What the padlock icon actually means
When you see a padlock in the browser address bar, it means the connection between your browser and the server is encrypted using TLS (Transport Layer Security). This prevents eavesdropping — your ISP, router, or anyone on the same Wi-Fi network cannot read the traffic.
What it does not mean: that the site is legitimate, that the organization is who they say they are, or that you are on the right domain. A phishing site can have a perfectly valid SSL certificate — scammers get free certificates from Let's Encrypt just like legitimate sites do.
How to check an SSL certificate in the browser
- Click the padlock icon (or the "Not secure" warning) in the address bar
- Click "Connection is secure" or "Certificate is valid"
- Click "Certificate" or "More information"
- You will see the certificate details panel
In Chrome, click the padlock → "Connection is secure" → "Certificate is valid." In Firefox, click the padlock → "More information" → "View Certificate."
The fields that actually matter
Issued to (Subject): The domain name or organization the certificate was issued for. It must match the domain you are visiting exactly. Wildcards are allowed (*.example.com covers all subdomains).
Issued by (Issuer): The Certificate Authority (CA) that vouched for the certificate. Trusted CAs include DigiCert, Sectigo, Let's Encrypt, GlobalSign. If you see an unknown issuer or "Self-signed," the certificate has not been verified by any trusted authority.
Valid from / Valid to: The certificate's validity period. An expired certificate means the connection is still encrypted but the identity verification has lapsed. Most browsers block access to sites with expired certificates.
Certificate type:
- DV (Domain Validation): only verifies domain ownership — easiest to get, used by most sites including Let's Encrypt
- OV (Organization Validation): verifies the organization exists and owns the domain
- EV (Extended Validation): most thorough verification — organization identity manually checked by the CA. Was shown with a green address bar in older browsers.
Using an SSL checker tool
For a technical check without navigating browser menus, the free SSL checker tool shows the full certificate chain, expiry date, protocol version, cipher suite, and any warnings — useful for checking your own site or a site you are about to integrate with.
It shows:
- Certificate expiry date and days remaining
- Full certificate chain (root CA → intermediate → leaf)
- TLS protocol version (TLS 1.2 vs 1.3 — 1.3 is preferred)
- Whether the certificate covers www and non-www
- Subject Alternative Names (other domains covered)
Common SSL errors and what they mean
| Error | Cause | Risk |
|---|---|---|
| Certificate expired | Owner forgot to renew | Medium — encryption works but identity unverified |
| Name mismatch | Certificate is for a different domain | High — possible redirect to wrong server |
| Self-signed certificate | No CA verification | High on public sites, normal for internal tools |
| Untrusted issuer | CA not in browser trust store | High — avoid |
| Certificate revoked | CA invalidated the certificate | High — the domain's cert was compromised |
Setting a certificate expiry reminder
Let's Encrypt certificates expire every 90 days. Most hosting platforms auto-renew, but a misconfigured renewal job is a common source of outages. Set a calendar reminder 30 days before expiry and check the SSL checker regularly for your own domains.
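The checks listed under "Using an SSL checker tool" and the 30-day reminder above can also be scripted. The following is an added example, not part of the original article or of any checker tool: it reads the issuer, tests whether the hostname and its www / non-www counterpart are covered by the Subject Alternative Names, and flags certificates inside the reminder window. The function names and the sample certificate are assumptions made for illustration, and the wildcard match follows the browser rule that `*` stands for a single leftmost label.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),),
               (("commonName", "Example CA R1"),)),
    "notAfter": "Jun 15 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate; the default context rejects untrusted
    issuers, name mismatches and expired certificates before returning."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version()

def name_matches(pattern, host):
    """Compare one SAN entry with a hostname; '*' covers one leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def summarize(cert, host, now=None, warn_days=30):
    """Report issuer, name coverage and days remaining for one certificate."""
    now = now or datetime.now(timezone.utc)
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    issuer = dict(rdn[0] for rdn in cert["issuer"])
    # The other half of the www / non-www pair for this hostname.
    alt = host[4:] if host.startswith("www.") else "www." + host
    return {
        "issuer": issuer.get("organizationName", issuer.get("commonName")),
        "host_covered": any(name_matches(s, host) for s in sans),
        "www_pair_covered": any(name_matches(s, alt) for s in sans),
        "days_left": days_left,
        "renew_soon": days_left <= warn_days,  # 30-day reminder window
    }

if __name__ == "__main__":
    when = datetime(2025, 5, 26, 12, 0, tzinfo=timezone.utc)  # constructed date
    print(summarize(SAMPLE_CERT, "example.com", now=when))
```

For a live check, pass the first value returned by `fetch_cert("your-domain")` to `summarize`; the second value is the negotiated TLS version string.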
Summary
- The padlock means encrypted — not trusted or legitimate
- Check: Issued to (matches domain?), Issued by (trusted CA?), Valid to (not expired?)
- DV certificates are fine for most sites — they prove domain ownership, not organization identity
- Use the free SSL checker to inspect any domain's full certificate chain