How to Verify an SSL Certificate Before Launch

An SSL certificate encrypts the connection between your website and its visitors, protecting login credentials, payment information, and personal data from interception. But encryption alone is not enough — a misconfigured certificate, a missing intermediate chain, or an expired renewal can trigger browser security warnings that instantly erode visitor trust. Google has used HTTPS as a ranking signal since 2014, and modern browsers display prominent “Not Secure” warnings for sites without valid SSL. Verifying your certificate before launch — and monitoring it afterward — prevents these problems and ensures your site is secure from day one.

Why SSL Certificates Matter

SSL certificates serve three critical functions for any website. First, they encrypt data in transit using TLS (Transport Layer Security), preventing attackers on the same network from reading sensitive information. Second, they authenticate your server’s identity, proving to visitors that they are connected to your actual server and not an impersonator. Third, they enable HTTP/2 and HTTP/3, which significantly improve page load performance through multiplexing and header compression.

The consequences of getting SSL wrong are immediate and measurable. According to Google’s Transparency Report, over 95% of web traffic to Google is encrypted. Visitors expect HTTPS by default, and browsers make it very clear when a site does not have it. Chrome, Firefox, Safari, and Edge all display warnings for sites with expired, self-signed, or misconfigured certificates — warnings that most users will not click through.

Digital security concept with glowing lock icon representing SSL encryption — Credit: FlyD via Unsplash

Step 1: Inspect Your SSL Certificate

Open the SSL Certificate Checker and enter your domain name. The tool connects to your server, retrieves the full certificate, and displays the details you need to verify. Review these key fields:

Certificate status — must show as valid. If it displays expired, revoked, or not yet valid, your site is showing security warnings to every visitor right now.
Issuer (Certificate Authority) — identifies who issued the certificate. Trusted CAs include Let’s Encrypt, DigiCert, Sectigo, and GlobalSign. Self-signed certificates trigger browser warnings and should never be used on production websites.
Expiry date — check when the certificate expires. Let’s Encrypt certificates last 90 days; most commercial certificates last one year. If your certificate expires within 30 days, plan your renewal immediately.
Subject Alternative Names (SANs) — the list of all domains and subdomains the certificate covers. Make sure your primary domain, the www subdomain, and any other subdomains you use are all included.
Key size — modern certificates should use at least a 2048-bit RSA key or a 256-bit ECDSA key. Anything smaller is considered weak by current standards.
Signature algorithm — should be SHA-256 or stronger. Older SHA-1 certificates are no longer trusted by any major browser.

Step 2: Verify Domain Coverage

One of the most common SSL issues is a certificate that does not cover all the domains you need. A certificate issued for example.com may not cover www.example.com, and vice versa. If a visitor types the uncovered variant, they see a security warning instead of your site.

Wildcard certificates (*.example.com) cover all subdomains but not always the root domain itself — check whether the root domain is explicitly listed in the SAN field. Multi-domain (SAN) certificates let you cover completely different domains on a single certificate, which is useful if you operate multiple brands from the same server.

Use the DNS Lookup tool to verify that all your domains resolve to the correct server IP. A DNS misconfiguration can point a subdomain to a different server that has its own certificate (or no certificate at all).

Step 3: Check the Certificate Chain

SSL certificates rely on a chain of trust. Your server certificate is signed by an intermediate CA, which is signed by a root CA that browsers trust. If any link in this chain is missing or incorrect, browsers cannot verify the certificate and will show a warning — even if the certificate itself is perfectly valid.

The most common chain issue is a missing intermediate certificate. Your server must send both your certificate and the intermediate certificate(s) during the TLS handshake. The root CA certificate does not need to be sent because it is already built into browsers and operating systems. According to Let’s Encrypt’s chain documentation, their certificates use a cross-signed intermediate that ensures compatibility with older devices.

The SSL Certificate Checker shows the complete chain and flags any missing intermediates. If the chain is incomplete, download the correct intermediate certificate from your CA’s website and install it on your web server alongside your site certificate.

Step 4: Check for Mixed Content

Mixed content occurs when your HTTPS page loads resources — images, scripts, stylesheets, fonts — over plain HTTP. This partially breaks the security of your page. Browsers handle mixed content in two ways: active mixed content (scripts, iframes) is blocked entirely, while passive mixed content (images, audio) may be loaded but triggers a warning.

Common sources of mixed content include hardcoded http:// URLs in your HTML or CSS, embedded images from HTTP sources, third-party scripts loaded over HTTP, and internal links using absolute HTTP URLs instead of HTTPS or protocol-relative paths. After installing your certificate, audit every page for mixed content. Browser developer tools (F12 > Console) will log mixed content warnings.

Use the HTTP Header Checker to verify your server sends security headers. The Strict-Transport-Security (HSTS) header tells browsers to always use HTTPS, preventing accidental HTTP connections. The Content-Security-Policy header can detect and block mixed content at the browser level.

Step 5: Test HTTPS Redirects

After installing your certificate, ensure that all HTTP requests are properly redirected to HTTPS. There are four URL variations to test for every domain on your certificate:

http://example.com should redirect to https://example.com
http://www.example.com should redirect to your canonical URL
https://example.com should either serve content or redirect to the www variant
https://www.example.com should either serve content or redirect to the non-www variant

All four should eventually land on a single canonical URL with a 301 (permanent) redirect. Temporary 302 redirects do not pass full SEO value. Use the HTTP Header Checker to verify the redirect chain and status codes for each variation.

