ismycodesafe.com
← All tools

SSL/TLS Certificate Checker

Verify SSL certificate validity, expiration, protocol version, and cipher strength in seconds. No signup required.

What is SSL/TLS?

SSL/TLS is the cryptographic protocol that encrypts data between a browser and a web server. When you see the padlock icon in your address bar, your connection is protected by TLS — typically version 1.2 or 1.3. The certificate itself is an X.509 file signed by a Certificate Authority (CA) like Let's Encrypt, DigiCert, or Sectigo. It binds a public key to your domain name, proving to visitors that they're talking to your server and not an impostor.

Without TLS, everything travels in plaintext. A risk documented extensively by the IETF in RFC 8446. Passwords, cookies, form data, API tokens — all readable by anyone on the same network. A coffee-shop attacker running Wireshark can harvest credentials in seconds. TLS prevents that with a combination of asymmetric key exchange (ECDHE or RSA) and symmetric encryption (AES-GCM or ChaCha20-Poly1305). The handshake establishes a shared secret; the symmetric cipher encrypts the actual traffic at wire speed.

For more on certificate types, chain validation, and pinning strategies, read our SSL/TLS certificates guide.

What This Tool Checks

Enter any domain and our checker connects on port 443, completes a TLS handshake, and inspects the server's certificate and negotiated parameters. Here's exactly what we report:

CheckWhat it meansWhy it matters
Certificate validityWhether the cert is trusted, not expired, and matches the hostnameInvalid certs trigger browser warnings and block visitors
Expiry dateExact expiration timestamp and days remainingExpired certificates cause site outages — Netflix, Microsoft, and Equifax have all suffered this
Issuer (CA)Which Certificate Authority signed the certificateIdentifies if you're using a trusted public CA or a self-signed cert
Protocol versionNegotiated TLS version (1.2, 1.3, or older)TLS 1.0 and 1.1 are deprecated — PCI DSS requires 1.2 minimum
Cipher suiteThe specific encryption algorithm negotiatedWeak ciphers (RC4, 3DES, CBC without AEAD) are exploitable

Want to check your HTTP response headers too? Try our Header Security Checker.

TLS Versions Explained

Not all TLS versions are created equal. The protocol has evolved significantly since SSL 3.0 was published in 1996. Here's how the versions compare:

VersionYearStatusNotes
SSL 3.01996DeprecatedBroken by POODLE attack (CVE-2014-3566)
TLS 1.01999DeprecatedVulnerable to BEAST. Removed by all major browsers in 2020
TLS 1.12006DeprecatedNo known critical vulns, but lacks AEAD ciphers
TLS 1.22008SupportedSecure with AEAD ciphers. PCI DSS minimum. ~95% of web traffic
TLS 1.32018Recommended1-RTT handshake, 0-RTT resumption, mandatory forward secrecy

Our recommendation: Enable TLS 1.3 as default and keep TLS 1.2 for backward compatibility. Disable everything older. In Nginx, that's ssl_protocols TLSv1.2 TLSv1.3;

Common SSL/TLS Issues

We see these problems constantly in our scans. Some are silent until they suddenly break your site.

Expired certificate

The most common issue. Let's Encrypt certificates expire every 90 days. If your auto-renewal cron job fails silently — a misconfigured certbot timer, a DNS challenge that can't resolve, a firewall blocking port 80 — your site goes down with a full-page browser warning. Set up monitoring that alerts at 30, 14, and 7 days before expiry.

Self-signed certificate

Fine for development. Completely unacceptable for production. Browsers don't trust self-signed certs because there's no third-party verification. Visitors see a scary "Your connection is not private" warning. Use Let's Encrypt — it's free, automated, and trusted by every major browser.

Mixed content

Your page loads over HTTPS, but some images, scripts, or stylesheets are requested over HTTP. Active mixed content (scripts, iframes) gets blocked entirely. Passive mixed content (images) loads but triggers a warning. Fix by updating hardcoded http:// URLs to https:// or using protocol-relative // prefixes.

Hostname mismatch

The certificate was issued for www.example.com but your site is served from example.com(or vice versa). The fix: use a certificate with Subject Alternative Names (SANs) covering both the bare domain and the www subdomain. Let's Encrypt handles this with certbot -d example.com -d www.example.com.

