SSL Certificate Checker
Inspect any domain's SSL/TLS certificate. Check validity, expiry, issuer, SANs, and cipher details.
Understanding SSL/TLS Certificates
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic protocols that encrypt and authenticate communication between a client (your browser) and a server. Every SSL version is deprecated and modern connections use TLS, but "SSL certificate" survives as the everyday name. The certificate is a digital document, signed by a Certificate Authority, that binds a public key to one or more domain names (and, for OV and EV certificates, to an organization's identity). The browser uses it to confirm it is talking to the genuine site before the encrypted HTTPS session starts.
What This Tool Checks
When you enter a domain, the server-side checker connects to the target on port 443, performs a TLS handshake, and extracts the certificate details. This gives you the same information your browser sees when establishing a secure connection.
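A minimal version of such a checker, written here in Python with the standard ssl module as an added example (it is not the tool's own code): fetch_peer_cert performs the verified handshake with SNI, and summarize_cert reduces the result to the fields described in the sections that follow. The SAMPLE_CERT dictionary is constructed to mirror ssl.getpeercert() output so the summary can be exercised offline.

```python
import socket
import ssl
import sys
from datetime import datetime, timedelta, timezone

# Current CA/Browser Forum Baseline Requirements cap leaf certificate validity at 398 days.
MAX_LIFETIME_DAYS = 398


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Open a TCP connection, complete a verified TLS handshake with SNI, and
    return (certificate dict, negotiated protocol, negotiated cipher tuple).

    create_default_context() verifies the chain against the system root store and
    checks the hostname, so an expired, mismatched or self-signed certificate
    raises ssl.SSLCertVerificationError here instead of being silently accepted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version(), tls.cipher()


def _rdn_value(name, key):
    """Pull one attribute (e.g. 'commonName') out of the nested subject/issuer tuples."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def _cert_time(value):
    """notBefore/notAfter arrive as text like 'Jan  5 09:34:43 2018 GMT'; treat as UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def summarize_cert(cert, now=None):
    """Reduce a getpeercert() dict to the fields the checker reports.

    `now` is injectable so validity can be evaluated at a fixed instant."""
    now = now or datetime.now(timezone.utc)
    not_before = _cert_time(cert["notBefore"])
    not_after = _cert_time(cert["notAfter"])
    lifetime = not_after - not_before
    return {
        "subject_cn": _rdn_value(cert.get("subject", ()), "commonName"),
        "issuer_cn": _rdn_value(cert.get("issuer", ()), "commonName"),
        "issuer_org": _rdn_value(cert.get("issuer", ()), "organizationName"),
        "sans": [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"],
        "not_before": not_before,
        "not_after": not_after,
        "valid_now": not_before <= now <= not_after,
        "days_remaining": (not_after - now).days,   # negative once expired
        "lifetime_days": lifetime.days,
        "exceeds_max_lifetime": lifetime > timedelta(days=MAX_LIFETIME_DAYS),
    }


# Constructed sample in the shape ssl.getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "R3"),),
    ),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 23:59:59 2024 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    cert, version, cipher = fetch_peer_cert(host)
    print(f"{host}: {version} {cipher[0]}")
    for key, value in summarize_cert(cert).items():
        print(f"  {key}: {value}")
```

Run it as `python checker.py example.com`; the hostname is passed as SNI so shared hosts present the right certificate. Note that getpeercert() only returns the leaf: checking whether intermediates were sent (the incomplete-chain case) needs a different tool such as openssl s_client -showcerts.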
Validity Period
Certificates carry a notBefore and notAfter date (evaluated in UTC). Browsers reject a certificate that is expired or not yet valid, judged by the client's own clock, so a badly skewed clock on either side produces the same error. Under the CA/Browser Forum Baseline Requirements, publicly trusted CAs may currently issue certificates with a maximum lifetime of 398 days (about 13 months); many issue much shorter ones (Let's Encrypt certificates last 90 days), which is why renewal has to be automated rather than remembered.
Issuer
The Certificate Authority (CA) that signed the certificate. The issuer shown is almost always an intermediate CA certificate rather than a root: the server must send that intermediate together with its own certificate, and the browser links it to a root held in its trust store. Trusted CAs include Let's Encrypt, DigiCert, Sectigo, and others. Your browser (or operating system) maintains a root store of trusted CAs, and a certificate that chains to a root outside that store is rejected as untrusted.
Subject & SANs
The Subject Common Name (CN) traditionally identified the primary domain, but modern browsers ignore it and validate the hostname only against the Subject Alternative Names (SANs); a certificate with a CN and no SANs is rejected. SANs list every hostname (and optionally IP address) the certificate covers, including wildcards like *.example.com. A wildcard matches exactly one label: *.example.com covers www.example.com but neither example.com nor a.b.example.com, so the bare domain needs its own SAN entry.
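Hostname matching as browsers perform it, added here as a Python example that is not part of the tool: the wildcard rules above are implemented in dns_name_matches, and cert_covers deliberately ignores the CN. The two certificate dictionaries are constructed to mirror ssl.getpeercert() output.

```python
import ipaddress


def _normalize(name):
    """Case-fold and drop a trailing dot so 'WWW.Example.COM.' equals 'www.example.com'."""
    return name.rstrip(".").lower()


def dns_name_matches(hostname, pattern):
    """RFC 6125 / browser-style comparison of one SAN DNS entry against a hostname.

    A wildcard is honoured only when it is the entire leftmost label, at least two
    further labels follow (so '*.com' never matches anything), and it stands for
    exactly one label: '*.example.com' covers 'www.example.com' but neither
    'example.com' nor 'a.b.example.com'."""
    host_labels = _normalize(hostname).split(".")
    pat_labels = _normalize(pattern).split(".")
    if "*" not in pattern:
        return host_labels == pat_labels
    if pat_labels[0] != "*" or any("*" in label for label in pat_labels[1:]):
        return False  # partial ('f*.example.com') or non-leftmost wildcards are rejected
    if len(pat_labels) < 3:
        return False  # refuse '*.com' and '*'
    return len(host_labels) == len(pat_labels) and host_labels[1:] == pat_labels[1:]


def san_ids(cert):
    """Return (dns_names, ip_addresses) from subjectAltName. The Common Name is
    ignored on purpose: Chrome dropped the CN fallback in 2017 and other browsers
    followed, so a SAN-less certificate fails in practice."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    return dns, ips


def cert_covers(cert, target):
    """True if the certificate's SANs cover `target`, a hostname or an IP literal."""
    dns, ips = san_ids(cert)
    try:
        wanted = ipaddress.ip_address(target)
    except ValueError:
        return any(dns_name_matches(target, name) for name in dns)
    # IP SANs must match exactly; a wildcard DNS entry never covers an IP address.
    return any(ipaddress.ip_address(v) == wanted for v in ips)


# Constructed samples in getpeercert() shape, not real certificates.
CERT_WITH_SANS = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (
        ("DNS", "example.com"),
        ("DNS", "*.example.com"),
        ("IP Address", "203.0.113.10"),
    ),
}
CERT_CN_ONLY = {"subject": ((("commonName", "example.com"),),)}


if __name__ == "__main__":
    for host in ("example.com", "api.example.com", "deep.api.example.com", "203.0.113.10"):
        print(f"{host:24} SANs: {cert_covers(CERT_WITH_SANS, host)}  CN-only: {cert_covers(CERT_CN_ONLY, host)}")
```

The strict whole-label wildcard rule is what current browsers enforce; some older libraries accepted partial wildcards such as f*.example.com, so a certificate relying on them may pass one client and fail another.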
Cipher Suite
The negotiated cipher suite names the algorithms the connection uses. In TLS 1.2 a suite such as ECDHE-RSA-AES128-GCM-SHA256 spells out the key exchange (ECDHE), the authentication (RSA), the bulk cipher (AES-128-GCM) and the hash (SHA-256); in TLS 1.3 the suite names only the AEAD cipher and hash (for example TLS_AES_128_GCM_SHA256), and the key exchange is always an ephemeral (EC)DHE negotiated separately. Modern connections should use TLS 1.2 or 1.3 with an ECDHE key exchange, which provides forward secrecy, and an AEAD cipher such as AES-GCM or ChaCha20-Poly1305.
Common Certificate Issues
- Expired certificate -- The most common issue. Set up monitoring and auto-renewal (e.g., with certbot) to avoid downtime.
- Domain mismatch -- The certificate's CN or SANs don't match the requested domain. Ensure all subdomains are covered.
- Self-signed certificate -- Not signed by a trusted CA. Acceptable for development but not production.
- Incomplete chain -- The server doesn't send intermediate certificates. Browsers may fail to verify the chain of trust.
- Weak protocols and cipher suites -- The protocol version and the cipher suite are negotiated separately, and either can be weak. SSLv2, SSLv3, TLS 1.0 and TLS 1.1 are deprecated and should be disabled; cipher suites using RC4, DES or 3DES, NULL or export-grade algorithms, or MD5, and suites with anonymous (unauthenticated) key exchange, are insecure and should be removed from the server configuration.
Best Practices
- Use TLS 1.2 or TLS 1.3 exclusively. Disable TLS 1.0 and 1.1.
- Enable HSTS (HTTP Strict Transport Security) so browsers refuse to load the site over plain HTTP, which defeats SSL-stripping attacks that downgrade HTTPS to HTTP. HSTS does not influence which TLS version is negotiated, so it complements disabling old protocols rather than replacing it.
- Automate certificate renewal with tools like certbot or your cloud provider's certificate manager.
- Monitor certificate expiry with alerts set at 30, 14, and 7 days before expiration.
- Use OCSP stapling to improve TLS handshake performance and privacy.
- Include all necessary domains and subdomains in SANs rather than relying on wildcard certificates alone.
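A server-side TLS configuration that applies the protocol and cipher-suite points from the Cipher Suite section, the weak-suite entry under Common Certificate Issues, and the best practices above, written here as an added Python example using the standard ssl module (it is not the page's or any project's code). audit_context reports what a checker would observe about the resulting configuration; the suite list and the WEAK_MARKERS substrings are this example's own choices.

```python
import ssl

# TLS 1.2 suites, all ECDHE (forward secrecy) with AEAD bulk ciphers. TLS 1.3
# suites are not selected through this string; OpenSSL enables its AEAD-only
# TLS 1.3 suites by default.
TLS12_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
])

# Substrings in an OpenSSL suite name that a checker should flag. "DES" also
# catches 3DES (DES-CBC3-SHA); "ADH"/"AECDH" mean anonymous key exchange.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")


def hardened_server_context(certfile=None, keyfile=None):
    """Build a server SSLContext that only speaks TLS 1.2/1.3 with AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # refuses SSLv3, TLS 1.0 and TLS 1.1
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.set_ciphers(TLS12_CIPHERS)
    ctx.options |= ssl.OP_NO_COMPRESSION             # TLS-level compression enables CRIME
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE   # use the server's ordering, not the client's
    if certfile:
        # certfile must hold the full chain (leaf followed by intermediates);
        # a leaf on its own is what clients report as an incomplete chain.
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def flag_weak(suite_names):
    """Return the suite names a checker would mark as weak."""
    return [n for n in suite_names if any(m in n.upper() for m in WEAK_MARKERS)]


def audit_context(ctx):
    """Summarize a context the way an external scan would: protocol floor,
    enabled suites, and which of them are weak."""
    enabled = [c["name"] for c in ctx.get_ciphers()]
    return {
        "min_version": ctx.minimum_version,
        "enabled": enabled,
        "weak": flag_weak(enabled),
    }


if __name__ == "__main__":
    report = audit_context(hardened_server_context())
    print("minimum protocol:", report["min_version"].name)
    print("enabled suites:", ", ".join(report["enabled"]))
    print("weak suites:", report["weak"] or "none")
```

The same floor applies to the checker's client side: ssl.create_default_context() already sets a TLS 1.2 minimum, so a scan that fails to connect at all is itself a sign that the server only offers deprecated protocols.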