HTTPS and SSL certificates: why they are essential
HTTPS is no longer optional: since 2018 Chrome marks all HTTP sites as "Not Secure", Google penalizes sites without HTTPS in rankings, and modern APIs require secure connections. At the core of HTTPS is the SSL/TLS certificate, a digital document that binds a domain's identity to a public cryptographic key. When a browser connects to an HTTPS site, it verifies the certificate to ensure it is communicating with the legitimate server and not an impostor (man-in-the-middle).
A misconfigured SSL certificate causes browser errors that drive away visitors, compromises SEO, and can expose user data. The most common problems include: expired certificate, incomplete certification chain, hostname mismatch, obsolete TLS protocols and weak cipher suites. Our SSL Check verifies all these aspects in seconds, providing an overall grade and specific recommendations for each issue found.
What the SSL Check verifies
The grade ranges from A+ (optimal configuration) to F (critical issues). An A grade requires: TLS 1.2+ with secure ciphers, valid certificate with complete chain, key of at least 2048 bits, and HSTS enabled. To achieve A+ you also need HSTS preload. Grade B indicates acceptable but not optimal ciphers. C or lower means TLS 1.0/1.1 is active or weak ciphers are present, and this should be corrected urgently. Also check HTTP security headers with Security Headers for a complete picture.
The certification chain
An SSL certificate does not work alone: it is part of a chain of trust. Your site's certificate (leaf) is signed by an intermediate CA, which in turn is signed by a root CA present in the browser's trust store. If the chain is incomplete (an intermediate certificate is missing), some browsers show errors while others do not, because they automatically download missing intermediates. For an in-depth chain verification, use Certificate Chain, which visualizes each link and identifies issues.
To check who is authorized to issue certificates for your domain, configure CAA records and verify them with CAA Record Lookup. CAA records are the DNS mechanism that limits which Certificate Authorities can issue certificates, adding a layer of protection against unauthorized issuance.
Renewal and automation
Let's Encrypt certificates last 90 days; commercial ones typically last 1 year. Late renewal is the most common cause of SSL errors in production. The solution is automation: certbot and other ACME clients automatically renew Let's Encrypt certificates. For commercial certificates, set reminders at least 30 days before expiration. Monitor the expiration of your certificates regularly with SSL Check: a certificate that expires without warning is a preventable incident.
When renewing a certificate, verify that the new certificate covers all necessary SANs (Subject Alternative Names). A frequent mistake is renewing the certificate for example.com while forgetting www.example.com or api.example.com. After renewal, test immediately with SSL Check to confirm that the new certificate is served correctly, the chain is complete and the grade is unchanged.
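The renewal checks described in the last two paragraphs (days until expiry against a 30-day threshold, and SAN coverage of every hostname you serve) can be scripted with Python's standard library. This is an added example, not part of the SSL Check tool; the function names, the sample certificate and the hostname list are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate as a dict (live use; needs network access)."""
    ctx = ssl.create_default_context()  # validates chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def san_matches(pattern, hostname):
    """Match one DNS SAN; a '*' covers exactly one left-most label."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if p.startswith("*."):
        head, _, rest = h.partition(".")
        return bool(head) and rest == p[2:]
    return p == h

def missing_sans(cert, required):
    """Return the required hostnames that no DNS SAN in the cert covers."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return [h for h in required if not any(san_matches(s, h) for s in sans)]

def days_left(cert, now=None):
    """Whole days until notAfter (negative once the cert has expired)."""
    now = now or datetime.now(timezone.utc)
    ts = ssl.cert_time_to_seconds(cert["notAfter"])
    return (datetime.fromtimestamp(ts, timezone.utc) - now).days

def renewal_report(cert, required, now=None, warn_days=30):
    """Combine both checks; warn_days mirrors the 30-day reminder."""
    left = days_left(cert, now)
    return {"days_left": left, "renew_now": left < warn_days,
            "missing": missing_sans(cert, required)}

# Constructed sample in the shape getpeercert() returns: api.example.com
# was forgotten at renewal.
SAMPLE_CERT = {
    "notAfter": "Jun 30 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}
REQUIRED = ["example.com", "www.example.com", "api.example.com"]

if __name__ == "__main__":
    fixed_now = datetime(2025, 6, 10, 12, 0, 0, tzinfo=timezone.utc)
    print(renewal_report(SAMPLE_CERT, REQUIRED, now=fixed_now))
```

For a live host, pass `fetch_cert("your-domain")` in place of `SAMPLE_CERT`; an expired or mismatched certificate makes the handshake itself raise `ssl.SSLCertVerificationError`.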