How to Check Certificate Verification

In today’s digitally connected world, secure communication between users and websites is non-negotiable. At the heart of this security lies the SSL/TLS certificate—a digital credential that authenticates a website’s identity and enables encrypted connections. But how do you know if a certificate is valid, properly configured, and trustworthy? This is where certificate verification comes into play.

Checking certificate verification is not just a technical task for IT professionals—it’s a critical practice for website owners, developers, security auditors, and even everyday internet users concerned about privacy and data integrity. A misconfigured, expired, or fraudulent certificate can expose sensitive information, trigger browser warnings, damage brand reputation, and even result in search engine penalties.

This comprehensive guide walks you through the complete process of verifying SSL/TLS certificates. You’ll learn how to inspect certificates manually and automatically, identify common issues, apply best practices, leverage industry-leading tools, and interpret real-world examples. Whether you’re troubleshooting a browser warning or auditing your organization’s entire certificate infrastructure, this tutorial equips you with the knowledge to ensure every connection is secure and verified.

Step-by-Step Guide

1. Understanding What a Certificate Verification Check Entails

Before diving into the technical steps, it’s essential to understand what certificate verification actually checks. A valid SSL/TLS certificate must satisfy several criteria:

• Issued by a trusted Certificate Authority (CA) – The certificate must be signed by a CA recognized by major browsers and operating systems.
• Valid within its expiration window – It must not be expired or issued in the future.
• Matches the domain name – The certificate must include the exact domain (or wildcards/subdomains) being accessed.
• Chain of trust is complete – Intermediate certificates must be properly installed so the browser can trace the certificate back to a root CA.
• Uses strong cryptographic standards – Modern certificates should use SHA-256 or higher, RSA 2048-bit or ECC 256-bit keys, and avoid deprecated protocols like SSLv3.

Verification ensures all these conditions are met. Failing any one of them results in a broken or untrusted connection.

2. Verifying a Certificate Using a Web Browser

Every modern browser provides built-in tools to inspect certificates. Here’s how to do it in the most popular browsers:

Google Chrome

1. Navigate to the website you want to verify (e.g., https://example.com).

2. Click the lock icon to the left of the URL in the address bar.

3. Select “Certificate” from the dropdown menu.

4. A new window opens displaying the certificate details. Review the following tabs:

• General – Confirms the domain name, issuer, and validity period.
• Details – Shows technical information such as the public key algorithm, serial number, and signature hash.
• Certification Path – Displays the full chain: end-entity → intermediate → root. Ensure all levels are valid and trusted.

If the certificate is invalid, Chrome will display a red warning page with details about the issue (e.g., “Your connection is not private”). Click “Advanced” and then “Proceed to example.com (unsafe)” only if you fully understand the risk.

Mozilla Firefox

1. Visit the website.

2. Click the lock icon next to the URL.

3. Select “More Information” to open the Page Info window.

4. Go to the “Security” tab and click “View Certificate.”

5. Examine the same tabs as in Chrome: Details, General, and Certification Path.

Firefox also provides a “Connection Secure” message if everything is valid. If there’s a problem, it will show a detailed error such as “The certificate is not trusted because the issuer certificate is unknown.”

Microsoft Edge

Edge uses the same engine as Chrome, so the process is nearly identical:

1. Go to the website.

2. Click the lock icon in the address bar.

3. Select “Certificate” from the menu.

4. Review the certificate details under the General, Details, and Certification Path tabs.

Safari (macOS and iOS)

1. Open the website in Safari.

2. Click the lock icon in the address bar.

3. Click “Show Certificate.”

4. A popup displays the certificate information. Expand the “Trust” section to see if it’s verified by a trusted authority.

Safari is particularly strict about certificate chains. If an intermediate certificate is missing, it will display a warning even if the end certificate is valid.

3. Using Command-Line Tools: OpenSSL

For advanced users and system administrators, OpenSSL is the most powerful tool for verifying certificates directly from the terminal.

