Inspecting SSL Certificates: What to Look For and Why
Learn how to check SSL certificate details using browsers, OpenSSL, and online tools. Verify expiry, chain, SAN, and cipher health in minutes.
An SSL/TLS certificate is more than a padlock icon. It carries identity, trust chain, expiry, and cryptographic details that directly affect whether browsers, APIs, and crawlers treat your site as legitimate. Knowing how to read those details — and where to look — is a core skill for anyone running a production website.
This walkthrough covers the practical ways to inspect a certificate, what each field actually means, and the common red flags that should prompt action.
What "certificate details" actually means
When people say they want to check SSL certificate details, they usually mean one or more of these:
- Subject and SAN — which hostnames the certificate is valid for
- Issuer — the Certificate Authority (CA) that signed it
- Validity period — Not Before / Not After dates
- Chain of trust — intermediate and root certificates served
- Signature algorithm and key size — e.g. SHA-256 with RSA 2048 or ECDSA P-256
- Serial number and fingerprint — unique identifiers
- Negotiated protocols and ciphers — TLS 1.2, TLS 1.3, AEAD suites
- Revocation status — OCSP or CRL
Each of these can be checked in seconds, but the method depends on whether you want a quick visual sanity check or a deep cryptographic audit.
Method 1: Use your browser for a quick look
Every modern browser exposes certificate details through the padlock icon. This is the fastest way to verify a public-facing site.
Chrome and Edge
- Visit the HTTPS URL you want to inspect
- Click the padlock (or the tune icon in newer Chrome builds)
- Select Connection is secure → Certificate is valid
- Use the Details tab to view Subject, Issuer, Validity, SAN, and the full chain
Firefox
- Click the padlock → Connection secure → More information
- Click View Certificate — Firefox opens about:certificate with a clean, tabbed view of every cert in the chain
Browser views are excellent for confirming the obvious: is the hostname correct, who issued it, when does it expire, and is the chain complete from the browser's point of view?
Method 2: Inspect with OpenSSL from the command line
For server-side debugging, expired intermediates, or non-HTTP services (SMTP, IMAP, custom ports), OpenSSL is the tool of choice.
Pull the full certificate chain
openssl s_client -connect example.com:443 -servername example.com -showcerts
The -servername flag sends SNI, which is essential — most servers host many certificates behind one IP. Without it you may get the wrong one.
Decode a specific certificate
Save the PEM block to cert.pem and run:
openssl x509 -in cert.pem -noout -text
For just the fields you care about:
openssl x509 -in cert.pem -noout -subject -issuer -dates
openssl x509 -in cert.pem -noout -ext subjectAltName
openssl x509 -in cert.pem -noout -fingerprint -sha256
Check expiry programmatically
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -enddate
Pipe this into a cron job or monitoring script and you have free expiry alerting.
Method 3: Use an online SSL checker
Command-line tools are precise but slow when you need a holistic view: chain order, missing intermediates, weak ciphers, protocol support, and hostname mismatches all in one report. A hosted checker pulls everything in one request.
The AXOX Hub SSL Checker returns the full certificate chain, SAN list, issuer details, signature algorithm, validity window, and supported TLS versions for any public hostname. It's particularly useful for:
- Verifying a freshly issued certificate before flipping DNS
- Confirming a load balancer is serving the correct intermediate
- Comparing what staging vs production presents to clients
- Spot-checking third-party endpoints your app depends on
Red flags worth catching early
Missing intermediate certificates
A certificate can look valid in Chrome (which caches intermediates) but break in curl, Java clients, or older Android devices. Always confirm the server itself sends the full chain, not just the leaf.
Hostname / SAN mismatch
The Common Name field is effectively ignored by modern browsers. What matters is the Subject Alternative Name list. If your site is reachable on both example.com and www.example.com, both must appear in SAN.
Weak signature or key
SHA-1 signed certificates are rejected by all major browsers. RSA keys below 2048 bits are deprecated. If you see either, reissue immediately.
Soon-to-expire certs
Let's Encrypt certificates last 90 days; commercial ones typically 397 days maximum. Anything under 14 days remaining without automated renewal is an incident waiting to happen.
Wrong certificate served on SNI
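Multi-tenant servers sometimes default to a fallback cert when SNI fails. Test with and without -servername to see what non-SNI clients receive. OpenSSL 1.1.1 and later send SNI by default, so on those versions pass -noservername to simulate a non-SNI client.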
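The expiry check from "Check expiry programmatically" and the SAN and 14-day red flags above, as an added example that is not part of the original article. It uses Python's standard ssl module instead of the OpenSSL CLI; the function names, the sample certificate and the sample clock are constructed for illustration.

```python
import socket
import ssl

WARN_DAYS = 14  # alert threshold taken from the article

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "notAfter": "Jun 10 12:00:00 2030 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun  1 12:00:00 2030 GMT")  # constructed clock

def fetch_cert(host, port=443, timeout=5):
    """Handshake with SNI and full verification; return the leaf as a dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def days_remaining(cert, now):
    """Whole days between `now` (epoch seconds) and the Not After date."""
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)

def san_covers(san_names, hostname):
    """Exact match, or a wildcard covering exactly one left-most label."""
    host = hostname.lower().rstrip(".")
    for name in (n.lower() for n in san_names):
        if name == host:
            return True
        if name.startswith("*.") and host.partition(".")[2] == name[2:]:
            return True
    return False

def audit(cert, hostnames, now):
    """Return a list of findings; an empty list means no red flags."""
    findings = []
    left = days_remaining(cert, now)
    if left < 0:
        findings.append("expired")
    elif left < WARN_DAYS:
        findings.append(f"expires in {left} days")
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for host in hostnames:
        if not san_covers(sans, host):
            findings.append(f"{host} not covered by SAN")
    return findings

if __name__ == "__main__":
    # Offline run on the constructed sample; for a live check pass
    # fetch_cert("example.com") and time.time() instead.
    print(audit(SAMPLE_CERT, ["example.com", "www.example.com", "a.b.example.com"], SAMPLE_NOW))
```

In a live run, fetch_cert raising ssl.SSLCertVerificationError is itself a finding: the chain, hostname or validity period already fails verification for a client using the system trust store.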
Verifying revocation and transparency
Two checks often skipped in casual audits:
- OCSP stapling — confirm your server staples a fresh OCSP response with openssl s_client -status. Stapling avoids a client-side roundtrip to the CA and improves both performance and privacy.
- Certificate Transparency — every publicly trusted certificate is logged. Search crt.sh for your domain to spot certificates issued without your knowledge, which can indicate compromised DNS or a rogue CA.
A repeatable audit workflow
For any production HTTPS endpoint, run through this checklist:
- Open the site in Chrome and Firefox — confirm no warnings
- Run an online SSL checker to get the full chain and protocol matrix in one view
- Use openssl s_client with SNI to confirm the server-side chain matches
- Verify SAN covers every hostname you actually serve
- Check Not After date and confirm renewal automation is in place
- Confirm TLS 1.2 and TLS 1.3 are enabled; TLS 1.0/1.1 are disabled
- Search crt.sh for unexpected issuances against your domain
Run it monthly, or wire the OpenSSL expiry check into your monitoring so renewals never surprise you.
If you want the entire chain, SAN list, expiry, and TLS protocol report in one click, point your hostname at the free SSL Checker on AXOX Hub and you'll have the full picture in seconds.