Security
SSL Certificate Checker
The SSL Certificate Checker retrieves and analyzes the TLS/SSL certificate for any domain. It displays the certificate's validity period, issuer, subject, Subject Alternative Names (SANs), certificate chain, and signature algorithm. Use it to verify certificate installation, check expiry dates before they cause downtime, and inspect certificate details without needing OpenSSL on the command line.
What is an SSL/TLS certificate?
An SSL/TLS certificate is a digital document that binds a public key to the identity of a server (domain name, organization) and is signed by a trusted Certificate Authority (CA). When a browser connects to a website over HTTPS, the server presents its certificate and the browser verifies the CA signature and checks that the certificate's domain name matches the connected hostname. This establishes an encrypted and authenticated connection. Certificates have a validity period (typically 1 year for DV certificates) and must be renewed before they expire to avoid browser warnings. Let's Encrypt certificates are valid for 90 days and are designed for automated renewal via ACME.
How does the checker work?
The tool makes an HTTPS connection to the specified hostname on port 443 (or a custom port) using a server-side proxy that performs the TLS handshake and captures the certificate chain presented by the server. The certificate data (DER-encoded X.509) is parsed to extract fields including: Subject (CN, O, C), Issuer (CA name), Serial number, Validity dates (notBefore, notAfter), Subject Alternative Names (SANs), Key algorithm and size, Signature algorithm, Certificate chain depth, and OCSP/CRL revocation endpoints. The tool calculates days remaining until expiry and warns if the certificate expires within 30 days.
Typical Use Cases
- Verifying that an SSL certificate was installed correctly after deployment
- Monitoring certificate expiry dates to prevent unexpected HTTPS failures
- Checking that all required Subject Alternative Names (SANs) are present in a certificate
- Inspecting the certificate chain to diagnose missing intermediate certificates
Step-by-step Guide
- Step 1: Enter the domain name (e.g. example.com) in the input field.
- Step 2: Optionally specify a custom port (default is 443).
- Step 3: Click 'Check' and the tool retrieves and displays the full certificate details.
- Step 4: Review expiry date, issuer, SANs, and chain status in the results.
Example
Input
example.com
Output
Valid until: 2025-06-15 | Issuer: Let's Encrypt | SANs: example.com, www.example.com | Chain: OK
Tips & Notes
- Set up monitoring alerts when a certificate has fewer than 30 days remaining – automated renewal with Let's Encrypt/ACME should trigger well before that.
- Check that all variants of your domain (with and without www, subdomains) are listed in the Subject Alternative Names (SANs).
- A 'chain incomplete' warning means the server is not sending intermediate certificates; configure your web server to include the full chain.
Frequently Asked Questions
What is the difference between DV, OV, and EV certificates?
DV (Domain Validated) certificates verify only domain ownership and are issued automatically (e.g. Let's Encrypt). OV (Organization Validated) includes verified organization name. EV (Extended Validation) has the highest scrutiny, including legal entity verification. Browsers no longer show a green address bar for EV certs, reducing their visual distinction.
Why does the checker show a chain error?
A chain error means one or more intermediate certificates in the chain from the server cert to the root CA are missing or untrusted. The web server must be configured to send the full certificate chain (leaf + all intermediates) for browsers and tools to validate it.
Can I check certificates on non-standard ports?
Yes. Specify the hostname:port format (e.g. example.com:8443) to check certificates on ports other than the default 443.
SSL Certificate Checker
Analyze SSL/TLS certificates: validity period, issuer, encryption details, and more.
Open Tool