Install OpenSSL if it’s not already available on your system:

• Windows: Download from slproweb.com
• macOS: Use Homebrew: brew install openssl
• Linux: Use package manager: sudo apt install openssl (Ubuntu/Debian) or sudo yum install openssl (CentOS/RHEL)

Run the following command to fetch and verify a certificate:

openssl s_client -connect example.com:443 -servername example.com

Replace “example.com” with the target domain. This command connects to the server on port 443 and retrieves the certificate chain.

Look for these key outputs:

• Verify return code: 0 (ok) – This means the certificate chain is valid and trusted.
• subject – Confirms the domain name the certificate was issued for.
• issuer – Shows the Certificate Authority that signed the certificate.
• notBefore and notAfter – Validity dates. Ensure the current date falls within this range.
• Certificate chain – Lists all certificates in the chain. If the chain is incomplete, you’ll see only the end-entity certificate.

To extract just the certificate for further inspection:

openssl s_client -connect example.com:443 -servername example.com | openssl x509 -text -noout

This displays the full certificate details in human-readable format, including extensions like Subject Alternative Names (SANs), key usage, and extended key usage.

4. Using Online Certificate Checkers

Several free, browser-based tools automate certificate verification and provide detailed reports. These are ideal for quick audits or non-technical users.

SSL Labs (Qualys)

Visit https://www.ssllabs.com/ssltest/ and enter the domain name. SSL Labs performs an in-depth analysis, grading the server’s configuration from A+ to F. It checks:

• Certificate chain completeness
• Expiration date
• Supported protocols and ciphers
• Vulnerabilities (e.g., POODLE, Heartbleed)
• Key strength and signature algorithm
• Server configuration (HSTS, OCSP stapling)

A grade of A or higher indicates a well-configured, secure setup. Grades below B signal urgent issues requiring attention.

GlobalSign SSL Checker

https://www.globalsign.com/en/ssl-information-center/ssl-certificate-checker/ offers a simple interface to verify certificate validity, issuer, expiration, and domain coverage. It’s excellent for quick validation without technical jargon.

DigiCert SSL Certificate Checker

https://www.digicert.com/help/ allows you to paste a domain or upload a certificate file. It returns a clean report on trust status, validity, and chain integrity.

5. Checking Certificate Installation on Servers

If you manage a web server, you must verify the certificate is correctly installed. Here’s how to do it on common platforms:

Apache

Locate your SSL configuration file (typically in /etc/apache2/sites-available/default-ssl.conf or /etc/httpd/conf.d/ssl.conf).

Check these directives:

SSLCertificateFile /path/to/your_certificate.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/intermediate.crt

Ensure the paths are correct and the files exist. Use sudo apache2ctl configtest to validate syntax. Restart Apache with sudo systemctl restart apache2 after changes.

Nginx

Open your server block configuration (e.g., /etc/nginx/sites-available/default).

Verify these lines:

ssl_certificate /path/to/fullchain.pem;
ssl_certificate_key /path/to/privkey.pem;

Note: Nginx expects a combined certificate file (end-entity + intermediates) in ssl_certificate. Use sudo nginx -t to test configuration, then reload with sudo systemctl reload nginx.

Microsoft IIS

1. Open IIS Manager.

2. Select the website → “Bindings” → Edit the HTTPS binding.

3. Check the “SSL certificate” dropdown. Ensure the correct certificate is selected.

4. Click “View” to inspect the certificate details.

5. Open the Certificate Manager (certlm.msc) to verify the certificate is installed in the “Personal” store and the intermediate certificates are in the “Intermediate Certification Authorities” store.

6. Automating Certificate Monitoring

Manually checking certificates weekly is impractical for large infrastructures. Automate monitoring using scripts or services:

• Shell Script with OpenSSL – Write a script that runs openssl s_client daily and emails alerts if expiration is within 30 days.
• Prometheus + Blackbox Exporter – Monitor SSL expiration and certificate chain health as a metric.
• UptimeRobot or StatusCake – Set up SSL monitoring alerts that notify you before expiration.
• Let’s Encrypt Certbot – If using free certificates, configure auto-renewal with certbot renew --dry-run to test the process.

