NetCheck Tools

SSL Certificate Checker

Verify a certificate installation end to end: trust chain, covered hostnames, issuer and validity — exactly as an external client sees it.

The checklist for a healthy certificate installation

  1. Trusted chain: the status badge shows “Valid”, meaning the full chain to a public root was presented
  2. Correct names: your exact hostname appears in the SAN list (watch out for www vs. apex)
  3. Sane validity window: not expired, not “not yet valid” (a symptom of wrong server clocks during issuance)
  4. Expected issuer: the CA you actually ordered from — anything unexpected can indicate a proxy or a forgotten legacy certificate

After installing a new certificate

Always re-check from the outside after an installation or renewal. Web servers commonly keep serving the old certificate until a full reload, load balancers can hold their own copies per listener, and CDNs terminate TLS with a separate certificate entirely. If the checker still reports the old certificate, reload the service and check every entry point separately. If the connection fails outright, first confirm that port 443 is actually open.

Frequently asked questions

How do I verify my SSL certificate is installed correctly?

Enter your domain above. A correct installation shows status “Valid”, your hostname in the SAN list, a known certificate authority as issuer and a future expiration date. Any other status comes with the specific problem detected during the handshake.

What is an incomplete certificate chain?

Servers must send their own certificate plus the intermediate certificates linking it to a trusted root. If intermediates are missing, some browsers may still connect (they cache intermediates) while API clients, older devices and this checker will flag the chain as untrusted — a very common misconfiguration.

My certificate is valid but browsers still warn. Why?

Typical causes: the page loads mixed content (HTTP resources on an HTTPS page), a redirect lands on a hostname the certificate does not cover, or an old certificate is served on a different IP/port. Test the exact hostname your users visit, including the www variant.

Do wildcard certificates cover every subdomain?

A wildcard like *.example.com covers one level only: shop.example.com yes, but not example.com itself (unless listed separately in the SAN) and not a.b.example.com.

Related tools