Understanding your SSL results
SSL Checker connects to your domain on port 443, completes a real TLS handshake, and reports back exactly what a browser sees: who the certificate was issued to, who issued it, when it expires, the full certificate chain, the Subject Alternative Names it covers, and which TLS protocol versions your server still accepts. Everything below explains how to read those results and what to do with them. For the deeper background, our guide to how SSL certificates work and the SSL glossary cover the terminology in full, and the how it works page explains the checks step by step.
What the security grade means
Every check ends with a single letter grade so you can tell at a glance whether anything needs attention:
- A+ — the certificate is valid for more than 30 days, the server supports TLS 1.3, and there are no outstanding issues. This is the best result, and the only grade awarded for a genuinely modern configuration.
- A — the certificate is valid and secure, but the server isn't yet offering TLS 1.3.
- B — minor issues: the certificate expires within 30 days, or the server still accepts a deprecated protocol such as TLS 1.0 or 1.1.
- C — the certificate expires in less than 7 days. Renew now.
- F — the certificate has expired, or the server supports neither TLS 1.2 nor TLS 1.3. Visitors are already seeing security warnings.
If a deprecated protocol drops you to a B, TLS 1.2 vs 1.3 explains how to disable the old versions on your server.
Reading the certificate details
Issued to is the common name on the certificate — it should match the domain you checked, or be covered by one of the SANs below. Issuer is the certificate authority that signed it, such as Let's Encrypt, DigiCert, or Google Trust Services. Valid from and Expires bound the period the certificate is trusted, and the days-remaining figure is the one to watch. If the issued-to name doesn't match the hostname, browsers throw a name-mismatch error even when the certificate itself is perfectly valid.
Why the certificate chain matters
Browsers don't trust your certificate directly — they trust it because it's signed by an intermediate certificate, which is in turn signed by a root certificate already in the browser's trust store. If your server is missing intermediate certificates, some clients fail validation even though the certificate itself is fine. A missing intermediate is one of the most confusing misconfigurations because it often works in one browser and fails in another. SSL Checker shows the full chain so you can spot a broken link immediately, and our SSL error reference and guide to fixing common SSL errors walk through the most frequent ones.
DV, OV, and EV certificates
Domain Validated (DV) certificates only confirm that you control the domain — they're free via Let's Encrypt and used by the vast majority of sites. Organisation Validated (OV) certificates additionally verify that your organisation exists. Extended Validation (EV) certificates add a full legal-entity check. For most websites DV is perfectly sufficient; OV and EV mainly matter for banks, large ecommerce, and specific compliance requirements. If you're weighing the options, Let's Encrypt vs paid SSL compares them in detail.
Subject Alternative Names and wildcards
A single certificate can secure multiple hostnames through its Subject Alternative Names (SANs). A wildcard entry like *.example.com covers every subdomain at one level. SSL Checker lists every SAN on the certificate so you can confirm the hostnames you care about are actually covered — a common gotcha is a certificate that secures example.com but not www.example.com. To choose the right type, see wildcard vs SAN vs single-domain certificates.
What happens when a certificate expires
Modern browsers block expired-certificate pages with a full-screen "Your connection is not private" warning that most visitors won't click past. Search engines drop the affected pages quickly, and any integrations that make HTTPS requests to your server start failing. The fix is never to get there: check at least 30 days out and automate renewal. Let's Encrypt certificates last 90 days specifically to encourage automation, and our guide to renewing SSL without downtime covers doing it safely. It's also worth enabling HSTS once HTTPS is solid.
Checking certificates on non-standard ports
Plenty of services run TLS somewhere other than port 443 — 465 for SMTPS, 993 for IMAPS, and so on. If the service you're testing listens elsewhere, include the port in the domain (for example mail.example.com:993) and SSL Checker will connect to the right place.
How often should you check, and is it free?
At a minimum, check 30 days before expiry so you have time to renew. If you manage several domains or the certificate is business-critical, monitor continuously rather than relying on a manual check — an expired certificate effectively takes your site offline. SSL Checker is completely free with no signup and no rate limits, so check as often as you need. The connection only reads your certificate during the handshake; it never intercepts your real users' traffic and never stores results, as our privacy policy explains.