Weak cipher suites

If your server still negotiates RC4, 3DES, or export-grade ciphers, attackers can decrypt traffic. The SWEET32 attack targets 64-bit block ciphers like 3DES. The FREAK and Logjam attacks exploit export-grade and 512-bit DH parameters. Modern servers should only offer AEAD ciphers: AES-128-GCM, AES-256-GCM, and ChaCha20-Poly1305.

TLS 1.0 / 1.1 still enabled

All major browsers dropped TLS 1.0 and 1.1 support in early 2020. PCI DSS 3.2.1 requires TLS 1.2 minimum for payment processing. If your server still offers these versions, you're carrying unnecessary attack surface. Disable them — the percentage of clients that need them is effectively zero in 2025.

How to Fix SSL Issues

Most SSL problems have straightforward fixes. Here's a practical checklist:

1.

Install Let's Encrypt with Certbot

Run sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com and Certbot handles certificate issuance, Nginx configuration, and sets up a systemd timer for automatic renewal. For Apache, swap --nginx with --apache.

2.

Enable auto-renewal and test it

Verify the timer is active: sudo systemctl status certbot.timer. Do a dry run: sudo certbot renew --dry-run. Set up a cron-based alert that checks expiry with openssl s_client and emails you if the certificate has fewer than 14 days left.

3.

Enable HSTS

Add the Strict-Transport-Security header with max-age=31536000; includeSubDomains; preload. This tells browsers to always use HTTPS, preventing SSL-stripping attacks. Check your headers with our HTTP Header Security Checker.

4.

Force HTTPS redirects

Configure a 301 redirect from HTTP to HTTPS at the server level. In Nginx: return 301 https://$host$request_uri;. Don't rely on application-level redirects — they run too late and may leak data on the initial request.

5.

Harden your cipher configuration

Use Mozilla's SSL Configuration Generator to produce a secure config for your specific server and OpenSSL version. Choose the "Intermediate" profile for broad compatibility or "Modern" if you only need to support recent browsers.

6.

Set a Content Security Policy

A strong CSP prevents mixed content by restricting which origins can serve resources. Use upgrade-insecure-requests to automatically rewrite HTTP sub-resource URLs to HTTPS. Generate a policy with our CSP Header Generator.

SSL/TLS and SEO

Google has used HTTPS as a ranking signal since August 2014. It started as a lightweight signal, but its importance has grown. In the 2023 documentation leak, HTTPS status appeared as one of the direct page-quality signals. Beyond rankings, there are practical effects you can measure.

  • Browser warnings kill conversion. Chrome's "Not Secure" label on HTTP pages increased bounce rates by 10-20% in A/B tests run by several e-commerce sites in 2019.
  • HTTP/2 requires HTTPS. No major browser supports HTTP/2 over plaintext. Losing HTTP/2 means losing multiplexed connections, header compression, and server push — a measurable performance hit that affects Core Web Vitals.
  • Referrer data is lost without HTTPS. When traffic goes from an HTTPS page to an HTTP page, the Referer header is stripped. Your analytics will show these visits as "direct" traffic, hiding where your users actually come from.
  • Google indexes HTTPS pages preferentially. When both HTTP and HTTPS versions of a page exist, Google canonicalizes to HTTPS. If you haven't set up proper redirects, you're splitting your link equity between two URLs.

HTTPS alone won't get you to page one. But missing it actively hurts. Pair your SSL certificate with proper HTTP security headers for the full security posture that Google expects.

