ToolActToolAct

SSL Certificate Checker

Check SSL/TLS certificate validity, expiration date, and certificate chain details online

Enter a domain name and click "Check" to view SSL certificate info

What is SSL Certificate Checker?

The SSL Certificate Checker inspects whether a website’s TLS certificate is valid, matched to the requested domain, properly chained, and not close to expiration. This matters because HTTPS is more than a browser lock icon: it affects encrypted transport, server identity, user trust, search visibility, payment flows, API integrations, and automated clients. Operations, deployment, security-review, and incident-triage work benefit from the dates, issuer information, subject names, certificate chain details, and protocol signals it exposes. Common findings include forgotten renewals, missing intermediate certificates, uncovered subdomains, certificates installed on the wrong environment, and domains that redirect to a host with different coverage.

How to Use

How to use

  1. Enter the domain name you want to check (e.g. google.com)
  2. The default port is 443. Change it if needed for special configurations
  3. Click the "Check" button or press Enter to start the check
  4. View certificate validity, expiration date, TLS protocol version, and more
  5. Expand the certificate chain to see detailed info for each certificate including issuer, signature algorithm, SANs, etc.

Certificate Tips

  • Check the exact hostname users visit, including subdomains, because a certificate can be valid for one name and mismatched for another.
  • Run checks after DNS, CDN, load balancer, or renewal changes; certificate chains can differ between environments even when the domain is the same.

Use Cases

Checking HTTPS certificate health from the backendEnter a domain and port to run a signed SSL certificate check through the network API. Only the host:port you entered is contacted, and no other endpoints or unrelated hosts are reached during the probe. The result reports handshake success, protocol, cipher suite, overall validity, expiry state, days until expiry, and domain match.
Inspecting the certificate chainWhen the handshake succeeds, expand each certificate to view subject, issuer, serial number, signature algorithm, validity dates, SAN entries, and self-signed or expired badges. This is useful for diagnosing broken intermediate chains, identifying which CA actually issued the leaf, and spotting a wrong certificate deployed by mistake.
Spotting renewal and hostname problems earlyThe status banner highlights invalid certificates, expired certificates, expiring-soon states, and domain mismatches. It is useful before DNS cutovers, CDN migrations, load balancer changes, and routine certificate renewal checks. Compare the expiry countdown against your renewal automation window (Let's Encrypt 90-day, commercial 1-3 year) before the browser warning kicks in.
Cross-checking SAN coverage during subdomain migrationsAfter the handshake, the SAN list shows every hostname the certificate is valid for. Compare it against your subdomain inventory before cutting DNS over to a new host, since a wildcard cert may not cover internal staging hosts or regional subdomains, and a multi-domain SAN may have dropped an entry during reissue. Modern browsers ignore the legacy Subject CN field for hostname matching and rely only on the SAN extension, so a certificate with a correct CN but a missing SAN will still trigger a domain-mismatch error in Chrome, Firefox, and Safari even though older checkers may report it as valid.
Validating intermediate chain after a CA migrationWhen you switch Certificate Authorities or move to a new origin, expand each certificate in the chain to inspect issuer, signature algorithm (e.g., SHA-1 vs SHA-256), and validity dates. An incomplete intermediate bundle is a common cause of handshake failures on Linux but not on macOS, so verify the bundle from the same class of client your users will run. The chain must be ordered leaf -> intermediate(s) -> root, and roots do not need to be sent on the wire because they are bundled in the client trust store; OCSP stapling, when enabled, attaches a fresh revocation status object to the TLS handshake so the client does not need to call the CA's OCSP responder on its own.

