SSL Certificate Checker

Check a domain's SSL certificate expiry, issuer, chain and TLS version live.

SSL Certificate Checker reads the live TLS/SSL certificate served by a domain and shows its expiry date, issuer, subject (CN), alternative names (SAN), TLS protocol and key sizeat a glance. Because it inspects the certificate the server actually presents, you see exactly what sits behind the browser's padlock.

The most important signals are the days remaining until expiry (D-day) and whether the chain is trusted. A near expiry means it is time to renew; a trust failure (authorized=false) points to a missing intermediate certificate or a hostname mismatch. Just enter a domain — no protocol or path needed.

Domaine.g. example.com (domain only, no protocol or path, port 443)

Expiry and renewal cycles

Publicly trusted certificates typically last from 90 days (Let's Encrypt) to a year. An expired certificate triggers a hard red browser warning that blocks visitors, so watch the renewal state from about 30 days out. This tool shows the days remaining as a large D-day, flagging 30 days or fewer as a warning and an expired certificate as danger.

Chain trust and hostnames

A certificate is never trusted on its own; the one the server sends is verified through a chain that leads up to a trusted root. Common failures include:

The server does not bundle the intermediate certificate, leaving the chain incomplete
The requested domain is not listed in the certificate's CN/SAN, causing a name mismatch
The certificate has expired or is not yet valid

When trust fails, the authorizationError code (for example expired, self-signed, or name mismatch) helps you narrow down the cause.

The role of SAN (alternative names)

Modern browsers only use the certificate's SAN (Subject Alternative Name) list for hostname validation. Even if a domain appears in the CN, it will not be trusted unless it is in the SAN. Wildcards (*.example.com) and multi-domain certificates are common, so confirm that the domain you are checking is actually present in the SAN list. To read the SAN from a certificate file you already have, paste it into the SSL Certificate Decoder, and to confirm which protocols the same host accepts use the TLS Version Check.

Frequently asked questions

Can I check a different port?

This tool connects on the standard HTTPS port 443 to read the certificate. Checking certificates on mail or other service ports will be offered as a separate tool.

authorized is false but it opens fine in my browser.

Browsers can fill in a missing intermediate certificate from cache or via AIA fetching. This tool only validates the chain the server actually sends, so a false value can mean the chain is incomplete. We recommend installing the intermediate certificate on the server.

Can it check internal (intranet) server certificates?

No. Only domains reachable on the public internet are checked. Private IPs and internal-only hosts are blocked for security.

Is the domain I enter stored anywhere?

The check is performed by the server opening a direct TLS connection to the domain, and the result is cached temporarily for just 60 seconds to reduce load. We do not keep separate logs or send data to third parties.

Related tools

SSL Error Message Decoder

Explain browser SSL errors like ERR_CERT_COMMON_NAME_INVALID.

CAA Record Check

Check which CAs are allowed to issue certificates via CAA records.

TLS Version Check

Check which TLS versions (1.0–1.3) a server supports and grade safety.

SSL Certificate Decoder

Paste a PEM certificate to decode subject, issuer, validity and SANs.

CSR Decoder

Paste a CSR to decode its subject and key information.

CIDR Calculator

Calculate IP range, subnet mask and host count from CIDR notation.