SSL/TLS Checker

When your browser connects to https://example.com, the server presents a certificate that proves it owns that domain. But your browser doesn't trust every certificate blindly — it only trusts a short list of root certificate authorities (Root CAs) that ship with the operating system.

A real-world SSL certificate isn't signed directly by a Root CA. Instead, there's a chain:

1. Leaf certificate — the one for your domain (*.example.com). Signed by an intermediate CA.
2. Intermediate certificate(s) — signed by the Root CA, trusted because of that signature. Can be one or two levels deep.
3. Root CA certificate — self-signed, shipped with the OS/browser. The anchor of trust.

Browsers accept the connection only if they can follow the chain from your leaf cert up to a trusted Root. If the server only sends the leaf cert without the intermediate, browsers get "NET::ERR_CERT_AUTHORITY_INVALID" — which is the single most common broken-SSL error.

Our SSL Checker above automatically walks the chain you send and tells you exactly where it breaks. Paste your hostname, click Check, and look at the "Chain" section — each level's issuer, subject and validity is rendered.

The short version: SSL is dead; TLS is what you actually use, but everyone still says "SSL certificate".

Technical timeline:

• SSL 1.0 (1994, Netscape) — never released publicly, broken at design.
• SSL 2.0 (1995) — deprecated in 2011, security flaws.
• SSL 3.0 (1996) — deprecated in 2015 after the POODLE attack.
• TLS 1.0 (1999) — renamed from SSL 3.1. Deprecated 2020.
• TLS 1.1 (2006) — deprecated 2020.
• TLS 1.2 (2008) — still widely used, considered secure.
• TLS 1.3 (2018) — current standard. Faster handshake, forward secrecy mandatory.

Modern servers should support TLS 1.2 + TLS 1.3 only. Disable everything older. Our SSL Checker shows the negotiated TLS version and flags anything below 1.2 as a critical issue.

The certificates themselves aren't different between SSL and TLS — they're X.509 certificates either way. "SSL certificate" is just the colloquial name that stuck.

SSL/TLS handshake failure = client and server couldn't agree on how to establish the secure channel. Common causes, ordered by how often we see them:

• Expired certificate — check "Valid until" in our tool. Most Let's Encrypt auto-renewals silently fail when a DNS change broke the challenge; certbot logs tell the story.
• Wrong hostname in SAN — the certificate covers www.example.com but you're connecting to example.com (or vice versa). Fix: reissue with both names in the SAN list, or add a 301 redirect at the infra layer.
• Missing intermediate certificate — server serves leaf only. Fix depends on server software: nginx needs the full fullchain.pem in ssl_certificate; Apache needs SSLCertificateChainFile; Cloudflare/Let's Encrypt bundle the chain automatically.
• TLS version mismatch — client refuses TLS 1.0/1.1 but server only offers those. Fix: enable TLS 1.2 on the server.
• Cipher suite mismatch — rare. Client and server can't find a shared cipher they both trust. Usually triggered by servers stuck on an old OpenSSL.
• SNI not configured — virtual host without SNI returns the default cert, which doesn't match the requested hostname. Fix: enable SNI on the server (default for nginx/Apache these days; Windows Server older versions needed explicit toggle).
• Firewall blocking cert-chain fetch — some outbound firewalls block AIA (Authority Information Access) URLs, so the OS can't fetch missing intermediates on the fly.

Let's Encrypt issues free 90-day SSL/TLS certificates, auto-renewed by certbot or acme.sh. For most servers:

# Ubuntu / Debian (nginx)
sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d example.com -d www.example.com

# macOS (via Homebrew)
brew install certbot
sudo certbot --nginx -d example.com

Certbot edits your nginx config automatically, drops in the right ssl_certificate paths, and sets a systemd timer for renewal. No further action needed for 90% of sites.

Alternative: Caddy automates SSL end-to-end — you don't even run certbot. Put example.com in your Caddyfile and Caddy requests + renews the cert on your behalf. Great default for hobby projects.

For static hosting (Vercel, Netlify, Cloudflare Pages, GitHub Pages, Azure Static Web Apps) SSL is automatic and free — nothing to configure.