Free SSL Certificate Checker — Security Grade, Expiry & TLS Details

The grade is calculated from three factors: TLS protocol version, key strength and days remaining. A+ (Best) — TLS 1.3, key ≥ 2048 bits, more than 30 days remaining. Optimal configuration. No action needed. A — TLS 1.3 with a strong key but expiring within 30 days, or TLS 1.2 with strong key and >30 days. Excellent — consider scheduling renewal if expiry is near. B — TLS 1.2 with a 2048-bit or stronger key. Still acceptable for most purposes but upgrading to TLS 1.3 is recommended for better performance (TLS 1.3 handshakes are ~40% faster). C — TLS 1.2 with a weaker configuration or key under 2048 bits. Action recommended: contact your hosting provider to upgrade the TLS configuration and key size. D — Certificate expires in under 7 days. Urgent action required: renew immediately to avoid visitor-blocking security warnings. F — Certificate is expired, unreachable, or self-signed on a public domain. Visitors are seeing a browser security warning right now. Renew and reinstall the certificate immediately.

SSL (Secure Sockets Layer) was the original protocol for encrypting web connections, developed by Netscape in the 1990s. It was replaced by TLS (Transport Layer Security), which is the current standard. Despite this, the industry still calls digital certificates "SSL certificates" — a legacy naming convention. Version history and status: • SSL 2.0 (1995) — Retired. Critically vulnerable. • SSL 3.0 (1996) — Retired. Vulnerable to POODLE attack. • TLS 1.0 (1999) — Deprecated by all major browsers in 2020. • TLS 1.1 (2006) — Deprecated by all major browsers in 2020. • TLS 1.2 (2008) — Still widely supported and acceptable. Minimum standard. • TLS 1.3 (2018) — Current best practice. Faster (1-RTT handshake vs 2-RTT), removes weak cipher options, mandatory forward secrecy. You should target TLS 1.3 with TLS 1.2 as a fallback for legacy clients. TLS 1.0 and 1.1 should be disabled entirely on your server. Most modern hosting platforms (Cloudflare, Nginx, Apache with OpenSSL 1.1+) support TLS 1.3 by default.

The renewal process depends on how your certificate was originally issued: Let's Encrypt (free, 90-day certificates): Most hosting panels (cPanel, Plesk, Cloudflare, Netlify, Vercel) handle Let's Encrypt renewals automatically via a cron job or ACME client. If it's not auto-renewing, run: certbot renew (on your server), or enable automatic renewal in your hosting panel settings. Commercial certificates (DigiCert, Sectigo, Comodo, etc.): 1. Generate a new CSR (Certificate Signing Request) from your server or hosting panel. 2. Submit the CSR to your certificate authority and complete domain validation. 3. Download the issued certificate files (.crt + .ca-bundle). 4. Install them via your hosting panel or server config (Nginx: ssl_certificate path; Apache: SSLCertificateFile path). 5. Reload your web server: nginx -s reload or systemctl restart apache2. 6. Verify with our SSL checker — the new expiry date should reflect the renewed term. After renewal, always re-check with our tool to confirm the new certificate is live and the grade is A or A+.

Subject Alternative Names (SANs) are the list of hostnames that a single certificate is authorised to protect. Modern certificates stopped relying on the older "Common Name" field and now use SANs exclusively for multi-domain coverage. A typical certificate might include these SANs: • example.com (the apex domain) • www.example.com (the www subdomain) • mail.example.com (the mail server) • api.example.com (an API endpoint) A wildcard certificate uses an asterisk: *.example.com. This covers every subdomain one level deep — www.example.com, api.example.com, blog.example.com — but NOT sub-subdomains like staging.api.example.com, and NOT the apex domain example.com itself (though most wildcard certificates also include example.com as a second SAN). Multi-domain (SAN/UCC) certificates can include completely different base domains in their SAN list — example.com and totally-different.com in a single certificate. This is common for SaaS platforms that serve multiple customer domains from shared infrastructure. Our SSL checker displays the complete SAN list so you can verify all hostnames are covered before going live.

Yes — HTTPS has been an official Google ranking signal since 2014, when Google announced it as a "lightweight" ranking factor. In practice, the signal is meaningful: sites without HTTPS receive a visible "Not Secure" warning in Chrome (affecting ~65% of global browser users), which increases bounce rates and damages trust — both of which hurt rankings indirectly. What matters for SEO specifically: • Valid, unexpired certificate — expired certs trigger security warnings that prevent users from accessing your site at all. • HTTPS implemented site-wide — not just the homepage. All pages should redirect HTTP to HTTPS with a 301 permanent redirect. • Consistent canonical URLs — your site should use either https://example.com or https://www.example.com consistently everywhere, not a mix. • No mixed content — all images, scripts and CSS loaded on HTTPS pages must also use HTTPS, or browsers will block or flag them. A certificate grade of B or above is sufficient for SEO purposes. The difference between A and A+ won't affect rankings, but an expired certificate (grade F) can completely de-index your site if Google's crawler can't access it.