Example script for expiration alert:

!/bin/bash
DOMAIN="example.com"
EXPIRATION_DATE=$(echo | openssl s_client -connect $DOMAIN:443 2>/dev/null | openssl x509 -noout -enddate | cut -d= -f2)
DATE_EPOCH=$(date -d "$EXPIRATION_DATE" +%s)
TODAY_EPOCH=$(date +%s)
DAYS_LEFT=$(( (DATE_EPOCH - TODAY_EPOCH) / 86400 ))
if [ $DAYS_LEFT -lt 30 ]; then
echo "WARNING: Certificate for $DOMAIN expires in $DAYS_LEFT days."
Send email or trigger alert system
fi

Schedule this script using cron: 0 8 * * * /path/to/check_cert.sh to run daily at 8 AM.

Best Practices

1. Always Use a Full Certificate Chain

Many SSL issues stem from incomplete chains. When you receive a certificate from your CA, you typically get two files: your domain certificate and one or more intermediate certificates. The server must serve both to establish trust.

Never install only the end-entity certificate. Combine your certificate with intermediates in the correct order (end-entity first, then intermediates in hierarchy order) into a single file. Use tools like SSL Labs to verify the chain is complete.

2. Monitor Expiration Dates Religiously

Certificate expiration is the most common cause of website downtime. Even large enterprises have suffered outages due to missed renewals.

Best practices:

• Set calendar reminders 60, 30, and 7 days before expiration.
• Use automated tools (e.g., Certbot, Keyfactor, Venafi) to manage renewals.
• For Let’s Encrypt certificates, enable auto-renewal and test it quarterly.
• Keep a centralized inventory of all certificates across domains and servers.

3. Choose the Right Certificate Type

Not all certificates are equal. Choose based on your needs:

• Domain Validation (DV) – Basic encryption, quick issuance. Good for blogs, small sites.
• Organization Validation (OV) – Verifies business identity. Suitable for corporate websites.
• Extended Validation (EV) – Highest trust level, shows company name in browser bar. Ideal for e-commerce and financial services.
• Wildcard – Secures a domain and all subdomains (e.g., *.example.com).
• Multidomain (SAN) – Secures multiple domains with one certificate (e.g., example.com, shop.example.com, example.net).

Always match the certificate type to your security requirements and compliance obligations (e.g., PCI DSS requires OV or EV for payment pages).

4. Avoid Deprecated Cryptographic Standards

Older certificates using SHA-1, RSA 1024-bit keys, or SSLv3 are no longer secure and are rejected by modern browsers.

Ensure your certificates use:

• SHA-256 or SHA-384 for signatures
• RSA 2048-bit or higher, or ECC 256-bit
• TLS 1.2 or TLS 1.3 (disable SSLv3, TLS 1.0, TLS 1.1)

Use SSL Labs to check your server’s cipher suite and protocol support. Disable weak ciphers in your server configuration.

5. Implement OCSP Stapling

OCSP (Online Certificate Status Protocol) allows browsers to check if a certificate has been revoked. Without OCSP stapling, browsers must contact the CA directly, increasing latency and privacy risks.

Enable OCSP stapling on your server:

• Apache: Add SSLUseStapling on and SSLStaplingCache "shmcb:logs/ssl_stapling(128000)"
• Nginx: Add ssl_stapling on; and ssl_stapling_verify on;

Verify it’s working using SSL Labs. Stapling improves performance and enhances privacy.

6. Keep a Certificate Inventory

Large organizations often have hundreds of certificates spread across servers, cloud services, and APIs. Without an inventory, renewal is chaotic.

Create a spreadsheet or use a certificate management tool to track:

• Domain name
• Issuer
• Issued date
• Expiration date
• Server location
• Renewal method
• Contact person

Update this inventory every time you issue or renew a certificate.

7. Test Across Devices and Browsers

A certificate that works in Chrome may fail in Safari or on mobile devices due to different trust stores. Always test on:

• Windows (Chrome, Firefox, Edge)
• macOS (Safari, Chrome)
• iOS and Android devices
• Legacy systems (if applicable)

Use browser developer tools to inspect the certificate chain on each platform. Differences often reveal missing intermediates or misconfigurations.

