Free SSL Certificate Checker
Uptime monitoring for CIS startups — verify your SSL/TLS configuration in seconds, no account required
Understanding Your SSL Certificate Report
When you run a check, Statusly opens a TCP connection to your server on port 443, performs a full TLS handshake, and parses every extension in the X.509 certificate. The resulting report breaks down each critical field so you can spot misconfigurations before your users do.
Issuer & Subject
Shows the Certificate Authority that signed the certificate and the entity it belongs to. Example: Issuer — Let's Encrypt Authority X3; Subject — CN=shop.example.com, O=Example LLC, L=Moscow, C=RU. A mismatch here usually means the wrong certificate was uploaded to the server.
Validity Period
Not Before and Not After timestamps. Let's Encrypt certificates expire after 90 days (2,592,000 seconds). If the remaining days drop below 30, enable auto-renewal via Certbot or switch to Statusly's SSL expiry monitoring to receive Slack or email alerts.
Signature Algorithm & Key Size
Modern certificates use SHA-256 with RSA 2048-bit or ECDSA P-256 keys. SHA-1 has been deprecated since 2017 and triggers warnings in Chrome 120+. RSA 1024-bit keys are actively rejected by all major browsers. Statusly flags anything below current best practices in red.
Subject Alternative Names (SANs)
Lists all hostnames covered by the certificate. A wildcard entry like *.example.com covers sub.example.com but not sub.sub.example.com. If your application serves api.example.com but the SAN list only includes example.com, browsers will show NET::ERR_CERT_COMMON_NAME_INVALID.
Certificate Chain
Displays the full chain from leaf certificate to root CA. A typical chain has three links: leaf → intermediate → root. A missing intermediate certificate is the leading cause of SEC_ERROR_UNKNOWN_ISSUER on Firefox and Android stock browsers. Statusly verifies each link's serial number and issuer hash.
TLS Protocol & Cipher Suites
Shows which protocol versions (TLS 1.2, TLS 1.3) and cipher suites the server accepts. TLS 1.0 and 1.1 were deprecated in March 2021. Statusly tests all four major protocol versions and lists negotiated ciphers in order of server preference — RC4 and 3DES suites are flagged as insecure.
Common SSL Configuration Errors
These are the misconfigurations our monitoring system catches most often across the 12,000+ hosts we track. Each entry includes the browser error you'll see and the exact fix.
ERR_CERT_DATE_INVALID
The certificate has expired or the server clock is more than 24 hours off. Fix: renew the certificate via your CA's ACME client or correct NTP sync on the server. On Ubuntu run sudo timedatectl set-ntp true. Statusly sends a notification 14 days before expiry when you add the host to your dashboard.
ERR_CERT_AUTHORITY_INVALID
The issuing CA is not trusted by the client — usually a self-signed or privately-signed certificate. Fix: replace with a certificate from a public CA (Let's Encrypt, Sectigo, DigiCert) and ensure the full chain is configured in nginx or Apache. Self-signed certs are fine for internal tools but will break every public-facing endpoint.
ERR_CERT_COMMON_NAME_INVALID
The domain the user visited does not appear in the certificate's SAN or Common Name field. Fix: reissue the certificate with the correct hostname. If you use a wildcard, remember that *.example.com does not match example.com itself — add example.com as a separate SAN entry.
SEC_ERROR_UNKNOWN_ISSUER
The intermediate certificate is missing from the server's chain configuration. Fix: concatenate the leaf cert and intermediate cert into a single PEM file. In nginx, set ssl_certificate to the combined file. In Apache, add SSLCertificateChainFile. Statusly's chain verification step pinpoints exactly which link is broken.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
The server only supports deprecated protocols (SSLv3, TLS 1.0) or weak ciphers. Fix: in nginx, set ssl_protocols TLSv1.2 TLSv1.3; and ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';. Test with Statusly to confirm only green ciphers remain.
ERR_CERT_WEAK_SIGNATURE_ALGORITHM
The certificate was signed with SHA-1, which Chrome 120+ and Safari 17+ reject outright. Fix: request a new certificate with SHA-256 or SHA-384 from your CA. If you're using a legacy CA that only offers SHA-1, switch to a modern provider. Statusly highlights the algorithm field in amber when SHA-1 is detected.
Found a certificate issue? Add your domain to Statusly and we'll monitor SSL expiry, chain integrity, and TLS configuration every 5 minutes — free for up to 5 hosts.