiple endpoints (e.g., www.yourdomain.com, api.yourdomain.com, m.yourdomain.com).
2. Use a script to automate checks across IP addresses or hostnames. Example using Bash and OpenSSL:

!/bin/bash
domains=("example.com" "www.example.com" "api.example.com")
for domain in "${domains[@]}"; do
echo "Checking $domain..."
openssl s_client -connect $domain:443 -servername $domain 2>/dev/null | openssl x509 -noout -subject -issuer -dates
done

Compare the output across all servers. Any discrepancies in issuer, expiration date, or SANs indicate misconfigurations requiring correction.

6. Validating Certificate for Wildcard and Multi-Domain Certificates

Wildcard certificates (e.g., *.example.com) and Multi-Domain (SAN) certificates simplify management but introduce complexity in verification.

For wildcard certificates:

• Ensure the certificate covers all subdomains you intend to secure (e.g., mail.example.com, blog.example.com).
• Verify that the common name (CN) is listed as *.example.com and not just example.com.
• Test subdomains individually using the methods above. Some servers may not be configured to present the wildcard certificate correctly.

For Multi-Domain (SAN) certificates:

• Use the OpenSSL command: openssl x509 -in cert.crt -text -noout | grep -A1 "Subject Alternative Name"
• Confirm all domains listed under DNS: are correct and fully qualified.
• Check that the certificate includes both www and non-www versions if needed.

Failure to include a domain in the SAN field will result in browser warnings, even if the certificate is otherwise valid.

Best Practices

1. Automate Certificate Monitoring

Manually checking certificates once a month is insufficient. Certificates expire unexpectedly, and human error can lead to lapses. Implement automated monitoring using tools like:

• Let’s Encrypt + Certbot — Automatically renews certificates before expiration.
• Prometheus + Blackbox Exporter — Monitors certificate expiration dates and triggers alerts.
• Uptime Robot or Datadog — Sends notifications when a certificate is within 30 days of expiry.

Set up alerts at 60, 30, and 7 days before expiration to ensure ample time for renewal.

2. Use Trustworthy Certificate Authorities

Always obtain certificates from reputable Certificate Authorities (CAs) recognized by major browsers and operating systems. Avoid self-signed certificates in production environments. While they’re useful for testing, they trigger browser warnings and erode user trust.

Popular trusted CAs include:

• Let’s Encrypt (free, automated)
• DigiCert
• GlobalSign
• Sectigo
• GoDaddy

Verify that your CA is listed in the root certificate store of major platforms (Windows, macOS, iOS, Android, Linux).

3. Install Full Certificate Chains

Many certificate issuers provide only the end-entity certificate. However, browsers require the full chain — including intermediate certificates — to establish trust. Failing to install intermediates results in “untrusted certificate” errors on some devices.

Always combine your certificate with the intermediate bundle provided by your CA. For example:

• Concatenate your certificate + intermediate certificate(s) into a single file: cat your_domain.crt intermediate.crt > fullchain.crt
• Configure your web server (Apache, Nginx, IIS) to serve the fullchain.crt file, not just your domain certificate.

4. Enforce Strong Encryption Standards

Ensure your server uses modern cryptographic standards:

• Use TLS 1.2 or higher. Disable SSLv3, TLS 1.0, and TLS 1.1.
• Prefer ECDHE key exchange for forward secrecy.
• Use RSA keys of at least 2048 bits or ECDSA keys of 256 bits or higher.
• Disable weak cipher suites like RC4, 3DES, and DES.

Use tools like SSL Labs to audit your configuration and apply recommendations from the “Configuration” section of the report.

5. Regularly Audit Certificate Usage

Organizations often accumulate unused or forgotten certificates across servers, applications, and APIs. These become security liabilities over time.

Perform quarterly audits to:

• Identify and remove stale certificates.
• Update certificates on legacy systems.
• Document which certificate is used where (use a certificate inventory spreadsheet or CMDB tool).

6. Implement Certificate Transparency (CT)

Certificate Transparency is an open framework that logs all issued certificates in public, append-only logs. This prevents rogue CAs from issuing certificates without detection.