Tools and Resources

Essential Tools for Certificate Verification

Below is a curated list of tools categorized by use case:

Online Validators

• SSL Labs (Qualys) – Industry standard for comprehensive SSL/TLS analysis. Provides detailed reports and grade ratings.
• DigiCert SSL Checker – Simple, fast, and accurate. Ideal for quick checks.
• GlobalSign SSL Checker – User-friendly interface with clear pass/fail indicators.
• SSL Shopper Certificate Checker – Offers domain coverage and chain validation in one view.

Command-Line Utilities

• OpenSSL – The definitive tool for inspecting and testing certificates. Essential for server admins.
• cURL – Use curl -vI https://example.com to see certificate details in verbose mode.
• sslyze – Python-based scanner for deep SSL/TLS analysis. Supports automated scanning and JSON output.

Monitoring and Automation

• UptimeRobot – Monitors SSL expiration and sends email/SMS alerts.
• StatusCake – Tracks SSL health, certificate chain, and performance metrics.
• Let’s Encrypt Certbot – Automates issuance and renewal of free certificates.
• Prometheus + Blackbox Exporter – Monitor certificate expiration as a time-series metric.
• Keyfactor, Venafi, DigiCert CertCentral – Enterprise-grade certificate lifecycle management platforms.

Documentation and Standards

• CA/Browser Forum Baseline Requirements – Defines industry standards for certificate issuance and validation. Essential reading for compliance.
• OWASP SSL Configuration Guidelines – Best practices for securing web servers.
• NIST SP 800-52 Rev. 2 – Government standards for TLS deployment.
• Let’s Encrypt Documentation – Excellent resource for free certificate deployment.

How to Choose the Right Tool

Choose tools based on your role and needs:

• Developers – Use browser dev tools and OpenSSL for quick checks.
• System Administrators – Use OpenSSL, sslyze, and automation scripts.
• Security Teams – Use SSL Labs, enterprise tools (Venafi), and integrate into SIEM systems.
• Non-technical Users – Use DigiCert or GlobalSign online checkers.

For organizations managing 50+ certificates, invest in a dedicated certificate management platform. Manual tracking is error-prone and unsustainable.

Real Examples

Example 1: Expired Certificate – Corporate Website Down

A mid-sized SaaS company’s main website went offline for 12 hours. Users saw “Your connection is not private” errors. The IT team discovered the SSL certificate had expired two days prior due to a missed renewal notice.

Root cause: The certificate was managed by a contractor who left the company. No inventory existed. The renewal process was manual and unmonitored.

Resolution: The team issued a new certificate immediately, updated the server, and implemented Certbot with automated renewal. They also created a centralized certificate inventory and assigned ownership.

Lesson: Automated renewal and inventory tracking prevent costly outages.

Example 2: Incomplete Certificate Chain – Mobile Users Can’t Connect

A healthcare portal worked perfectly on desktop browsers but failed on iOS devices. SSL Labs showed an “Incomplete chain” warning.

Investigation revealed the server was configured with only the end-entity certificate. The intermediate certificate from Sectigo was missing.

Resolution: The team combined the domain certificate with the intermediate certificate into a single fullchain.pem file and updated the Nginx configuration. After reload, all devices connected successfully.

Lesson: Always test on multiple platforms. iOS and Safari are stricter about certificate chains than Chrome or Firefox.

Example 3: Mismatched Domain – Subdomain Certificate Misconfiguration

A company had a certificate for www.example.com but tried to secure api.example.com with the same certificate. Browsers blocked access with “NET::ERR_CERT_COMMON_NAME_INVALID.”

The certificate only included www.example.com in its Subject Alternative Name (SAN) field. It did not cover the subdomain.

Resolution: The team purchased a wildcard certificate (*.example.com) or added api.example.com as a SAN in a new multidomain certificate.

Lesson: Always verify the SAN field matches all domains and subdomains you intend to secure. Don’t assume wildcards cover all cases.

Example 4: Weak Cipher Suite – Security Audit Failure

During a PCI DSS audit, a retail website failed because it supported TLS 1.0 and weak ciphers like RC4 and DES.

SSL Labs graded it a “C,” indicating serious vulnerabilities. The server was running an outdated Apache version with default settings.

