One of the key reasons your website could go down as we have discussed earlier is a faulty SSL certificate. The SSL certificate could be expired. This is easy to tell and fix. But the more challenging issue is when there’s something wrong with the “chain” of your SSL certificate.
To understand SSL certificate chain, we have to briefly look at how SSL certificates work. SSL like many things such as government or money relies on trust. And we know that trust is hierarchical. At the top of this trust tree are root Certificate Authorities(CAs). They are mandated to issue out certificates to subsidiary smaller authorities called Intermediate CAs. These are the last mile that do the due diligence of verifying your identity before in-turn signing and issuing you with an SSL certificate. This whole chain of trust is called an SSL certificate chain.
The browsers sit between unsuspecting internet users and your website. They have a list of CAs that they know and trust. When a user visits your website via https scheme, the browser quickly checks and verifies your website’s SSL certificate chain. If The root and intermediary authorities are in browser’s database, the next thing is to check if the SSL certificate is expired. If it’s not, then your SSL certificate is legit. If one of the organizations in the SSL certificate chain is no longer trusted, the browser will show an error about your website.
So how do you check for your SSL certificate chain?
Using the browser
You can check for your SSL certificate chain using your browser. For my case, I used Google Chrome. With Chrome, click the padlock icon on the address bar, click certificate, a window will pop-up. Now chick n the details tab.
The details tab has the SSL certificate chain also known as the certificate hierarchy presented in a drop down sort of style as shown below;
When you click on each hierarchy tree, you will be presented with several details about that particular certificate such as the version, serial number, issuer, validity etc. You are interested in the Issuer which should tell you the certificate authority at that level.
Sitemonki SSL Checker
You can also use our newly developed SSL Chain certificate checker tool sitemonki.com/ssl-checker. This tool will show you if your SSL certificate is expired or not. For those that aren’t expired, you will see the full SSL chain certificate along with details such as common name, SANs, location of the issuer, validity period, signature among other details.
SSLShopper
You can also look at some online tools to view your SSL chain. My favorite is from sslshopper.com. You simply enter your domain name and it will automatically generate SSL cert chain for you. Check it out an example I have done for sitemonki.com. If something is broken within the chain, it’ll display it for you.
Honorary mentions include https://whatsmychaincert.com/, it’s pretty handy. It’ll simply just tell you if the ssl cert chain is correct or not.
Digicert SSL certificate checker
Digicert, one of the biggest SSL certificate vendors online has a helpful tool too you can check out.
SSL Labs
But if you are looking for some in-depth analysis of your SSL certificate chain, then Qualsy SSL Labs can give you more details and even give you an overall rating. I recommend this for website that require tight security. You must aim for the “A” rating. Checkout an example for sitemonki.com here.
Bonus mention is decoder.link by Name cheap. It’s actually a great app for checking and generating SSL certificates.
sslchecker.com is another honorary mention to the list.
So next time your website is having SSL certificate issues, remember you can quickly troubleshoot what’s wrong without being an expert in cryptography. Of course Site Monki has an SSL certificate checker too. More than simply checking, more importantly we notify you once we notice errors on the certificate such as one of authorities nolonger being trusted by the major browser or if it’s expired.
You can sign up today for free to get started.