
SSL Certificate Checker

Verify any domain's SSL/TLS certificate in seconds. See who issued it, when it expires, whether it covers the hostname, and whether it's healthy enough that browsers will accept it. The same checks every visitor's browser runs automatically — surfaced so you can see them.

Running a site? Pair certificate health with the uptime checker to catch failures before users do.

TL;DR

An SSL/TLS certificate is what makes the green padlock appear in your browser. It proves the site is who it says it is and lets your traffic to it be encrypted.

The four things that matter: a trusted issuer, the right hostname, an unexpired date, and a strong signature. Miss any one and browsers refuse to load the site.

Use this tool to check your own certificate health before users hit a wall of warnings, or to verify a site you're about to log into is genuinely the one you think it is.

What is an SSL certificate, really?

A small file that proves a website is who it says it is, signed by an authority your browser trusts.

When you visit an HTTPS site, the server hands your browser a certificate. The certificate says "I am example.com, here is my public key, and this signature proves an authority called Let's Encrypt (or DigiCert, Cloudflare, whoever) vouches for me." Your browser checks the signature against its built-in list of trusted authorities. If it matches, the connection is encrypted and the padlock appears. If anything is off — expired, wrong hostname, untrusted issuer — the browser refuses to load the site.

The technology is called TLS (Transport Layer Security) now. Everyone still calls it SSL because the old name stuck. Either way it's the same thing: a one-way trust chain rooted in a small list of authorities your browser ships with, used to encrypt every page you load over HTTPS.

What does the checker actually verify?

The same four things every visitor's browser checks silently, every time.

First, the issuer — the certificate has to be signed by an authority on the trusted list. Self-signed certificates fail this. Internal corporate CAs fail it on public devices. Real public CAs (Let's Encrypt, Google Trust Services, Cloudflare, DigiCert, Sectigo) pass it.

Second, the hostname coverage — the certificate has to list the exact hostname you're visiting in its Subject Alternative Name (SAN) field. A certificate for example.com that doesn't also list www.example.com will fail on the www variant. Wildcard certificates (*.example.com) cover everything one level deep.

Third, the date range — both the not-before and not-after dates have to bracket the current moment. An expired certificate is the single most common cause of preventable outages.

Fourth, the signature algorithm — old algorithms like SHA-1 are no longer trusted. Modern certificates use SHA-256 or stronger. The checker surfaces this so you can see at a glance.
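The hostname and date checks described above can be reproduced with Python's standard library. This is an added example, not the checker's own code. The names `fetch_cert`, `hostname_covered`, `evaluate` and the `SAMPLE` certificate are constructed for illustration, and the signature-algorithm check is left out because `getpeercert()` does not expose it.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_cert(host, port=443, timeout=5):
    """Live fetch. The default context validates the chain against the system
    trust store, so an untrusted issuer raises ssl.SSLCertVerificationError
    during the handshake."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def hostname_covered(hostname, sans):
    """Exact SAN match, or a wildcard standing in for exactly one leftmost label."""
    host = hostname.lower().rstrip(".")
    for san in (s.lower() for s in sans):
        if san == host:
            return True
        if san.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == san[2:]:
                return True
    return False

def evaluate(cert, hostname, now=None, warn_days=30):
    """cert is a dict shaped like the output of ssl.SSLSocket.getpeercert()."""
    now = now or datetime.now(timezone.utc)
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    start = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    end = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (end - now).days
    return {
        "hostname_ok": hostname_covered(hostname, sans),
        "date_ok": start <= now <= end,       # not-before and not-after bracket now
        "days_left": days_left,
        "renew_soon": 0 <= days_left <= warn_days,
    }

# Constructed sample certificate fields (not taken from a real certificate).
SAMPLE = {
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Apr  1 00:00:00 2025 GMT",
}
```

For a live check, pass the result of `fetch_cert("your-domain")` to `evaluate` in place of `SAMPLE`.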

Who is the issuer and why does it matter?

It's the authority that signed the certificate, and only a few of them are trusted by browsers.

There are maybe a dozen major certificate authorities and a few dozen smaller ones, all of which are heavily audited. Browsers ship with a built-in list — the root store — that decides which CAs are trusted. Let's Encrypt issues most certificates on the modern internet because it's free, automated, and trustworthy. Google Trust Services (used by Cloudflare and Google's own sites) is the other heavyweight. DigiCert and Sectigo dominate the paid market for businesses that want extended validation or longer validity.

The issuer matters operationally because each CA has different renewal flows, different validation methods, and slightly different rules. It also matters geopolitically — a few CAs have lost browser trust in the past after security incidents (DigiNotar, Symantec, China Trust). If a site's issuer is one you don't recognise, look it up before trusting the certificate.

How long is a certificate valid?

Maximum 90 days for free certificates today, with the industry moving toward 47 days by 2029.

Public certificates have shrunk dramatically in the last decade. They used to be valid for years; now most run 90 days, and Apple has proposed reducing this to 47 days by 2029 with Google and Mozilla aligned. The shorter the validity, the smaller the window of misuse if a private key leaks.

Automation makes shorter certificates manageable. Let's Encrypt with the ACME protocol handles renewal silently every 60 days. Caddy, Traefik, and Cloudflare handle it without any configuration. If you see a certificate with weeks left and no automated renewal, that's the warning sign.

Common SSL errors and what they mean

There are roughly six categories, and most are operator mistakes rather than attacks.

Expired certificate — auto-renewal failed silently. Check your ACME logs.

Hostname mismatch — the certificate covers example.com but you visited www.example.com (or vice versa). Add both to your SAN list.

Untrusted issuer — usually a self-signed certificate served by mistake, or an internal CA that wasn't installed on the visitor's device.

Weak algorithm — old certificates signed with SHA-1 or smaller keys; just reissue.

Revoked — the CA declared the certificate invalid (often after a key compromise); browsers fetch revocation lists in the background.

Chain broken — the certificate is valid but the server didn't send the intermediate certificates that connect it to the trusted root. Add the intermediate bundle to your server config.

SSL vs VPN — are they the same thing?

No. SSL encrypts one site at a time; a VPN encrypts everything your device sends.

SSL/TLS protects the connection between your browser and a single specific site. When you load HTTPS gmail.com, only your traffic to Gmail is encrypted — but your ISP can see that you're talking to Gmail. A VPN sits one layer earlier: it encrypts all your device's traffic into a tunnel to a VPN server, and that server then makes requests on your behalf. Your ISP just sees encrypted traffic to the VPN — they can't tell whether you're loading Gmail, Wikipedia, or anything else.

The two work together rather than competing. Even with a VPN on, individual sites still use SSL so the VPN server can't see your passwords or messages. And with SSL alone, your ISP and any network operator between you and the server still know which sites you visit. Most privacy-aware users run both. Our free plan gives you the VPN layer for $0 forever.

Frequently asked questions

What does an SSL checker actually check?

It connects to the domain on port 443, reads the TLS certificate the server presents, and verifies four things: that the certificate is signed by a trusted authority, that it covers the hostname you asked about, that it hasn't expired, and that it hasn't been revoked. Together these tell you whether browsers will accept the certificate and load the site over HTTPS.

What is the difference between SSL and TLS?

SSL is the old name. The protocol was renamed TLS in 1999 and has gone through several major revisions since. Modern sites use TLS 1.2 or TLS 1.3. Everyone still casually calls it SSL because the old name stuck, but technically when you check a site's 'SSL certificate' you're checking its TLS certificate.

How long does a certificate stay valid?

Public certificates today max out at about 90 days. Let's Encrypt and most free issuers use that length. Paid certificates from commercial CAs can run up to 12 months, though Apple, Google, and Mozilla are pushing to shorten this to 47 days by 2029.

What happens when an SSL certificate expires?

Browsers stop trusting the site and show a full-screen warning that's nearly impossible for users to click through. The server is technically still serving traffic, but for practical purposes the site is down. Automated renewal handles this, but it occasionally fails silently. Checking 14 to 30 days in advance is the easy save.

Who is the issuer and why does it matter?

The issuer is the certificate authority that signed the certificate. Common ones include Let's Encrypt, Google Trust Services, DigiCert, Sectigo, and Cloudflare. Browsers come with a list of trusted issuers built in. If the issuer is on the list, the certificate works. If it's a self-signed certificate or signed by an unknown CA, browsers refuse it.

Can SSL hide my browsing from my ISP?

Partly. SSL encrypts what you send and receive, so your ISP can't see the contents of pages. But they can still see which domains you connect to via the SNI field in the TLS handshake and the DNS lookups your device makes. To hide the domains too you need a VPN, which routes everything through an encrypted tunnel.

Is SSL the same thing as a VPN?

No. SSL/TLS protects a single connection between you and one specific site. A VPN protects every connection from your device by routing it through an encrypted tunnel to a server you choose. SSL and VPNs solve different problems and most people benefit from using both.

Can a website fake its SSL certificate?

Not realistically. Certificates have to be signed by a trusted authority, and authorities are audited heavily. The closest practical attack is buying a real certificate for a typosquat domain and tricking users into visiting it. Browsers can't help with that — only paying attention to the URL does.