When you run a check, our server opens a real TLS connection to the host on port 443 — exactly like a browser does — and reads the certificate the server actually presents during the handshake. That's an important detail: we report what is really being served right now, not what a certificate authority issued or what your renewal automation believes it deployed.
Every X.509 certificate carries a validity window (notBefore and notAfter). Once the notAfter timestamp passes, every modern browser and HTTP client rejects the connection outright — there is no graceful degradation. Since public certificate lifetimes are now capped around 13 months and moving toward 90 days, renewals happen often, and every renewal is an opportunity for something to fail silently.
The thumbprint shown is a unique fingerprint of the certificate. It changes on every renewal, which makes it the definitive proof that a new certificate was actually deployed to the server — not just issued. If you renewed but the thumbprint didn't change, the old certificate is still being served.