critical Encryption

SSL/TLS Certificate

Your SSL/TLS certificate is the foundation of trust between your website and every visitor. It encrypts data in transit and proves your site is legitimate. A misconfigured, expired, or weak certificate can expose user data and destroy trust instantly.

What SecurityStatus Checks

  • Certificate validity and expiry date (alerts when under 30 days remaining)
  • TLS protocol version — flags TLS 1.0 and 1.1 as insecure, requires TLS 1.2 minimum
  • Cipher suite strength — identifies weak ciphers like RC4, DES, and export-grade ciphers
  • Certificate chain completeness — checks for missing intermediate certificates
  • Subject Alternative Names (SANs) — verifies the cert covers your domain and www variant

Why This Matters

Browsers display scary red warnings on sites with certificate problems, driving away visitors instantly. Search engines penalise sites without valid HTTPS. Weak TLS versions and cipher suites allow attackers to intercept encrypted traffic through downgrade attacks.

How to Fix It

  1. Renew your certificate

    Log into your hosting control panel or certificate provider. Most providers offer auto-renewal — enable it. Let's Encrypt certificates are free and renew automatically every 90 days via Certbot or ACME clients.

  2. Disable TLS 1.0 and 1.1

    In your web server config, set the minimum protocol to TLS 1.2. For nginx: `ssl_protocols TLSv1.2 TLSv1.3;`. For Apache: `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1`.

  3. Use strong cipher suites

    Configure modern cipher suites that support forward secrecy. Use Mozilla's SSL Configuration Generator at ssl-config.mozilla.org to generate an appropriate config for your server.

  4. Install the full certificate chain

    Your SSL certificate must include the full chain (leaf cert + intermediates). Most CAs provide a bundle file. For nginx, concatenate your cert and the CA bundle into a single file.

  5. Test your configuration

    Use SSL Labs (ssllabs.com/ssltest) to run a full analysis. Aim for an A or A+ rating. Fix any flagged issues before considering this resolved.
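For a quick local re-check after these fixes, the sketch below applies the expiry, protocol and SAN rules from the checks listed above. It is an added example, not SecurityStatus's own code: the names `fetch`, `san_covers` and `evaluate` are illustrative, and the sample certificate is constructed.

```python
import socket
import ssl
from datetime import datetime, timezone

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def fetch(host, port=443, timeout=5.0):
    """Handshake with default trust settings; returns (cert dict, protocol name).
    An incomplete chain or hostname mismatch raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version()

def san_covers(pattern, name):
    """Exact match, or a wildcard standing in for exactly one left-most label."""
    pattern, name = pattern.lower(), name.lower()
    if pattern.startswith("*."):
        head, _, rest = name.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == name

def evaluate(cert, protocol, domain, now=None, min_days=30):
    """Return a list of findings; an empty list means every check passed."""
    now = now or datetime.now(timezone.utc)
    findings = []
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    if days_left < 0:
        findings.append("certificate expired")
    elif days_left < min_days:
        findings.append(f"certificate expires in {days_left} days")
    if protocol in WEAK_PROTOCOLS:
        findings.append(f"insecure protocol negotiated: {protocol}")
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    for name in (domain, "www." + domain):
        if not any(san_covers(s, name) for s in sans):
            findings.append(f"no SAN covers {name}")
    return findings

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "notAfter": "Jun 20 12:00:00 2030 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.shop.example.com")),
}
SAMPLE_NOW = datetime(2030, 6, 1, 12, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(evaluate(SAMPLE_CERT, "TLSv1.1", "example.com", now=SAMPLE_NOW))
```

`fetch` reports only the version negotiated with this client, so it does not show whether the server still accepts TLS 1.0 or 1.1 from older clients; the SSL Labs test covers that.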

Frequently Asked Questions

How often do SSL certificates expire?
Standard certificates expire every 90 days (Let's Encrypt) or 1 year (commercial CAs). Browsers cap trust at 398 days. Always enable auto-renewal to avoid unexpected expiry.

What is the difference between TLS and SSL?
SSL is the old protocol — SSL 2.0 and 3.0 are both broken and deprecated. TLS is the modern replacement. TLS 1.2 and 1.3 are the only safe versions in use today. The term 'SSL certificate' is just a legacy name.

Does my site need HTTPS if I don't collect payments?
Yes. Chrome marks all HTTP sites as 'Not Secure'. HTTPS protects all data in transit, not just payment info. It also affects SEO rankings.

What is a wildcard certificate?
A wildcard cert covers your main domain and all first-level subdomains (*.yourdomain.com). Useful if you have many subdomains, but if one server is compromised the certificate exposure is wider.

My certificate is valid but the check still fails — why?
Common causes: missing intermediate cert in the chain, the cert doesn't cover the exact domain name being checked, or a mixed-content issue (HTTP resources loaded on an HTTPS page).