Frequently Asked Questions

What is the difference between SSL and TLS?
SSL (Secure Sockets Layer) is the predecessor to TLS (Transport Layer Security). SSL 3.0 was deprecated in 2015 due to the POODLE vulnerability (CVE-2014-3566). TLS 1.0 replaced SSL 3.0 in 1999, and the current standard is TLS 1.3, published as RFC 8446 in August 2018. People still say 'SSL certificate' out of habit, but every modern certificate actually uses TLS.
How often should I renew my SSL/TLS certificate?
That depends on your certificate authority. Let's Encrypt issues certificates valid for 90 days and recommends renewing at 60 days. Commercial CAs like DigiCert and Sectigo sell 1-year certificates (the CA/Browser Forum capped public certificate lifetimes at 398 days in September 2020). Apple proposed reducing this to 45 days by 2027. Automate renewal with certbot or ACME clients to avoid unexpected expiration.
Is TLS 1.2 still secure?
Yes, TLS 1.2 remains secure when configured correctly. Disable CBC-mode ciphers and use AEAD suites like AES-256-GCM or CHACHA20-POLY1305. That said, TLS 1.3 is faster (one fewer round-trip in the handshake) and removes all legacy cipher suites by design. If your server supports it, prefer TLS 1.3 and keep TLS 1.2 as a fallback for older clients.
What causes 'certificate not trusted' browser warnings?
Four common causes: (1) Self-signed certificates that aren't in the browser's trust store. (2) Missing intermediate certificates in your server's certificate chain. The browser can't trace a path to a trusted root CA. (3) An expired certificate. (4) A hostname mismatch where the domain in the URL doesn't match the certificate's Common Name or Subject Alternative Name. Our checker verifies all four.
Does an SSL certificate improve my Google ranking?
Google confirmed HTTPS as a ranking signal in 2014 and has steadily increased its weight. Chrome marks HTTP pages as 'Not Secure' since version 68 (July 2018). While HTTPS alone won't launch you to page one, missing it actively hurts both rankings and user trust. It's table stakes for any site that wants to compete in search.
What is mixed content and why is it dangerous?
Mixed content happens when an HTTPS page loads sub-resources (images, scripts, stylesheets, iframes) over plain HTTP. 'Active' mixed content (scripts and stylesheets) is blocked by default in all modern browsers because an attacker could modify the HTTP response and inject malicious code. 'Passive' mixed content like images may still load but triggers a warning. Fix it by updating all resource URLs to HTTPS or using protocol-relative paths.
How does the TLS handshake work?
In TLS 1.3, the handshake completes in one round-trip (1-RTT). The client sends a ClientHello with supported cipher suites and key shares. The server responds with its chosen cipher, its certificate, and the finished message. All in one flight. Both sides then derive session keys from the shared secret. TLS 1.2 requires two round-trips because cipher negotiation and key exchange happen in separate steps.
What cipher suites should I use in 2025?
For TLS 1.3: TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, and TLS_AES_128_GCM_SHA256. These are the only options. TLS 1.3 eliminated all insecure choices. For TLS 1.2 fallback: prefer ECDHE key exchange with AES-GCM or ChaCha20-Poly1305. Avoid RSA key exchange (no forward secrecy), RC4 (broken), 3DES (slow, 64-bit block), and any CBC-mode cipher without encrypt-then-MAC.
What is Certificate Transparency and why does it matter?
Certificate Transparency (CT) is a public logging system (RFC 6962) where CAs must publish every certificate they issue. Browsers like Chrome require at least two Signed Certificate Timestamps (SCTs) from independent CT logs. This means if someone fraudulently issues a certificate for your domain, it shows up in public logs and you can detect it. Monitor your domains at crt.sh (https://crt.sh/) or use Google's CT search.
Can I use a free SSL certificate for production?
Absolutely. Let's Encrypt has issued over 4 billion certificates since 2015. Their DV (Domain Validation) certificates are cryptographically identical in strength to paid DV certificates. Same RSA-2048 or ECDSA P-256 keys, same browser trust. Paid certificates offer Organization Validation (OV) or Extended Validation (EV) which display the company name, plus warranty coverage and dedicated support. For most sites, Let's Encrypt is sufficient.

Related Security Tools

SSL is just one layer of your site's security. Check these related areas:

Header Security Checker

Verify HSTS, CSP, X-Frame-Options, and 10+ other HTTP security headers.

CSP Header Generator

Build a Content Security Policy that blocks mixed content, XSS, and data injection.

Cookie Analyzer

Check Secure, HttpOnly, SameSite flags and cookie security best practices.

Go Beyond SSL

SSL is critical but it's only one piece. Our full security scan runs 150+ checks including OWASP Top 10, exposed ports, CVE lookups, DNS analysis, and more — all from a single URL.

Need the full picture?

Run a complete security audit with 150+ checks, OWASP Top 10, and CVE lookup.

Run Full Scan