Network Diagnostic Tools

SSL Certificate Check

Inspect a site's TLS certificate and expiry

What is an SSL certificate?

A site's TLS certificate proves its identity and encrypts traffic between the browser and server. An expired, self-signed or mismatched certificate breaks trust and triggers browser warnings that drive visitors away. IPeek connects directly to the host, reads the live certificate, and reports its issuer, validity window, days remaining, the names it covers and any problems it finds.

How a TLS certificate proves identity

During the TLS handshake the server presents a certificate signed by a trusted Certificate Authority. The browser checks that the certificate's name matches the hostname, that the signing chain leads to a root it trusts, and that the current date falls inside the validity window. If all three pass, the connection is encrypted and the padlock appears. "SSL" is the common name people still use, but the actual protocol has been TLS for years. IPeek performs this same handshake, then reports what the server returned instead of just rendering a padlock.

How to read your certificate results

Start with days remaining: anything under 30 means renew soon, and a negative value means the certificate is already expired and visitors see warnings now. Check the issuer to confirm it is a real CA, not a self-signed placeholder. The Subject Alternative Name (SAN) list shows every hostname the certificate covers, so a certificate for example.com that omits www.example.com will fail on that variant. Finally, confirm the chain is complete; a missing intermediate certificate validates in some clients but breaks in others.

Common certificate problems and how to fix them

The most frequent failure is simple expiry, fixed by renewing and reloading the web server. A name mismatch means the hostname is not in the SAN list, so reissue with the correct names or add a wildcard. "Self-signed" or "untrusted issuer" errors mean the certificate chain does not reach a trusted root, usually because the intermediate certificate was not installed alongside the leaf. After any fix, recheck with IPeek to confirm the live certificate served on the wire matches what you intended, since stale certificates often linger in load balancers and CDNs.

When you need an SSL certificate check

Run a check before launch and whenever you migrate hosting, change CDNs, or rotate certificates, since these are the moments mismatches and missing chains appear. Set a reminder ahead of the expiry date, especially for certificates not on automated renewal. It is also the fastest way to diagnose a visitor reporting a browser security warning: the check tells you immediately whether the problem is expiry, a name mismatch, or a broken chain, so you can act instead of guessing.

Frequently asked questions

What is the difference between SSL and TLS?

They refer to the same job, but TLS is the current protocol. SSL was the original encryption standard; it was superseded by TLS, and every modern "SSL certificate" actually uses TLS. The name SSL stuck because it is familiar, so tools and vendors still say SSL while the connection itself negotiates TLS 1.2 or 1.3.

How do I know when my SSL certificate expires?

Check the certificate's validity window, which has a fixed "not after" date. IPeek reads the live certificate and reports days remaining, so you see at a glance whether it is current. Renew before that date; certificates issued by Let's Encrypt last 90 days, while commercial certificates often run one year.

Why does my browser say the certificate is not trusted?

An untrusted warning usually means the signing chain does not reach a root your browser recognizes. The common causes are a self-signed certificate, a missing intermediate certificate, or an expired certificate. Install the full chain (leaf plus intermediates) on the server, or reissue from a trusted CA, then recheck that the served certificate validates cleanly.

What are SAN names on a certificate?

Subject Alternative Names are the list of hostnames a single certificate is valid for. A certificate is only trusted for names in its SAN list, so example.com and www.example.com must both appear, or one variant will throw a name-mismatch error. Wildcard entries like *.example.com cover all subdomains at one level.

Can I check a certificate without visiting the site?

Yes. IPeek connects directly to the host over TLS, reads the certificate the server presents, and reports the issuer, dates, SAN names and chain without you opening the site in a browser. This is useful for checking a host before launch, behind a redirect, or when you only have the domain and want to verify it serves a valid certificate.

Related tools

Deutsch | English | Español | Français | Italiano | Português | Русский | Українська | 日本語 | 简体中文 | 한국어