Resolution: The team upgraded Apache, disabled weak protocols and ciphers, enabled HSTS, and retested. The new grade was A+.

Lesson: Regular security audits and cipher suite reviews are mandatory for compliance and protection against exploits.

Example 5: Self-Signed Certificate – Internal Tool Access Issue

An internal HR tool used a self-signed certificate. Employees received warnings when accessing it from company laptops. Some users clicked through warnings, creating a security risk.

Resolution: The IT team deployed the self-signed certificate to the company’s internal CA trust store via Group Policy (Windows) or MDM (macOS). Now, the certificate is trusted automatically across all devices.

Lesson: Never use self-signed certificates for public-facing services. For internal use, deploy certificates through your organization’s PKI infrastructure.

FAQs

What does “certificate not trusted” mean?

This error means the browser cannot verify the certificate’s authenticity. Common causes include an expired certificate, missing intermediate certificate, certificate issued by an untrusted CA, or a mismatch between the certificate’s domain and the URL being accessed.

Can I check a certificate without visiting the website?

Yes. You can download the certificate file (usually a .crt or .pem file) and inspect it using OpenSSL: openssl x509 -in certificate.crt -text -noout. This shows all details without requiring a live connection.

How often should I check my SSL certificate?

For critical websites, check weekly. Use automated tools to monitor expiration and chain integrity. Set alerts for 60, 30, and 7 days before expiration. Never wait until the last minute.

Do free SSL certificates work the same as paid ones?

Yes, in terms of encryption and security. Free certificates (e.g., from Let’s Encrypt) are just as secure as paid ones. The difference lies in warranty, support, validation level (DV only), and additional features like multi-domain support or extended validation (EV). For most websites, free certificates are sufficient.

Why does my certificate show as “Not Secure” even though it’s valid?

Modern browsers mark sites as “Not Secure” if they serve HTTP content (non-HTTPS) or if mixed content (HTTP resources on HTTPS pages) is present. Even with a valid certificate, ensure all resources (images, scripts, stylesheets) are loaded over HTTPS.

How do I renew an SSL certificate?

The process varies by provider:

• Let’s Encrypt: Run certbot renew (auto-renewal is recommended).
• Commercial CA: Log into your account, generate a new CSR, upload it, validate domain ownership, then download and install the new certificate.

Always test the new certificate before removing the old one.

What is the difference between a certificate and a key?

The certificate is a public file that contains your domain name, public key, issuer, and validity dates. The private key is a secret file used to decrypt data encrypted with the public key. Never share or expose your private key.

Can a certificate be revoked?

Yes. A CA can revoke a certificate if the private key is compromised, the domain is no longer under the owner’s control, or fraudulent issuance is detected. Browsers check revocation status via CRL (Certificate Revocation List) or OCSP. Enable OCSP stapling to improve revocation checking.

What happens if I don’t verify my certificate?

Unverified or misconfigured certificates lead to:

• Browser security warnings that scare away users
• Loss of SEO ranking (Google penalizes insecure sites)
• Failed PCI compliance audits
• Man-in-the-middle attacks if users bypass warnings
• Reputational damage and loss of customer trust

Verification is not optional—it’s a fundamental security requirement.

Conclusion

Checking certificate verification is a foundational skill for anyone responsible for web security, infrastructure, or digital presence. A valid, properly configured SSL/TLS certificate is not a luxury—it’s a necessity for trust, compliance, and performance. The steps outlined in this guide—from manual browser inspection to automated monitoring—provide a complete framework for ensuring your certificates are always secure and trusted.

By adopting best practices—maintaining complete certificate chains, monitoring expiration dates, using strong cryptography, and leveraging automation—you eliminate the most common causes of SSL failures. Real-world examples demonstrate how easily oversight leads to downtime, security breaches, and reputational harm. The tools available today make verification faster and more reliable than ever.

Remember: Security is not a one-time setup. It’s an ongoing discipline. Make certificate verification part of your regular operational rhythm. Set reminders, automate checks, document everything, and test across platforms. Your users, your business, and your digital reputation depend on it.

Start today. Verify one certificate. Then another. Soon, you’ll have a secure, resilient infrastructure that users can trust without a second thought.