To verify CT compliance:

• Check if your certificate is logged using https://crt.sh/ — enter your domain name and see if it appears in the results.
• Ensure your CA is CT-compliant (most reputable CAs are).
• Modern browsers (Chrome, Safari) require CT logging for extended validation (EV) and some OV certificates.

CT logs provide an additional layer of accountability and help detect misissuance or malicious certificates.

7. Educate Your Team

Security is only as strong as the people enforcing it. Train developers, DevOps engineers, and system administrators on:

• How to interpret certificate errors.
• The importance of certificate renewal timelines.
• How to properly install and configure certificates on different platforms.

Document internal procedures for certificate issuance, renewal, and revocation. Create checklists to ensure consistency.

Tools and Resources

Essential Online Tools

• SSL Labs (SSL Server Test) — https://www.ssllabs.com/ssltest/ — Industry-standard analysis tool with detailed grading and configuration recommendations.
• SSL Shopper Certificate Checker — https://www.sslshopper.com/ssl-checker.html — Simple interface for quick certificate verification.
• DigiCert SSL Installation Diagnostics Tool — https://www.digicert.com/help/ — Validates certificate installation and chain completeness.
• Let’s Encrypt Certificate Lookup — https://crt.sh/ — Search public Certificate Transparency logs to verify issuance and detect unauthorized certificates.
• SecurityHeaders.io — https://securityheaders.com/ — While not focused on certificates, it checks HTTP security headers that complement SSL/TLS security.

Command-Line Tools

• OpenSSL — The standard for inspecting and managing certificates. Available on Linux, macOS, and Windows (via WSL or Cygwin).
• cURL — Use curl -vI https://example.com to view certificate details in verbose mode.
• TestSSL.sh — https://github.com/drwetter/testssl.sh — Open-source command-line tool for comprehensive SSL/TLS testing.
• Nmap with ssl-cert script — nmap --script ssl-cert -p 443 example.com — Scans for SSL certificates on remote hosts.

Monitoring and Automation Platforms

• Certbot — Automates certificate issuance and renewal for Let’s Encrypt.
• HashiCorp Vault — Centralized secrets management including certificate lifecycle control.
• Prometheus + Alertmanager — Monitor certificate expiration via blackbox exporter and trigger alerts.
• Ansible / Terraform — Automate certificate deployment across infrastructure as code.

Documentation and Standards

• CA/Browser Forum Baseline Requirements — https://cabforum.org/ — Defines industry standards for certificate issuance and validation.
• NIST Cybersecurity Framework — https://www.nist.gov/cyberframework — Includes guidance on cryptographic practices.
• OWASP Transport Layer Protection Cheat Sheet — https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html — Best practices for securing communications.

Real Examples

Example 1: Expired Certificate Causes Downtime

A mid-sized e-commerce company noticed a sudden drop in sales. Upon investigation, customers reported “Your connection is not private” warnings when attempting to checkout. A quick check using SSL Labs revealed the certificate expired three days prior. The IT team had assumed automatic renewal was enabled, but the Certbot cron job had failed silently due to a misconfigured path. The issue was resolved by manually renewing the certificate and fixing the automation script. The company implemented a weekly alert system and now avoids similar incidents.

Example 2: Missing Intermediate Certificate

A government agency deployed a new web portal using a certificate from a reputable CA. The site worked perfectly on their internal network but failed on external devices. SSL Labs reported “Chain issues: Missing intermediate.” The problem? The server administrator installed only the end-entity certificate and ignored the intermediate bundle. After downloading and concatenating the correct chain file from the CA’s website, the site passed all trust checks and became fully accessible.

Example 3: Wildcard Certificate Misconfiguration

A SaaS provider used a wildcard certificate (*.company.com) for all subdomains. However, when users accessed app.company.com, browsers displayed a certificate error. The issue? The certificate was issued for *.company.com, but the DNS record pointed to app.company.com. The problem was not the certificate itself — it was that the server was serving a different certificate (a self-signed one) for the app subdomain. After reconfiguring the web server to serve the correct wildcard certificate, the issue was resolved.

Example 4: Revoked Certificate Detected via OCSP

A financial institution’s API gateway began returning intermittent 502 errors. A security audit using SSL Labs revealed the certificate had been revoked due to a compromised private key. The CA had issued a revocation notice, but the server had not been updated. The team immediately replaced the certificate, rotated the private key, and reviewed their key storage policies to prevent future exposure.

