I spend more time with TLS certficates than I'd like, and thought I'd profile a few resources I've found helpful.
For the lightest touch, to check how your SSL/TLS client handles certificates, go to howsmyssl.com
For the deep-dive, I recommend anything by Ivan Ristić of Qualys. You may well know the excellent SSL Labs but perhaps you're not familiar with Feisty Duck, which is where I learned of the book "Bulletproof TLS and PKI". Certainly the book in softback form is in itself a defence against a number of physical attacks, and has more detail than I've ever needed when I've dipped into it.
If you find yourself needing an offline equivalent of SSL Labs that you could run against internal resources, I'd recommend testssl.sh, which I rediscovered today, having seen a former colleague use a couple of years ago. Yesterday I wrote about bash scripting - testssl.sh has 23,000+ lines of shell script magic. Today it helped me identify a certificate chain ordering issue faster than I'd have identified without it.
Finally, Mozilla's SSL Configuration Generator is so so helpful, particularly when working across multiple web server types, needing different combinations of ciphers and protocols.
I'd also like to profile Nartac Software's IIS Crypto tool which allows you to quickly see which ciphers, hashes, and protocols (both client and server) are enabled on your (Windows) IIS instance.