SSL Certificate Checker

Disable TLS 1.0 and 1.1 on your server. Enable TLS 1.2 and 1.3. For Apache: SSLProtocol -all +TLSv1.2 +TLSv1.3. For Nginx: ssl_protocols TLSv1.2 TLSv1.3;

Check all CDN edge locations have the same certificate deployed. Verify origin server certificate matches CDN. Purge CDN cache after certificate updates. Check if geo-routing serves different origins.

CDNs and load balancers often serve different SSL certificates at different edge locations. A certificate might be properly deployed in US data centers but expired or misconfigured in European nodes. Regional mismatches can also occur during certificate renewals if not all edges are updated simultaneously. Multi-region testing catches these inconsistencies before they affect users.

An intermediate certificate bridges the trust between your SSL certificate and the root CA (Certificate Authority) in browser trust stores. Without it, browsers can't verify your certificate's authenticity, causing "connection not private" errors. Some browsers cache intermediates, so the error may appear on some devices but not others. Always include your CA's intermediate certificate bundle.

Enter your domain above to see days until expiry. You can also check manually: click the padlock in your browser's address bar, view certificate details, and look for "Valid To" date. For command line: openssl s_client -connect domain.com:443 | openssl x509 -noout -dates. Set up monitoring alerts to notify you 30+ days before expiration.

Modern servers should support TLS 1.2 and TLS 1.3. TLS 1.3 is the latest standard with improved security and faster handshakes. TLS 1.0 and 1.1 are deprecated and blocked by major browsers since 2020. If our tool shows TLS 1.0/1.1, update your server configuration immediately to maintain security and browser compatibility.

CDNs typically terminate SSL at their edge and may use their own certificates (like Cloudflare's Universal SSL) or your uploaded certificate. If certificates don't match, check: 1) CDN SSL settings for custom certificate upload, 2) Origin pull settings if using Full (Strict) mode, 3) Whether CDN cache needs purging after certificate updates. Multi-region checks help identify edge-specific certificate issues.

Your server is sending only the end-entity (leaf) certificate without intermediate certificates. Browsers need the full chain to verify trust back to a root CA. Fix by concatenating your certificate with intermediate certificates in this order: your cert → intermediate(s) → (optional root). Most CAs provide a "full chain" or "bundle" file for this purpose.

Check immediately after any certificate changes or server updates. For ongoing monitoring, weekly checks catch issues before they affect users. Critical sites should use automated monitoring with alerts. Free Let's Encrypt certificates expire every 90 days, requiring more frequent attention than annual certificates from traditional CAs.