Technical Principle

SSL/TLS certificates follow the X.509 standard. Each certificate contains these key fields: Subject (the holder's domain or organization), Issuer (the issuing CA), Validity (Not Before / Not After dates), Subject Public Key Info (public key and algorithm), Signature Algorithm (such as SHA256-RSA or ECDSA-SHA256), and X509v3 extensions (of which the most important is the Subject Alternative Name extension). During the TLS handshake, the server sends its chain in order: leaf certificate -> intermediate certificate(s) -> root certificate (which is built into the browser and does not need to be sent). The client starts at the leaf, verifies at each level that the Issuer matches the parent's Subject, uses the parent's public key to verify the child's signature, checks the validity window, and ultimately traces back to a trusted root. Let's Encrypt issues certificates that are valid for only 90 days, designed to be used with automation such as certbot; commercial certificates usually last 1 to 3 years. SNI (Server Name Indication) allows a single IP to host multiple HTTPS sites: the client first sends the SNI extension during the handshake to tell the server the target hostname, and the server returns the matching certificate. OCSP (Online Certificate Status Protocol) allows real-time queries on whether a certificate has been revoked, avoiding the need to download bulky CRL lists.

  • X.509 certificate fields: Subject (holder), Issuer, Validity, Public Key, Signature Algorithm, and the SAN extension
  • Certificate chain validation: starts at the leaf, checks Issuer -> Subject match level by level, verifies the child's signature with the parent's public key, and ultimately traces back to a trusted root
  • Let's Encrypt certificates default to a 90-day validity, paired with certbot and similar tools for automatic renewal; commercial certificates typically last 1 to 3 years
  • SNI (Server Name Indication) lets a single IP host multiple HTTPS sites; the client declares the target hostname during the handshake and receives the matching certificate
  • OCSP is used for real-time revocation checks, avoiding the download of bulky CRLs; major CAs also deploy OCSP Stapling
  • Expired certificates, weak signature algorithms (SHA-1), and insufficient key length (RSA under 2048 bits) all trigger modern browser security warnings

Examples

Check GitHub's Certificate

github.com — issuer DigiCert TLS Hybrid ECC SHA384, 67 days remaining, protocol TLS 1.3, SAN includes github.com and *.github.com

Check Google's Certificate

google.com — issuer WR2 (Google Trust Services), 84 days remaining, SAN includes *.google.com and google.com

Check Your Own Certificate

blog.example.com — issuer Let's Encrypt R10, 23 days remaining (renew soon), signature algorithm ECDSA-SHA256

FAQ

What does the certificate check show?

The full certificate chain (leaf, intermediates, root), validity dates, the issuing CA, the subject Common Name and Subject Alternative Names, signature algorithm, public key type/size, certificate serial, and whether the chain matches a trusted root. Our backend connects to the host on port 443 and reports the chain it sees.

Can I check certificates on non-443 ports?

Yes - specify host:port (e.g. example.com:8443). Some builds also check IMAP (993), SMTP (465/587), POP3 (995), and other TLS ports. The protocol must use plain TLS or STARTTLS that the page supports.

What does 'expires in N days' mean?

The notAfter date in the certificate. After that date, modern browsers refuse to load the site. Set up auto-renewal at least 30 days before expiry. Let's Encrypt certificates are 90 days - most operators auto-renew at 60 days.

Why does my certificate look valid here but fail in browsers?

Common causes: chain order is wrong (server sends intermediates in wrong order); intermediate is missing (server only sends the leaf); root is not in the browser's trust store (private CA, government CA not bundled); SNI mismatch (server returns the wrong cert for your hostname). The page typically flags each of these.

What's the difference between DV, OV, and EV certificates?

Domain Validation (DV): only the domain control is verified. Organization Validation (OV): the company's existence is verified. Extended Validation (EV): a more thorough business check. Modern browsers show all three the same way (just a padlock); EV no longer triggers a green address bar in most browsers since 2019.

Can I check a self-signed or private-CA certificate?

Yes. The page shows the certificate but flags it as 'untrusted' because the CA isn't in the public root store. Useful for inspecting your own corporate or test certificates.

Is the host's data exposed?

The check connects from our backend to the host on port 443, just like any TLS client. The host logs that connection. Don't run this against hosts that prohibit external scanning.