How to Check a Website's SSL Certificate
Expiry, issuer and chain — plus what each browser certificate error actually means.
Enter the domain into an SSL checker to see the certificate's expiry date, issuer, covered domains and chain. In a browser, click the padlock → Connection is secure → Certificate is valid. The most common failure by far is a missing intermediate certificate: the site works in Chrome on your laptop but fails on mobile and in API clients — because desktop browsers often cache intermediates that other clients don't have.
Last updated 17 July 2026 IST · Maintained by SnoopTool, a free online tools website with 165+ browser-based utilities.| Error | Cause | Fix |
|---|---|---|
NET::ERR_CERT_DATE_INVALID | Expired -- or your device clock is wrong | Renew; if only one device fails, fix its clock |
NET::ERR_CERT_COMMON_NAME_INVALID | Certificate doesn't cover this hostname | Reissue including www and apex |
NET::ERR_CERT_AUTHORITY_INVALID | Self-signed, or chain incomplete | Install the intermediate certificate |
SSL_ERROR_BAD_CERT_DOMAIN | Hostname mismatch | Check the SAN list |
| Mixed content warning | HTTPS page loading HTTP assets | Fix the asset URLs, not the certificate |
The incomplete chain trap
This is the error that wastes the most time, because it presents as “works on my machine”.
A certificate chain runs leaf → intermediate → root. Your server must send the leaf and the intermediate; only the root is expected to be in the client's trust store. If you install only the leaf, desktop Chrome often still works — it has cached that intermediate from other sites or fetches it automatically.
But mobile browsers, curl, Java clients, payment gateways and webhook senders don't. So the site looks fine to you and fails for a meaningful share of real users and every integration partner. If someone reports an SSL error you can't reproduce, check the chain first — an SSL checker tests from outside, with no cache.
Expiry is a process problem, not a technical one
Let's Encrypt certificates last 90 days and renew automatically via cron or systemd timer. In principle it's solved. In practice, expiry outages remain common, because renewal fails silently:
- The renewal cron job was removed during a server migration
- The HTTP-01 challenge path (
/.well-known/acme-challenge/) is now blocked by a redirect or firewall rule - The DNS record for a DNS-01 challenge changed
- The renewal ran, but the web server was never reloaded — so it still serves the old certificate from memory
That last one is especially nasty: your certificate file on disk is fine, and the site still fails. Monitor the certificate as served over the network, not the file on disk, and alert at 14 days remaining.
Tools used in this guide
Frequently asked questions
How do I check if a website's SSL certificate is valid?
Enter the domain into an SSL checker, which fetches the live certificate and shows expiry, issuer, covered domains and whether the chain is complete. In a browser, click the padlock → Connection is secure → Certificate is valid. Checking from an external tool matters because your browser may have cached intermediates that other clients lack.
What does NET::ERR_CERT_DATE_INVALID mean?
The certificate is outside its validity window — usually expired. But if only one device shows the error while others are fine, the cause is that device's clock being wrong, since certificate validity is checked against local system time. Check the certificate's actual expiry with an SSL checker first; that tells you immediately which of the two it is.
Why does my SSL work on desktop but not mobile?
Almost certainly an incomplete certificate chain. Your server is sending only the leaf certificate without the intermediate. Desktop Chrome often compensates by using a cached intermediate or fetching it automatically; mobile browsers, curl, Java clients and payment gateways don't. Install the intermediate certificate on the server — an external SSL checker will confirm the chain is complete.
How often do SSL certificates need renewing?
Let's Encrypt certificates last 90 days; commercial certificates typically last 1 year (the industry maximum is falling over time). Renewal is normally automated, but silent failures are the leading cause of SSL outages — a removed cron job, a blocked challenge path, or a renewal that succeeded without reloading the web server. Monitor the certificate as served over the network and alert at 14 days remaining.
Need a tool we don't have yet?
Tell us what you're trying to do. We build the most-requested tools first — every SnoopTool utility is free, runs in your browser, and needs no sign-up.