Your site has an SSL certificate. Chrome shows the padlock. Everything's fine, right? Maybe. Certificate issues often develop silently: approaching expiration, chain problems, weak algorithms, misconfigured SANs. By the time you notice, visitors are seeing warning pages and leaving.
What an SSL check reveals
A thorough SSL check examines:
Certificate validity period: When was it issued? When does it expire? Let's Encrypt certificates expire after 90 days. Commercial certificates expire after 1-2 years (the max is now 398 days per CA/Browser Forum rules). Expiration is the most common SSL failure. Set up automated renewal and monitoring.
Certificate chain: Your server needs to send not just its own certificate but the intermediate certificates that chain up to a trusted root CA. Missing intermediate certificates cause validation failures in some browsers and devices while working fine in others (because some browsers cache intermediates).
Subject Alternative Names (SANs): The domains listed on the certificate. If your cert covers example.com and www.example.com but not api.example.com, visitors to the API subdomain see a certificate mismatch warning. Check that all your actively-used domains are covered.
Key size and algorithm: RSA keys should be at least 2048 bits. Certificates signed with SHA-1 are rejected by all modern browsers. ECDSA certificates (using P-256 or P-384) are preferred for performance.
Protocol support: TLS 1.2 and 1.3 should be enabled. TLS 1.0 and 1.1 should be disabled (they're deprecated and have known vulnerabilities). SSL 2.0 and 3.0 should absolutely be disabled.
Cipher suites: The server should prefer strong cipher suites: AEAD ciphers (AES-GCM, ChaCha20-Poly1305) over CBC-mode ciphers. Forward secrecy (ECDHE key exchange) should be prioritized.
Common problems
Mixed content: Your page loads over HTTPS but includes resources (images, scripts, stylesheets) over HTTP. Modern browsers block mixed active content (scripts) and may warn about mixed passive content (images). The fix: update all resource URLs to HTTPS or use protocol-relative URLs (//).
Certificate name mismatch: The domain in the browser doesn't match any of the certificate's SANs. This happens when you add a subdomain but don't update the certificate, or when a CDN serves the wrong certificate.
Expired certificate: The most preventable error. Set up automated renewal (certbot for Let's Encrypt) and monitoring that alerts before expiration.
Incomplete chain: The server sends the leaf certificate but not the intermediates. Firefox fetches missing intermediates via AIA (Authority Information Access), but Chrome and Safari may not. Always send the full chain.
HSTS misconfiguration: HTTP Strict Transport Security tells browsers to always use HTTPS. Once set with a long max-age, you can't easily go back to HTTP. If you enable HSTS before your certificate is properly configured, browsers will refuse to connect even if you remove the HSTS header (because the browser cached it).
Automated monitoring
Check your SSL certificates at least weekly. Services like UptimeRobot, Pingdom, or a simple cron job with openssl s_client can alert you to issues:
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates
This outputs the certificate's notBefore and notAfter dates. Compare notAfter to the current date and alert if it's within 14 days.
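The comparison described above, as an added example that is not part of the original post: it runs the same two openssl commands, parses the notBefore/notAfter lines, and applies the 14-day threshold. The function names and status labels are hypothetical, and the sample output is constructed. Because `2>/dev/null` hides handshake errors, empty output is treated as a failure rather than a pass.

```python
import ssl
import subprocess
import sys
from datetime import datetime, timezone

WARN_DAYS = 14  # alert threshold from the article

# Constructed sample of `openssl x509 -noout -dates` output (not from a real site)
SAMPLE = "notBefore=Mar  1 00:00:00 2025 GMT\nnotAfter=May 30 00:00:00 2025 GMT\n"

def parse_dates(openssl_output):
    """Return {'notBefore': dt, 'notAfter': dt} as UTC datetimes."""
    dates = {}
    for line in openssl_output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # cert_time_to_seconds understands OpenSSL's "May 30 00:00:00 2025 GMT"
            secs = ssl.cert_time_to_seconds(value)
            dates[key] = datetime.fromtimestamp(secs, tz=timezone.utc)
    return dates

def classify(openssl_output, now=None, warn_days=WARN_DAYS):
    """Return (status, days_left); missing dates never count as a pass."""
    now = now or datetime.now(timezone.utc)
    dates = parse_dates(openssl_output)
    if "notBefore" not in dates or "notAfter" not in dates:
        return ("NO_CERT", None)  # handshake failed or no certificate was printed
    days_left = (dates["notAfter"] - now).days
    if now < dates["notBefore"]:
        return ("NOT_YET_VALID", days_left)
    if now >= dates["notAfter"]:
        return ("EXPIRED", days_left)
    if days_left <= warn_days:
        return ("EXPIRING", days_left)
    return ("OK", days_left)

def check_host(host, port=443):
    """Run the article's pipeline without a shell, so host is never interpolated."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, timeout=15)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-dates"],
                          input=s_client.stdout, capture_output=True)
    return classify(x509.stdout.decode())

if __name__ == "__main__":
    status, days = check_host(sys.argv[1] if len(sys.argv) > 1 else "example.com")
    print(status, days)
    sys.exit(0 if status == "OK" else 1)  # non-zero exit lets cron mail the alert
```

Run from cron, any status other than OK exits non-zero, so an expired certificate, a failed handshake, and a certificate inside the warning window all raise the alert.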
I built an SSL checker at zovo.one/free-tools/ssl-checker that examines certificate validity, chain completeness, protocol support, and cipher configuration. Enter a domain and get a complete security assessment of your HTTPS setup.
I'm Michael Lip. I build free developer tools at zovo.one. 500+ tools, all private, all free.
Top comments (1)
This is stuff vibe coders miss and then wonder why their SaaS isn't working