opdeck / blog / check-website-ssl-certificate-validity

How to Check If a Website SSL Certificate Is Valid Using OpDeck

April 17, 2026 / OpDeck Team
SSL CertificateWebsite SecurityOpDeckValidation GuideWeb Development

If you need to check if a website's SSL certificate is valid, you've come to the right place. Whether you're a site owner troubleshooting a security warning, a developer verifying a deployment, or just someone who wants to confirm a site is safe to use, this guide walks you through exactly what to look for, how to interpret SSL certificate details, and how to run a proper check using both browser tools and dedicated analyzers like OpDeck's SSL Certificate Checker.

Why Checking if a Website's SSL Certificate Is Valid Actually Matters

SSL certificates do a lot of heavy lifting in the background. They encrypt the connection between a browser and a web server, authenticate the identity of the website, and signal to visitors — and to search engines — that the site is trustworthy. When an SSL certificate is missing, expired, or misconfigured, browsers throw up scary red warning pages, users bounce, and search rankings can take a hit.

Here's the thing: SSL issues are surprisingly common. Certificates expire (usually after 90 days for Let's Encrypt or one year for commercial certificates). They get issued to the wrong domain. They're installed incorrectly, leaving the chain of trust broken. Sometimes the certificate exists but doesn't cover a subdomain the site is actually serving.

Knowing how to quickly check SSL certificate validity is a practical skill for:

  • Web developers pushing a site live or migrating domains
  • DevOps engineers monitoring production environments
  • Business owners making sure their e-commerce or lead generation site isn't turning away customers
  • Security teams auditing third-party vendors or internal services
  • Everyday users who want to verify a site before entering payment details

Let's get into the actual methods.

Method 1: Check SSL Certificate Validity in Your Browser

The fastest way to get a basic read on an SSL certificate is directly in your browser. This won't give you the deep technical details, but it's a good first pass.

Chrome

  1. Navigate to the website you want to check.
  2. Look at the address bar. If you see a padlock icon, the certificate is active and trusted by the browser.
  3. Click the padlock icon (or the "View site information" button in newer Chrome versions).
  4. Click "Connection is secure" and then "Certificate is valid".
  5. A popup will show you the certificate's issuer, the domains it covers (the Subject Alternative Names), and the expiry date.

Firefox

  1. Go to the website.
  2. Click the padlock icon in the address bar.
  3. Click "Connection secure" then "More information".
  4. In the Page Info window, click "View Certificate".
  5. Firefox opens a dedicated certificate viewer tab showing full details including validity period, fingerprint, and the certificate chain.

What to look for in the browser check:

  • Valid from / Valid to dates — Is today's date within that range?
  • Issued to — Does the domain name match the site you're visiting?
  • Issued by — Is it a recognized Certificate Authority (CA) like DigiCert, Sectigo, Let's Encrypt, or GlobalSign?
  • Certificate chain — Are all intermediate certificates present?

Browser checks are quick but limited. They won't show you cipher strength, HSTS status, protocol versions, or whether the certificate is about to expire in a few days. For that, you need a proper tool.

Method 2: Check SSL Certificate Validity with OpDeck's SSL Checker

OpDeck's SSL Certificate Checker gives you a thorough, structured analysis of any website's SSL certificate in seconds. You don't need to install anything or know OpenSSL commands — just enter a URL and get a clear report.

How to use it:

  1. Go to https://www.opdeck.co/tools/ssl
  2. Enter the full URL of the website you want to check (e.g., https://example.com)
  3. Click "Check" or press Enter
  4. Review the results

What the OpDeck SSL checker shows you:

Certificate validity status — A clear pass/fail indicator telling you whether the certificate is currently valid and trusted.

Expiry date and days remaining — Not just whether the cert is valid now, but how long until it expires. This is critical for proactive monitoring. A certificate expiring in 5 days is technically valid but practically a ticking clock.

Issuer information — The Certificate Authority that signed the certificate, along with the full issuer chain.

Domain coverage — Whether the certificate covers the exact domain (and any subdomains) you're checking. A wildcard certificate (*.example.com) covers subdomains but not the root domain unless explicitly listed.

