How to check your SSL/TLS certificate

By the zmam.ai team · 29 May 2026

Your TLS certificate — still universally called an “SSL certificate,” years after SSL itself was retired — is the most public part of your security posture. It proves your site’s identity and encrypts every visitor’s traffic, and when it goes wrong the browser does not whisper: it throws a full-page warning in front of every person who tries to visit. The good news is that because it is public, you can inspect it in seconds.

In the browser

Load your site over https://, click the padlock or site-info icon, and view the certificate. Three fields tell you most of what you need:

• Validity dates — when it was issued and when it expires.
• Subject and SANs — the exact hostnames it covers, including www and any subdomains.
• Issuer — the certificate authority that signed it.

From the command line

OpenSSL prints the same details and is handy for scripting:

openssl s_client -connect example.com:443 -servername example.com < /dev/null \
  | openssl x509 -noout -dates -subject -issuer

The problems that actually bite

• Expiry. The single most common, most embarrassing outage in tech. Automate renewal so it cannot happen.
• Name mismatch. The certificate does not cover the exact hostname being visited — it covers example.com but the visitor typed www.example.com.
• Incomplete chain. The server omits intermediate certificates, so some clients cannot verify it even though it works in your browser.
• Weak protocols. TLS 1.0 and 1.1 are deprecated and should be disabled in favour of 1.2 and 1.3.
• A self-signed certificate in production. Trusted by nobody.

Why “is it expired?” is no longer enough

The certificate world is moving fast in one direction: shorter lifetimes. In April 2025 the CA/Browser Forum approved a schedule that ratchets the maximum certificate validity down from the long-standing ~398 days to 200 days in 2026, 100 days in 2027, and just 47 days by 2029. Manual renewal is becoming impossible by design; automation (via the ACME protocol) is becoming mandatory in practice.

Trust itself can also shift underneath you. In 2025, Google’s Chrome moved to distrust certificates newly issued by certain authorities after a compliance history it judged inadequate — meaning a perfectly valid certificate can become a browser warning because of decisions made about its issuer. Checking only “is it expired?” misses both of these.

How zmam.ai helps

zmam.ai inspects the certificate your server presents and flags expiry, name mismatches, weak protocol support, and chain problems. It reads only what your server already offers publicly in the TLS handshake.

Related

• HTTP security headers, explained
• DNS records that affect your security