After installing an SSL certificate, you need to verify it’s working correctly — right certificate, complete chain, modern TLS, no errors. Here are the best tools for each check.
Online tools
SSL Labs Server Test (most comprehensive)
URL: ssllabs.com/ssltest
The industry standard for SSL testing. Enter your domain and get a detailed report graded A+ to F.
What it checks:
- Certificate validity and chain completeness
- Protocol support (TLS 1.0/1.1/1.2/1.3)
- Cipher suite strength and order
- Known vulnerabilities (POODLE, Heartbleed, DROWN, ROBOT)
- HSTS configuration
- OCSP stapling
- DNS CAA records
- Certificate Transparency
Target: Grade A+ (requires TLS 1.2+, AEAD ciphers, HSTS with long max-age)
When to use: After initial setup, after config changes, and periodically (monthly).
SSL Shopper SSL Checker
URL: sslshopper.com/ssl-checker
Quick check focused on certificate validity and chain.
What it checks:
- Certificate installed correctly
- Chain is complete (intermediate present)
- Certificate matches the domain
- Expiry date
When to use: Quick “is it working?” check — faster than SSL Labs.
crt.sh (Certificate Transparency search)
URL: crt.sh
Searches Certificate Transparency logs for all certificates ever issued for a domain.
When to use: Monitor for unauthorized certificates, verify your certificate was logged, check issuance history.
Why No Padlock
URL: whynopadlock.com
Scans a specific page for mixed content — HTTP resources on an HTTPS page.
When to use: When the padlock shows a warning or is missing despite having a valid certificate.
Command-line tools
Quick checks with OpenSSL
```bash
# Check if HTTPS works at all
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | grep "Verify return code"
# 0 (ok) = the chain validated against the local trust store.
# s_client does not check the hostname unless you add -verify_hostname yourdomain.com

# Show certificate expiry
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -enddate

# Show full certificate details
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -text

# Check TLS version negotiated
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | grep "Protocol"

# Test specific TLS version (the handshake fails if the server does not support it)
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -tls1_3 2>/dev/null | grep "Protocol"
```
curl for quick HTTPS test
```bash
# Basic HTTPS check
curl -I https://yourdomain.com

# Show certificate info
curl -vI https://yourdomain.com 2>&1 | grep -E 'subject:|issuer:|expire'

# Check redirect from HTTP
curl -ILs http://yourdomain.com | grep -E '^HTTP|^Location'
```
nmap for cipher enumeration
```bash
nmap --script ssl-enum-ciphers -p 443 yourdomain.com
```
Shows all cipher suites the server supports, grouped by TLS version.
What to check and when
| When | What to check | Tool |
|---|---|---|
| After installing a cert | Chain complete, domain matches | SSL Shopper (quick) |
| After config changes | Full audit (grade, ciphers, vulns) | SSL Labs (thorough) |
| Monthly | Expiry approaching | Monitoring script |
| After migration | Mixed content | Why No Padlock |
| Ongoing | Unauthorized certificates | crt.sh / CT monitoring |
| Debugging errors | Connection details | OpenSSL s_client |
Interpreting SSL Labs grades
| Grade | Meaning | Common issues |
|---|---|---|
| A+ | Excellent | Has HSTS with long max-age |
| A | Good | Missing HSTS or short max-age |
| B | OK but improvements needed | Old cipher suites, TLS 1.0/1.1 enabled |
| C | Weak configuration | Vulnerable ciphers, no forward secrecy |
| F | Serious problems | Known vulnerability, expired cert |
| T | Certificate not trusted | Self-signed, wrong domain, incomplete chain |
Frequently asked questions
How often should I test?
After any SSL-related change, and at least monthly as part of monitoring. SSL Labs results are cached for a few hours — add &clearCache=on to force a fresh scan.
Is SSL Labs safe to use? Does it expose my site?
Yes, it’s safe. SSL Labs connects to your server the same way any browser would. It doesn’t modify anything or expose vulnerabilities. The results are public by default — check “Do not show the results on the boards” if you prefer privacy.
My site gets A on SSL Labs but still shows “Not Secure”
The SSL Labs grade covers the server’s TLS configuration. “Not Secure” in the browser can also come from: mixed content (check with Why No Padlock), missing redirect from HTTP, or accessing via HTTP directly. These are page-level issues, not server-level.
Can I automate SSL testing?
SSL Labs has a free API: api.ssllabs.com/api/v3/analyze?host=yourdomain.com. You can integrate it into CI/CD or monitoring pipelines. For simpler checks, use the OpenSSL commands in a cron script.
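One way to build the "Monitoring script" from the table above and the cron check mentioned in this answer, as an added example that is not part of the original page. It uses only Python's standard library instead of the OpenSSL CLI; the 30-day threshold and the function names are assumptions.

```python
"""Added example: cron-friendly certificate and TLS check (stdlib only)."""
import socket
import ssl
import sys
import time

WARN_DAYS = 30  # assumption: alert threshold in days, adjust to your renewal cycle
OLD_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def evaluate(not_after, tls_version, now=None):
    """Return a list of findings for one endpoint; an empty list means healthy.

    not_after uses the format of getpeercert()["notAfter"], the same text
    `openssl x509 -noout -enddate` prints after "notAfter=".
    """
    now = time.time() if now is None else now
    days = int((ssl.cert_time_to_seconds(not_after) - now) // 86400)
    findings = []
    if days < 0:
        findings.append(f"certificate expired {-days} day(s) ago")
    elif days < WARN_DAYS:
        findings.append(f"certificate expires in {days} day(s)")
    if tls_version in OLD_TLS:
        findings.append(f"negotiated deprecated protocol {tls_version}")
    return findings


def check_host(host, port=443, timeout=10):
    """Connect like a browser: verify chain and hostname, then evaluate."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return evaluate(tls.getpeercert()["notAfter"], tls.version())
    except ssl.SSLCertVerificationError as exc:
        # Same class of failure as a non-zero "Verify return code" in s_client.
        return [f"verification failed: {exc.verify_message}"]
    except OSError as exc:
        # Includes handshake failures, e.g. a server offering only old TLS.
        return [f"connection failed: {exc}"]


if __name__ == "__main__":
    failed = False
    for host in sys.argv[1:]:
        for finding in check_host(host):
            failed = True
            print(f"{host}: {finding}")
    sys.exit(1 if failed else 0)
```

Run it from cron with the hostnames as arguments; a non-zero exit status means at least one host needs attention.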