Protocol and cipher details — What TLS version is being negotiated (TLS 1.2 vs TLS 1.3) and the cipher suite in use.

HSTS status — Whether the site sends an HTTP Strict Transport Security header, which tells browsers to always use HTTPS.

This level of detail is genuinely useful for diagnosing problems. For example, if a certificate is valid but you're still seeing browser warnings, the OpDeck report might show you a broken certificate chain — meaning the intermediate certificate isn't being served correctly.

Method 3: Check SSL Certificate Validity Using the Command Line

If you're a developer or sysadmin, you'll want to know how to do this programmatically. Here are the most useful commands.

Using curl

A quick way to check if an SSL certificate is valid and see the response:

curl -vI https://example.com 2>&1 | grep -E "SSL|certificate|expire|issuer|subject"

Or for a cleaner output showing just the certificate dates:

curl -vI https://example.com 2>&1 | grep -E "start date|expire date|issuer"

Using OpenSSL

OpenSSL gives you the most detailed certificate information from the command line:

echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates -subject -issuer

This outputs something like:

notBefore=Jan  1 00:00:00 2024 GMT
notAfter=Dec 31 23:59:59 2024 GMT
subject=CN=example.com
issuer=C=US, O=Let's Encrypt, CN=R3

To check the full certificate chain:

echo | openssl s_client -connect example.com:443 -showcerts 2>/dev/null

To check if a certificate will expire within the next 30 days (useful in CI/CD pipelines):

echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \
  | openssl x509 -noout -checkend 2592000

If the certificate expires within 30 days (2592000 seconds), this returns a non-zero exit code — perfect for automated alerting.

Using nmap

nmap --script ssl-cert -p 443 example.com

This shows the certificate subject, issuer, and validity dates in a readable format.

What Makes an SSL Certificate "Valid"?

When you check if a website's SSL certificate is valid, you're actually checking several conditions simultaneously. A certificate is considered valid only when all of the following are true:

1. It hasn't expired

Every SSL certificate has a notBefore and notAfter date. If today's date is outside that range, the certificate is invalid — full stop. Browsers will show a NET::ERR_CERT_DATE_INVALID error.

2. It's issued by a trusted Certificate Authority

Browsers and operating systems maintain a list of trusted root CAs. If your certificate was issued by a CA not on that list (or a self-signed certificate), users will see an NET::ERR_CERT_AUTHORITY_INVALID warning. This is common in development environments but a serious problem in production.

3. The domain name matches

The certificate must cover the exact domain being accessed. If you have a certificate for www.example.com but a user visits example.com (without www), and the certificate doesn't include both, they'll get a NET::ERR_CERT_COMMON_NAME_INVALID error. Always check Subject Alternative Names (SANs), not just the Common Name (CN).

4. The certificate chain is complete

Intermediate certificates bridge the gap between your site's certificate and the trusted root CA. If the server isn't configured to serve the full chain, some browsers (especially on mobile) will reject the certificate even if it's technically valid. OpenSSL and tools like OpDeck's checker will flag this.

5. It hasn't been revoked

Certificate Authorities can revoke certificates before their expiry date if the private key is compromised or the certificate was issued in error. Browsers check for revocation via OCSP (Online Certificate Status Protocol) or CRL (Certificate Revocation List). A revoked certificate will trigger NET::ERR_CERT_REVOKED.

6. It uses a strong algorithm

SHA-1 signed certificates are no longer trusted by modern browsers. Valid certificates should use SHA-256 or stronger. RSA keys should be at least 2048 bits; 4096 bits is better. ECDSA certificates with 256-bit keys are also widely accepted and often faster.

Common SSL Certificate Errors and How to Fix Them

ERR_CERT_DATE_INVALID (Expired certificate)

Cause: The certificate's notAfter date has passed.

Fix: Renew the certificate. If you're using Let's Encrypt with Certbot, run:

sudo certbot renew
sudo systemctl reload nginx  # or apache2

Set up a cron job or systemd timer to auto-renew before expiry.

