SnoopTool
How-to

How to Check a Website's SSL Certificate

Expiry, issuer and chain — plus what each browser certificate error actually means.

Enter the domain into an SSL checker to see the certificate's expiry date, issuer, covered domains and chain. In a browser, click the padlock → Connection is secure → Certificate is valid. The most common failure by far is a missing intermediate certificate: the site works in Chrome on your laptop but fails on mobile and in API clients — because desktop browsers often cache intermediates that other clients don't have.

Last updated 17 July 2026 IST · Maintained by SnoopTool, a free online tools website with 165+ browser-based utilities.
Browser certificate errors and what each one actually means
ErrorCauseFix
NET::ERR_CERT_DATE_INVALIDExpired -- or your device clock is wrongRenew; if only one device fails, fix its clock
NET::ERR_CERT_COMMON_NAME_INVALIDCertificate doesn't cover this hostnameReissue including www and apex
NET::ERR_CERT_AUTHORITY_INVALIDSelf-signed, or chain incompleteInstall the intermediate certificate
SSL_ERROR_BAD_CERT_DOMAINHostname mismatchCheck the SAN list
Mixed content warningHTTPS page loading HTTP assetsFix the asset URLs, not the certificate

The incomplete chain trap

This is the error that wastes the most time, because it presents as “works on my machine”.

A certificate chain runs leaf → intermediate → root. Your server must send the leaf and the intermediate; only the root is expected to be in the client's trust store. If you install only the leaf, desktop Chrome often still works — it has cached that intermediate from other sites or fetches it automatically.

But mobile browsers, curl, Java clients, payment gateways and webhook senders don't. So the site looks fine to you and fails for a meaningful share of real users and every integration partner. If someone reports an SSL error you can't reproduce, check the chain first — an SSL checker tests from outside, with no cache.

Expiry is a process problem, not a technical one

Let's Encrypt certificates last 90 days and renew automatically via cron or systemd timer. In principle it's solved. In practice, expiry outages remain common, because renewal fails silently:

That last one is especially nasty: your certificate file on disk is fine, and the site still fails. Monitor the certificate as served over the network, not the file on disk, and alert at 14 days remaining.

Tools used in this guide

Frequently asked questions

How do I check if a website's SSL certificate is valid?

Enter the domain into an SSL checker, which fetches the live certificate and shows expiry, issuer, covered domains and whether the chain is complete. In a browser, click the padlock → Connection is secure → Certificate is valid. Checking from an external tool matters because your browser may have cached intermediates that other clients lack.

What does NET::ERR_CERT_DATE_INVALID mean?

The certificate is outside its validity window — usually expired. But if only one device shows the error while others are fine, the cause is that device's clock being wrong, since certificate validity is checked against local system time. Check the certificate's actual expiry with an SSL checker first; that tells you immediately which of the two it is.

Why does my SSL work on desktop but not mobile?

Almost certainly an incomplete certificate chain. Your server is sending only the leaf certificate without the intermediate. Desktop Chrome often compensates by using a cached intermediate or fetching it automatically; mobile browsers, curl, Java clients and payment gateways don't. Install the intermediate certificate on the server — an external SSL checker will confirm the chain is complete.

How often do SSL certificates need renewing?

Let's Encrypt certificates last 90 days; commercial certificates typically last 1 year (the industry maximum is falling over time). Renewal is normally automated, but silent failures are the leading cause of SSL outages — a removed cron job, a blocked challenge path, or a renewal that succeeded without reloading the web server. Monitor the certificate as served over the network and alert at 14 days remaining.

Need a tool we don't have yet?

Tell us what you're trying to do. We build the most-requested tools first — every SnoopTool utility is free, runs in your browser, and needs no sign-up.