The checklist for a healthy certificate installation
- Trusted chain: the status badge shows “Valid”, meaning the full chain to a public root was presented
- Correct names: your exact hostname appears in the SAN list (watch out for www vs. apex)
- Sane validity window: not expired, not “not yet valid” (a symptom of wrong server clocks during issuance)
- Expected issuer: the CA you actually ordered from — anything unexpected can indicate a proxy or a forgotten legacy certificate
After installing a new certificate
Always re-check from the outside after an installation or renewal. Web servers commonly keep serving the old certificate until a full reload, load balancers can hold their own copies per listener, and CDNs terminate TLS with a separate certificate entirely. If the checker still reports the old certificate, reload the service and check every entry point separately. If the connection fails outright, first confirm that port 443 is actually open.