SSL/TLS Certificates Explained: How to Check and Read One

An SSL/TLS certificate is a signed digital file that proves a website is who it claims to be and lets your browser encrypt the connection to it. When you see the padlock in the address bar, a certificate is doing two jobs at once: it binds a domain name to a public key, and it carries a trusted certificate authority's signature vouching that the binding is genuine. The certificate format itself is defined by RFC 5280.

The "SSL" in the name is historical. The encryption is actually handled by TLS, the modern protocol that replaced SSL years ago, which we cover in SSL vs TLS. This guide explains what a certificate contains and how to inspect one; the linked guides go deep on each task.

You can inspect any site's live certificate in seconds with our SSL checker, which reports validity, issuer, expiry, and protocol in one view.

What a certificate actually proves

A certificate answers two questions a browser needs to trust before sending data:

  1. Identity. Is this really example.com, or an impostor? The certificate lists the domains it is valid for, and the browser checks the one in the address bar against that list.
  2. Trust. Who says so? The certificate is signed by a certificate authority (CA). Browsers ship with a list of trusted root CAs, and the certificate must trace back to one of them through its certificate chain.

A certificate does not prove the site is safe or honest. It proves the connection is encrypted and the domain is the one named. A phishing site can hold a perfectly valid certificate.

The fields in a certificate

Field                             What it means
Subject / Common Name             The primary domain the certificate is issued to
Subject Alternative Names (SAN)   All hostnames the certificate covers
Issuer                            The certificate authority that signed it
Valid from / Valid to             The certificate's validity window
Serial number                     Unique ID assigned by the CA
Signature algorithm               How the certificate is signed (for example SHA-256 with RSA)
Public key                        The site's public key, used to set up encryption

The names a certificate covers live in the Subject Alternative Names field, which is why a single certificate can secure both example.com and www.example.com, or an entire subdomain space with a wildcard. We compare the options in wildcard vs SAN certificates.

Checking and reading a certificate

You do not need OpenSSL to audit a site. Our SSL checker pulls the live certificate and shows the issuer, the validity dates, the days remaining, and the negotiated protocol. For a step-by-step walkthrough including browser and command-line methods, see how to check a website's SSL certificate.

Two things trip people up most often:

  • Expiration. Certificates are short-lived by design and must be renewed. A lapsed certificate breaks the site for every visitor. See SSL certificate expiration.
  • Errors. Name mismatches, incomplete chains, untrusted issuers, and self-signed certificates all produce browser warnings. See common SSL errors and self-signed certificates.

How certificates relate to DNS

Certificates and DNS work together. A CAA record in your DNS controls which certificate authorities are allowed to issue a certificate for your domain, which adds a useful security layer.

Once you can read a certificate, HTTPS stops being a black box. You can tell who issued it, what it covers, when it expires, and whether a warning is a real problem or a misconfiguration. Run a check on any site with our SSL checker, or have an agent fetch it through the ssl_certificate tool in our MCP server.

Frequently asked questions

What is an SSL certificate?

An SSL/TLS certificate is a digital file that binds a domain name to the public key of a cryptographic key pair and is signed by a trusted certificate authority. It lets a browser confirm it is talking to the real site and encrypt the connection. Despite the name, modern certificates are used with the TLS protocol, not the old SSL protocol.

How do I know if a site's certificate is valid?

A valid certificate is issued by a trusted certificate authority, covers the exact hostname you are visiting, is within its validity dates, and chains to a trusted root. Browsers check this automatically and show a warning if any check fails. You can inspect the details yourself with a certificate checker.

What is the difference between SSL and TLS?

TLS is the modern, secure successor to SSL. The SSL protocol versions are all deprecated and insecure. The word SSL has stuck around as a label for certificates and HTTPS, but the actual encryption is done by TLS.