Common SSL Issues and How to Fix Them

Issue	Symptom	Fix
Expired certificate	“Your connection is not private” warning	Renew immediately; set up auto-renewal with your CA
Missing intermediate	Works in Chrome but fails in Firefox or mobile	Install the intermediate certificate from your CA
Domain mismatch	“Certificate does not match” error	Reissue with correct SANs or use a wildcard certificate
Self-signed certificate	Browser warning on every visit	Replace with a certificate from a trusted CA like Let’s Encrypt
Mixed content	Padlock icon shows warning or disappears	Update all resource URLs to HTTPS
Weak key or algorithm	Certificate may be rejected by modern browsers	Regenerate with 2048-bit RSA or 256-bit ECDSA and SHA-256
HSTS not configured	First visit still uses HTTP before redirect	Add Strict-Transport-Security header with appropriate max-age

Ongoing SSL Monitoring

SSL verification is not a one-time task. Certificates expire, CAs revoke certificates, server configurations change during updates, and new subdomains may need coverage. Build these checks into your routine:

Monitor expiry dates — check your certificate expiry monthly, or set up automated alerts. Even with auto-renewal services like Certbot, renewals can fail silently due to DNS changes, server misconfigurations, or firewall rules blocking the CA’s validation.
Test after server changes — any change to your web server configuration (updating Apache, Nginx, or your hosting panel) can affect SSL. Run the SSL Certificate Checker after every server update.
Verify new subdomains — when you add a subdomain, ensure it is covered by your certificate. Wildcard certificates cover new subdomains automatically, but standard certificates require reissuance.
Check from multiple locations — some SSL issues only appear from certain geographic locations or network paths due to CDN configurations or regional certificate caching.
Review Certificate Transparency logs — Certificate Transparency (CT) is a public logging system that records every certificate issued for your domain. Monitoring CT logs helps you detect unauthorized certificates issued for your domain, which could indicate a compromised CA or a targeted attack. Tools like crt.sh let you search CT logs for any domain.
Plan for certificate rotation — keep documentation of your certificate setup including the CA, key type, covered domains, and renewal process. When team members change or servers are migrated, this documentation prevents gaps in SSL coverage during the transition.

Developer working on code with laptop showing web application — Credit: Luke Peters via Unsplash

Frequently Asked Questions

How do I check if my SSL certificate is valid?

Enter your domain into the SSL Certificate Checker. It connects to your server and shows the certificate status, issuer, expiry date, domain coverage, chain completeness, and key strength. If any field shows an error, the tool explains what needs to be fixed.

What causes the “Your connection is not private” browser warning?

This warning appears when the SSL certificate is expired, self-signed, issued by an untrusted CA, does not match the domain name, or has an incomplete certificate chain. The SSL Certificate Checker identifies the specific cause so you can fix it directly.

How often should I check my SSL certificate?

Check after any server configuration change, and run a monthly verification to catch upcoming expirations. If you use Let’s Encrypt with auto-renewal, verify that renewals are actually succeeding — silent failures are common when DNS or firewall configurations change.

What is the difference between DV, OV, and EV certificates?

Domain Validated (DV) certificates verify you control the domain — these are the most common and what Let’s Encrypt provides. Organization Validated (OV) certificates verify the organization’s identity. Extended Validation (EV) certificates require the most thorough vetting. All three provide the same level of encryption; they differ only in the identity verification process.

Why does my SSL work in Chrome but not Firefox or Safari?

This almost always indicates a missing intermediate certificate. Chrome can sometimes find the missing intermediate through a mechanism called AIA fetching, but Firefox and Safari require the full chain to be sent by the server. Install the intermediate certificate from your CA to fix this.

Is a free SSL certificate from Let’s Encrypt as secure as a paid one?

Yes. Let’s Encrypt certificates use the same encryption standards (RSA 2048-bit or ECDSA P-256) and TLS protocols as paid certificates. The encryption strength is identical. Paid certificates may offer warranties, extended validation, or dedicated support, but the cryptographic security is the same.

What is HSTS and should I enable it?

HSTS (HTTP Strict Transport Security) is a response header that tells browsers to always connect via HTTPS, even if the user types http://. Once a browser sees the HSTS header, it will never make an insecure connection to your domain until the max-age expires. Enable it after confirming your SSL setup is correct — an HSTS mistake with a long max-age is difficult to undo.

How do I fix mixed content warnings after installing SSL?

Find all resources loaded over HTTP by checking your browser’s developer console (F12 > Console). Update hardcoded http:// URLs to https:// or use protocol-relative URLs (//). For WordPress sites, a search-and-replace on the database from http:// to https:// for your domain usually fixes most instances.

What happens when my SSL certificate expires?

Browsers immediately show a full-page security warning that most visitors will not click through. Your site becomes effectively inaccessible to the majority of users. Search engines may also temporarily drop your rankings. Renew your certificate before expiration — most CAs allow renewal up to 30 days early without losing any validity time.

Can I use one SSL certificate for multiple domains?

Yes. Multi-domain (SAN) certificates can cover multiple completely different domains on a single certificate. Wildcard certificates cover all subdomains of a single domain. Choose based on your needs — a wildcard for subdomains of one domain, or a multi-domain certificate for different domains.

Create your free account

Get access to IP lookup tools, bulk reports, and more. Free forever.