ERR_CERT_AUTHORITY_INVALID (Untrusted CA)

Cause: Self-signed certificate, or the CA isn't in the browser's trust store.

Fix: Replace with a certificate from a trusted CA. Let's Encrypt is free and widely trusted. For internal tools, consider setting up a private CA and distributing its root certificate to your users' devices.

ERR_CERT_COMMON_NAME_INVALID (Domain mismatch)

Cause: The certificate doesn't cover the domain being accessed.

Fix: Reissue the certificate to include all necessary domains and subdomains in the Subject Alternative Names. Most CAs let you add multiple SANs. For Let's Encrypt:

sudo certbot --nginx -d example.com -d www.example.com -d api.example.com

Incomplete certificate chain

Cause: The server isn't sending intermediate certificates.

Fix: Download the intermediate certificate bundle from your CA and configure your server to include it. For Nginx:

ssl_certificate /etc/nginx/ssl/example.com.crt;  # This should be the full chain
ssl_certificate_key /etc/nginx/ssl/example.com.key;

The .crt file should contain your certificate followed by the intermediate certificates, concatenated together.

How to Set Up SSL Certificate Monitoring

Checking a certificate once is fine; monitoring it continuously is better. Here are a few approaches depending on your setup.

Cron-based monitoring with OpenSSL

Add this to your server's crontab to alert you 30 days before expiry:

0 8 * * * openssl s_client -connect yoursite.com:443 -servername yoursite.com \
  </dev/null 2>/dev/null | openssl x509 -noout -checkend 2592000 \
  || echo "SSL cert expiring soon on yoursite.com" | mail -s "SSL Alert" [email protected]

Using OpDeck for quick manual checks

Whenever you deploy a new certificate, update a domain, or receive a user report about security warnings, run a check through OpDeck's SSL Certificate Checker. It's faster than the command line for a quick sanity check and gives you a visual, shareable report you can include in a deployment checklist or send to a client.

CI/CD integration

Add an SSL check as a post-deployment step in your pipeline. Using curl:

# In your deployment script or CI pipeline
DOMAIN="example.com"
EXPIRY=$(echo | openssl s_client -connect $DOMAIN:443 -servername $DOMAIN 2>/dev/null \
  | openssl x509 -noout -enddate | cut -d= -f2)
echo "Certificate expires: $EXPIRY"

SSL Certificates and SEO: Why Google Cares

Google has used HTTPS as a ranking signal since 2014. Beyond rankings, Chrome marks HTTP pages as "Not Secure" in the address bar — which directly impacts user trust and conversion rates. If your SSL certificate is expired or misconfigured, you're not just dealing with a security problem; you're dealing with a visibility and revenue problem.

A few things to verify from an SEO standpoint:

  • All pages are served over HTTPS, not HTTP
  • HTTP URLs redirect (301) to HTTPS equivalents
  • Your sitemap uses HTTPS URLs
  • Internal links use HTTPS
  • The canonical tag points to the HTTPS version

All of these can be audited alongside your SSL check.

Conclusion

Knowing how to check if a website's SSL certificate is valid is a fundamental skill for anyone who builds, manages, or uses websites. The process ranges from a quick browser padlock click to deep command-line inspection with OpenSSL, depending on how much detail you need.

For most situations — verifying a new deployment, diagnosing a user-reported warning, or doing a routine security review — OpDeck's SSL Certificate Checker gives you everything you need in one place, without requiring any technical setup. It's fast, thorough, and presents the results in a way that's easy to act on.

Head over to OpDeck and run a check on your site right now. If you find an issue, the details in the report will point you directly to what needs fixing. And if everything looks good, you'll have the peace of mind of knowing your certificate is solid — and a timestamp to prove it.

Try these tools

SSL Certificate

Verify SSL certificate validity and security configuration

Vulnerability Scanner

Scan WordPress and Magento sites for known vulnerabilities and security misconfigurations

Turbo Subscription

Unlock the full potential of OpDeck

Schedule reports on eligible tasks
Request new tools
Gain API access
Get priority in the queue
Already a subscriber?