
How to Test TLS Configuration Before Renewing a Certificate

Certificate renewal is a good moment to audit your TLS configuration. Your certificate may be current, but your server could still be accepting deprecated TLS 1.0, offering weak cipher suites, or omitting security headers — issues that affect your SSL Labs grade, browser compatibility, and actual security posture.

Here's how to run a complete TLS configuration check before and after renewal.


Quick Checks with OpenSSL

openssl s_client is the go-to tool for TLS debugging. Everything below can be run from any machine with OpenSSL installed.

Check What the Server Currently Serves

# Full connection info — protocol, cipher, certificate chain
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null

# Certificate expiry dates
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null \
  | openssl x509 -noout -dates

# Certificate subject and SANs
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null \
  | openssl x509 -noout -subject -ext subjectAltName

Test Specific TLS Protocol Versions

# Test TLS 1.3 support (preferred)
# "echo |" closes stdin; without it s_client waits for input after the handshake
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -tls1_3 2>&1 | grep "Protocol\|Cipher\|SSL"

# Test TLS 1.2 support (still acceptable)
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -tls1_2 2>&1 | grep "Protocol\|Cipher\|SSL"

# Confirm TLS 1.0 and 1.1 are DISABLED (should fail)
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -tls1 2>&1 | grep "alert\|SSL\|Cipher is"
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -tls1_1 2>&1 | grep "alert\|SSL\|Cipher is"
# Expected: a handshake failure ("alert protocol version", "alert handshake failure"
# or "ssl handshake failure") and the summary line "New, (NONE), Cipher is (NONE)"
# Note: an OpenSSL 3.x client at its default security level refuses TLS 1.0/1.1
# itself and prints "no protocols available"; that is a client-side error and
# says nothing about the server

TLS 1.0 and 1.1 have been deprecated by the IETF (RFC 8996) and are disabled in all major browsers. If your server still accepts them, disable them.

Test Cipher Suite Strength

# See what cipher is being negotiated
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | grep "Cipher is"

# Test a specific cipher (check if weak ciphers are accepted)
# Pin TLS 1.2: -cipher only governs TLS 1.2-and-below suites, so against a
# TLS 1.3 server the handshake would otherwise just complete with a TLS 1.3 suite
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -tls1_2 -cipher 'RC4-MD5' 2>&1 | grep "Cipher\|alert"
# Expected: handshake failure — weak cipher should be rejected
# If your local OpenSSL build lacks the cipher, the command fails before connecting
# ("no cipher match"); that is a client-side error, not a server rejection

For Nginx, a modern secure TLS configuration:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers off;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;

# HSTS (requires HTTPS for 2 years, includes subdomains)
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 8.8.8.8 valid=300s;

The Mozilla SSL Configuration Generator produces up-to-date recommended configurations for Nginx, Apache, HAProxy, and other servers — reference it when updating your configuration.


Check HSTS Header

curl -I https://yourdomain.com | grep -i strict-transport-security

# Expected:
# strict-transport-security: max-age=63072000; includeSubDomains; preload

If HSTS is missing, browsers won't enforce HTTPS for returning visitors. If max-age is low (some configs use max-age=0), HSTS is effectively disabled.


Check Certificate Chain Completeness

# Count certificates in the chain (should be 2 or 3)
# -showcerts is required: without it s_client prints only the leaf certificate,
# and "^Certificate" would only ever match the "Certificate chain" header line
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -showcerts 2>/dev/null \
  | grep -c "BEGIN CERTIFICATE"

# Full chain verification
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | grep "Verify return"
# "Verify return code: 0 (ok)" = chain is complete and valid

A result of 1 certificate means intermediates are missing. See incomplete certificate chain fix for the resolution steps.


SSL Labs Automated Scan

For a comprehensive report without manual command-line work, SSL Labs' server test checks:

  • Protocol support (TLS versions)
  • Certificate chain completeness
  • Cipher suite strength
  • HSTS header
  • OCSP stapling status
  • Key exchange strength
  • Overall grade (A+ to F)

Run this before and after renewal to confirm nothing regressed.


testssl.sh for Private/Internal Servers

For servers not accessible from the public internet, testssl.sh is an open-source command-line tool that runs the same checks locally:

# Install
git clone --depth 1 https://github.com/drwetter/testssl.sh.git
cd testssl.sh

# Run full scan
./testssl.sh yourdomain.com:443

# Or against an internal host
./testssl.sh 192.168.1.10:443

Pre-Renewal Checklist

Before renewing or replacing a certificate:

  • Current certificate expiry date (openssl x509 -noout -dates)
  • All SANs cover the domains you need (openssl x509 -noout -ext subjectAltName)
  • Certificate chain is complete (verify return code 0)
  • TLS 1.0 and 1.1 disabled
  • Weak ciphers rejected
  • HSTS header present with appropriate max-age
  • OCSP stapling enabled (see OCSP stapling explained)
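The protocol-version, chain, HSTS and OCSP stapling checks above, collected into one script that runs the checklist against a host. This is an added example, not code from the original post or the tools it describes: the judge_* functions only read captured command output on stdin, so the pass/fail logic can be exercised offline with constructed transcripts; probe() wires them to the same openssl and curl invocations the post uses. The function names and the one-year HSTS threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. judge_* functions read captured
# command output on stdin and print a verdict; probe() runs the post's openssl
# and curl commands against a live host and feeds the output to the judges.
# Function names and the one-year HSTS threshold are this example's assumptions.

# Transcript of `openssl s_client -tls1_x` -> "accepted" or "rejected".
# A refused version leaves s_client printing "New, (NONE), Cipher is (NONE)".
judge_protocol() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
    echo rejected
  elif printf '%s\n' "$out" | grep -q 'Cipher is '; then
    echo accepted
  else
    echo rejected   # no handshake summary at all: refused, timed out, not TLS
  fi
}

# Transcript of `openssl s_client -showcerts` -> "ok", "incomplete" or "untrusted".
# Fewer than two PEM blocks means the server sent only the leaf certificate.
judge_chain() {
  out=$(cat)
  n=$(printf '%s\n' "$out" | grep -c 'BEGIN CERTIFICATE' || true)
  if [ "$n" -lt 2 ]; then
    echo incomplete
  elif printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
    echo ok
  else
    echo untrusted  # chain was sent but did not verify (expired, wrong intermediate, unknown root)
  fi
}

# Transcript of `openssl s_client -status` -> "on" or "off".
# A stapling server answers "OCSP Response Status: successful"; otherwise
# s_client prints "OCSP response: no response sent".
judge_ocsp() {
  if grep -q 'OCSP Response Status: successful'; then
    echo on
  else
    echo off
  fi
}

# `curl -sI` header dump -> "missing", "disabled" (max-age=0 or absent),
# "short" (under one year, the assumed threshold) or "ok".
judge_hsts() {
  hdr=$(tr 'A-Z' 'a-z' | grep 'strict-transport-security' || true)
  if [ -z "$hdr" ]; then
    echo missing
    return
  fi
  age=$(printf '%s\n' "$hdr" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  if [ -z "$age" ] || [ "$age" -eq 0 ]; then
    echo disabled
  elif [ "$age" -lt 31536000 ]; then
    echo short
  else
    echo ok
  fi
}

# probe HOST: run the live checks (needs network access); one verdict per line.
probe() {
  host=$1
  for v in tls1 tls1_1 tls1_2 tls1_3; do
    r=$(echo | openssl s_client -connect "$host:443" -servername "$host" "-$v" 2>&1 | judge_protocol)
    echo "$v: $r"
  done
  echo "chain: $(echo | openssl s_client -connect "$host:443" -servername "$host" -showcerts 2>&1 | judge_chain)"
  echo "ocsp:  $(echo | openssl s_client -connect "$host:443" -servername "$host" -status 2>&1 | judge_ocsp)"
  echo "hsts:  $(curl -sI "https://$host/" | judge_hsts)"
}

# Usage: probe yourdomain.com
```

Run it before renewal and again after the new certificate is installed; any line whose verdict changes (a version that flips to "accepted", a chain that turns "incomplete", HSTS that goes "missing") is a regression introduced by the renewal rather than a pre-existing problem. Keep the two runs' output side by side for the comparison.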

Continuous SSL Monitoring

Manual TLS checks are a point-in-time snapshot. Configuration drift, certificate renewals, and server changes can all affect your TLS posture after the fact.

Domain Monitor monitors your SSL certificates continuously — tracking expiry dates and certificate validity so issues surface before they become user-facing problems. Create a free account.

