SSL Certificate Checker

Check the SSL/TLS certificate of any website instantly — expiry date, issuer, domain coverage and full trust status. Free, no sign-up needed.

Port defaults to 443. Change for mail (465, 587) or custom HTTPS ports.

Understanding SSL Certificates

What an SSL certificate actually does for your site

An SSL/TLS certificate serves two distinct functions simultaneously. First, it enables the encrypted tunnel between a visitor's browser and your server using TLS, so passwords, payment data, and session tokens cannot be read in transit even on an untrusted network. Second, it authenticates your server — the browser verifies the certificate against a built-in list of trusted Certificate Authorities (CAs), confirming it is genuinely communicating with your server and not an impersonator performing a man-in-the-middle attack.

Both functions can fail independently. A certificate can be technically issued and working (encryption is active) yet still trigger browser security warnings if the CA is not trusted, the hostname is not in the Subject Alternative Name list, or the validity period has elapsed. This checker tests all four failure modes together. For a complete domain security picture, pair this tool with our HTTP Headers checker to confirm HSTS is active, and our DNS Lookup to verify the domain is resolving to the correct server IP.

Let's Encrypt versus paid SSL certificates: which should you use?

For the vast majority of websites, Let's Encrypt is the right choice. It is free, fully automated via ACME clients like Certbot or hosting panel integrations, trusted by every major browser and operating system, and issues certificates with a 90-day validity period that auto-renews. The short lifespan is intentional: it limits the exposure window if a private key is ever compromised without needing a manual revocation process.

Paid certificates from commercial CAs offer Organisation Validated (OV) and Extended Validation (EV) tiers, which include verified company identity in the certificate's subject field. While browsers removed the green padlock for EV certificates years ago, OV and EV remain relevant in regulated industries — finance, healthcare, and government — where compliance frameworks require verified organisational identity in the certificate. After installing any certificate, confirm it is serving correctly here, then verify DNS is pointing to the correct server with our DNS Lookup.

How to diagnose and fix the most common SSL errors

Certificate expired: Renew immediately. For Let's Encrypt, check why auto-renewal failed: the most common causes are a changed server IP, a firewall blocking port 80 for the ACME HTTP challenge, a missing CNAME, or a DNS change that broke domain validation. After renewing, verify the new certificate is live using this tool.

Domain mismatch: The hostname you are checking is not in the certificate's Subject Alternative Name list. Reissue the certificate including all hostnames pointing to your server. Before reissuing, use our DNS Lookup to retrieve every A and CNAME record so you do not miss any subdomains. Confirm the domain registration has not lapsed with our WHOIS Lookup.

Not trusted / untrusted CA: The certificate is self-signed or issued by a private CA not in browser trust stores. Replace it with a publicly trusted CA certificate, or for internal-only services, deploy your root CA certificate to all client devices.

Connection refused: Port 443 may be closed on the server or firewall, or HTTPS may not be configured at all. Use our Port Checker to test whether port 443 is open, and our Ping Test to confirm basic host reachability before investigating further.
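The four errors above can be told apart from a script by performing one fully verified handshake and reading the OpenSSL verify code on failure. This is an added example, not this site's code; the function names and status strings are assumptions, and it validates against the system trust store rather than a browser's.

```python
import socket
import ssl
import time

# OpenSSL X509 verify codes, exposed as SSLCertVerificationError.verify_code
EXPIRED = {10}                 # X509_V_ERR_CERT_HAS_EXPIRED
MISMATCH = {62}                # X509_V_ERR_HOSTNAME_MISMATCH
UNTRUSTED = {18, 19, 20, 21}   # self-signed leaf / in chain / unknown issuer / leaf unverifiable


def classify(exc):
    """Map a connection or handshake exception to the error names used above."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        code = getattr(exc, "verify_code", None)
        if code in EXPIRED:
            return "expired"
        if code in MISMATCH:
            return "domain mismatch"
        if code in UNTRUSTED:
            return "untrusted CA"
        return "other verification failure (code %s)" % code
    if isinstance(exc, ConnectionRefusedError):
        return "connection refused"
    if isinstance(exc, (socket.timeout, socket.gaierror)):
        return "unreachable"
    return "other: %s" % type(exc).__name__


def days_left(not_after, now=None):
    """Whole days until a getpeercert() 'notAfter' string; negative once expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def probe(host, port=443, timeout=5.0):
    """Handshake with full verification; return (status, days_remaining_or_None)."""
    ctx = ssl.create_default_context()   # system trust store, hostname checking on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                remaining = days_left(tls.getpeercert()["notAfter"])
    except (OSError, ValueError) as exc:
        return classify(exc), None
    # 30 days is the renewal warning threshold this page uses
    return ("expiring soon" if remaining <= 30 else "ok"), remaining
```

`probe()` speaks TLS from the first byte, so it suits implicit-TLS ports such as 443, 465 and 993; port 587 needs a STARTTLS exchange first and will not yield a certificate this way.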

Subject Alternative Names (SANs) explained

Every modern SSL certificate uses the Subject Alternative Name extension to define which hostnames it covers. Browsers stopped honouring the Common Name field for domain matching years ago — SANs are authoritative. A single certificate can cover dozens of domains and subdomains simultaneously. Wildcard entries (e.g. *.example.com) cover all immediate subdomains but not deeper levels like api.v2.example.com. Multi-domain SAN certificates issued by commercial CAs can cover completely unrelated domains owned by different parties.

The SAN panel above highlights your queried hostname in green if it is explicitly covered, and in blue if it is covered by a wildcard. If your hostname does not appear in either colour, the certificate does not cover it — reissue or expand the certificate to include all required hostnames.
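The matching rules described in this section, written out as an added example (not this site's code). The sample certificate is constructed in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, the function names are assumptions, and refusing a wildcard directly under a top-level label is a conservative choice of this example.

```python
# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert()
SAMPLE_CERT = {
    "subject": ((("commonName", "legacy.example.net"),),),
    "subjectAltName": (
        ("DNS", "example.com"),
        ("DNS", "*.example.com"),
        ("DNS", "shop.example.org"),
        ("IP Address", "192.0.2.10"),
    ),
}


def _norm(name):
    """Lower-case and drop a trailing root dot so comparisons are canonical."""
    return name.strip().rstrip(".").lower()


def dns_sans(cert):
    """DNS-type SAN entries only; the Common Name is deliberately ignored."""
    return [_norm(v) for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def matches(hostname, san):
    """Return 'exact', 'wildcard' or None for one SAN entry."""
    host, san = _norm(hostname), _norm(san)
    if san == host:
        return "exact"
    h, s = host.split("."), san.split(".")
    # A wildcard must be the whole leftmost label and stands for exactly one label.
    if s[0] == "*" and len(s) > 2 and len(h) == len(s) and h[1:] == s[1:] and h[0]:
        return "wildcard"
    return None


def san_coverage(hostname, cert):
    """Best match across all SANs: 'exact' beats 'wildcard', else 'none'."""
    kinds = {matches(hostname, san) for san in dns_sans(cert)}
    return "exact" if "exact" in kinds else "wildcard" if "wildcard" in kinds else "none"


def panel(hostname, cert):
    """List every DNS SAN with how (if at all) it covers the queried hostname."""
    return [(san, matches(hostname, san) or "-") for san in dns_sans(cert)]
```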

Frequently Asked Questions

Common questions about SSL/TLS certificates, expiry, trust and configuration.

What is the difference between SSL and TLS?

SSL (Secure Sockets Layer) was the original encryption protocol developed in the 1990s. TLS (Transport Layer Security) replaced it with a redesigned handshake and stronger cipher suites. Modern browsers enforce TLS 1.2 as the minimum; TLS 1.3 is now the standard for new connections. SSL 2.0 and 3.0 were deprecated and are blocked by all current browsers. The term "SSL certificate" has persisted in common usage despite the underlying protocol being TLS — the certificate format itself has not changed, only the handshake protocol.

How far in advance should I renew my certificate?

Renew at least 30 days before expiry — this checker flags certificates with 30 or fewer days remaining in orange. Let's Encrypt auto-renews at 60 days remaining to allow buffer for failed first attempts. For paid commercial certificates, start the renewal process 60–90 days out to allow time for domain validation, organisational verification (for OV/EV), certificate deployment and testing across all servers. After renewal, run this tool to confirm the new certificate is live, then verify HSTS is still active via our HTTP Headers tool.

Can I check SSL certificates on non-standard ports?

Yes — change the port number in the search bar above. Default is 443 (HTTPS). Common non-standard SSL ports include 465 (SMTPS), 587 (SMTP with STARTTLS upgrade), 993 (IMAPS), 636 (LDAPS), and 990 (FTPS). Before checking SSL on a custom port, confirm the port is actually open using our Port Checker — a closed port returns a connection failure rather than a certificate result, which can be confused with a missing certificate.

What is HSTS and how does it relate to my SSL certificate?

HTTP Strict Transport Security (HSTS) is a response header that instructs browsers to always connect to your site over HTTPS, even if the user types http:// or follows an unencrypted link. A valid SSL certificate is a prerequisite — HSTS is meaningless on an expired or untrusted certificate because browsers will not honour it. HSTS and SSL work as complementary layers: the certificate enables encryption and authentication; HSTS prevents browsers from ever downgrading to plain HTTP. After confirming your certificate is valid here, check your HSTS configuration using our HTTP Headers tool.

Is this SSL checker free and does it store query data?

Completely free, no account required, unlimited checks. Every result is fetched live from the target server at the moment you submit — no caching, no data retention, no query logging. For a complete domain health workflow, combine this with our DNS Lookup, WHOIS Lookup, HTTP Headers, and Port Checker — all free and real-time with no sign-up.