Example 5: Certificate Transparency Violation

During a routine audit, a developer discovered a certificate for their domain had been issued by an unknown CA and was logged in Certificate Transparency logs. This indicated a potential compromise or misissuance. The company contacted their primary CA, who confirmed the certificate was fraudulent. The domain was added to a revocation list, and the company strengthened their domain control validation (DCV) procedures to prevent future unauthorized issuance.

FAQs

What happens if a certificate is not verified?

If a certificate fails verification, browsers display warning messages such as “Your connection is not private,” “This site’s certificate is not trusted,” or “NET::ERR_CERT_AUTHORITY_INVALID.” Users may be blocked from accessing the site, leading to loss of trust, reduced conversions, and potential compliance violations.

Can I check a certificate for a site that requires login?

Yes, but you must use tools that support authentication. For example, use cURL with cookies or headers: curl -H "Cookie: session=abc123" https://example.com. Alternatively, test the certificate on the login page before authentication, as the certificate is presented before any session data is exchanged.

How often should I check my SSL certificate?

At minimum, check monthly. For critical systems, use automated monitoring with alerts at 60, 30, and 7 days before expiration. Many organizations now automate renewal entirely using tools like Certbot.

Why does my certificate show as “Not Secure” even though it’s valid?

This typically occurs when the site serves mixed content (HTTP resources on an HTTPS page), the certificate is not installed on all server instances, or the domain name doesn’t match the certificate’s Common Name or SANs. Use browser developer tools (Network tab) to identify insecure resources.

Are free certificates as secure as paid ones?

Yes. Certificates from Let’s Encrypt and other free CAs use the same encryption standards as paid certificates. The difference lies in additional services like warranty coverage, extended validation (EV), and customer support — not in security strength.

What’s the difference between DV, OV, and EV certificates?

• DV (Domain Validation): Verifies domain ownership only. Fast and free. Suitable for blogs and small sites.
• OV (Organization Validation): Verifies domain ownership and organizational identity. Displays organization name in certificate details. Used by businesses.
• EV (Extended Validation): Rigorous identity verification. Historically displayed the organization name in the address bar (now mostly hidden in modern browsers). Still used in finance and government sectors for trust signaling.

All three provide the same level of encryption. Choose based on your trust and branding needs.

How do I renew an SSL certificate?

Renewal steps:

1. Generate a new Certificate Signing Request (CSR) on your server.
2. Submit the CSR to your Certificate Authority.
3. Complete domain validation (via email, DNS, or file upload).
4. Download the new certificate and intermediate bundle.
5. Install the new certificate on your server, replacing the old one.
6. Restart your web server and verify using an SSL checker.

Can I use the same certificate on multiple servers?

Yes, as long as the private key is securely copied to each server. Ensure the certificate includes all domains used across servers (via SANs). Never share private keys over unsecured channels.

What is a certificate fingerprint, and why does it matter?

A certificate fingerprint is a unique hash (SHA-1 or SHA-256) of the certificate’s contents. It’s used to verify the certificate’s integrity without downloading the entire file. You can compare fingerprints across servers to confirm they’re using the same certificate. Use: openssl x509 -in cert.crt -sha256 -fingerprint -noout

Conclusion

Checking certificate verification is not a one-time task — it’s an ongoing responsibility for anyone managing digital infrastructure. A valid, properly configured SSL/TLS certificate is the foundation of secure, trustworthy online interactions. Failing to monitor, renew, or correctly install certificates exposes your users to security risks and damages your brand’s credibility.

This guide has provided you with actionable, step-by-step methods to verify certificates across browsers, command-line tools, and automated platforms. You’ve learned how to interpret certificate details, identify common misconfigurations, and implement best practices that align with industry standards.

Remember: The padlock icon is not a guarantee of security — it’s merely the starting point. True security comes from diligence, automation, and continuous validation. By adopting the tools and practices outlined here, you ensure your websites and services remain protected, compliant, and trusted by users worldwide.

Start today. Check one certificate. Automate one process. Your users — and your reputation — will thank you.