SSL Certificate Checker

Inspect the SSL/TLS certificate for any domain — validity, expiry, issuer, Subject Alternative Names, and protocol details.

What Does This Tool Check?

This tool connects to the target domain over HTTPS and retrieves the full SSL/TLS certificate details. It shows you who issued the certificate, when it expires, what domains it covers, and whether the TLS configuration is using modern protocols.

Certificate Validity

An SSL certificate is "valid" when it is signed by a trusted Certificate Authority (CA), the current date falls within the certificate's validity window (validFrom to validTo), and the domain name matches the certificate's Common Name (CN) or one of its Subject Alternative Names (SANs).

Subject Alternative Names (SANs)

Modern certificates use SANs to list every domain or subdomain the certificate covers. A wildcard SAN like *.example.com covers all direct subdomains. The legacy CN field is now largely superseded by SANs, and browsers may reject certificates that only use CN without SANs.

TLS Protocol Versions

  • TLS 1.3 — Current best practice. Faster handshakes, stronger security, and no vulnerable cipher options.
  • TLS 1.2 — Still widely used and considered secure when configured with strong cipher suites.
  • TLS 1.1 / 1.0 — Deprecated. Browsers no longer support these and they should be disabled on servers.
  • SSLv3 / SSLv2 — Obsolete and critically vulnerable. No modern server should be running these.

Certificate Expiry

Certificates typically have a 90-day validity period (especially from free CAs like Let's Encrypt) or up to 398 days for paid certificates. Expired certificates cause browser warnings and break HTTPS for visitors. Most monitoring systems alert when fewer than 30 days remain — this tool highlights that threshold with an orange warning.

Common Issues Found

  • Expired certificate — The validTo date has passed. Visitors will see a browser security warning.
  • Domain mismatch — The certificate CN/SANs don't match the requested domain.
  • Self-signed certificate — Not issued by a trusted CA; browsers will warn users.
  • Weak key size — RSA keys below 2048 bits are considered insecure.
  • Outdated protocol — Using TLS 1.0/1.1 exposes users to known attacks like BEAST and POODLE.