HomeToolsNetwork & DNS › SSL Certificate Checker

SSL Certificate Checker — Check SSL Validity & Expiry Free

Security

Enter a domain name and instantly check its SSL certificate: validity status, expiry date, issuer, key algorithm, Subject Alternative Names, and chain completeness. Live TLS check from our server — no browser plugins or CLI needed.

Enter a domain to check its SSL certificate.

More network tools: DNS Lookup WHOIS Lookup Port Checker

About SSL Certificate Checker

SSL Certificate Checker is a free browser-based tool that performs a live TLS handshake from our server to port 443 of your domain and extracts the certificate details. Enter any domain name (e.g. example.com) or paste a full URL — the tool strips the protocol and path automatically — and in seconds you see the certificate status, exact expiry date and countdown, issuer organisation, key algorithm and bit-size, serial number, all Subject Alternative Names, and whether the certificate chain is complete.

Webmasters, DevOps engineers, and SEOs use SSL checkers to verify that certificates are installed correctly, that auto-renewal is actually running (especially for Let's Encrypt Certbot setups), and that the certificate chain includes all required intermediate CA certificates. A missing intermediate causes browsers to show "NET::ERR_CERT_AUTHORITY_INVALID" even when the leaf certificate is technically valid.

How SSL certificates work

An SSL/TLS certificate is a digitally signed document that proves a server's identity and enables an encrypted connection. It contains the domain name(s) it covers (Common Name + SANs), the issuing Certificate Authority (CA), validity dates, the server's public key and algorithm, and a digital signature from the CA. When a browser connects to an HTTPS site, it verifies the certificate signature against a built-in list of trusted root CAs. If any link in the chain — leaf certificate, intermediate CAs, or root CA — is missing or untrustworthy, the browser rejects the connection.

Certificate chain completeness

Most CAs issue leaf certificates signed by intermediate certificates (not directly by the root CA). Your web server must serve both the leaf certificate and the intermediate(s) together, forming the "chain." If the server only sends the leaf certificate, browsers that haven't cached the intermediate will reject the connection. This is a common deployment mistake that the "Certificate chain: Complete / Incomplete" field in this tool catches immediately.

Common use cases

  • Verifying SSL after a certificate renewal — A sysadmin just renewed a commercial SSL certificate and installed it on the web server. They use the SSL Checker to confirm the new certificate is served on port 443, that the expiry date matches what the CA issued, and that the chain is complete — all before the old certificate expires.
  • Monitoring a Let's Encrypt auto-renewal — A developer relies on Certbot to auto-renew Let's Encrypt certificates. They check the domain periodically with the SSL Checker to confirm auto-renewal is running: if the certificate still shows 85+ days remaining after the expected renewal date, the cron job likely failed and the certificate will expire in under 90 days.
  • Diagnosing a browser SSL warning after deployment — After deploying a new certificate bundle, users report "Your connection is not private" warnings in Chrome. The SSL Checker's "Certificate chain: Incomplete ⚠" result immediately reveals that the server is sending only the leaf certificate without the intermediate CA — the fix is to reinstall the full bundle (leaf + intermediates) provided by the CA.
  • Pre-launch HTTPS verification for a new domain — A web agency is launching a client's site and wants to verify HTTPS is fully configured before go-live. They check the domain in the SSL Checker to confirm the certificate is valid, covers the correct domains in the SANs list, and that the chain is complete — a quick pre-launch gate alongside DNS propagation checks.

How to use this tool

  1. Type your domain into the field (e.g., example.com). You can paste a full URL — the tool strips the protocol and path automatically.
  2. Click "Check SSL" to run the certificate check from our server against port 443 of your domain.
  3. Review the status badge: "Valid ✓" means your certificate is active; "Expired ✗" means it has lapsed and visitors will see browser warnings; "Not Found ✗" means no certificate was found on port 443.
  4. For valid certificates: check the expiry countdown and schedule renewal before the 30-day warning threshold. Check "Certificate chain" — "Complete ✓" means all intermediate CAs are correctly served; "Incomplete ⚠" requires installing the full certificate bundle from your CA.

Frequently asked questions

How do I check if my SSL certificate is valid?

Enter your domain name (e.g., example.com) in the field above and click "Check SSL." The tool performs a live TLS handshake from our server to port 443, fetches the certificate, and reports validity status, expiry date, issuer, and key details instantly. No browser plugins or command-line tools needed.

How long before my SSL certificate expires should I renew it?

Most CAs recommend renewing at least 30 days before expiry. Let's Encrypt certificates (90-day validity) auto-renew via Certbot — use this tool to verify auto-renewal is actually running. For commercial certificates (1–2 year validity), set a calendar reminder 60 days before the expiry date shown above.

What does "Not Found" mean in the SSL result?

"Not Found" means our server could not complete a TLS handshake with port 443 on your domain. Common causes: the domain doesn't exist, port 443 is blocked by a firewall, HTTPS is not configured, or the server returned a fatal certificate error. Verify you typed the bare domain correctly (e.g., example.com, not https://example.com) and that your server is actively serving HTTPS.

What are Subject Alternative Names (SANs)?

SANs are additional domain names secured by the same SSL certificate. A single cert can cover example.com, www.example.com, api.example.com, and even different domains (multi-domain/UCC cert). Wildcard SANs like *.example.com cover all direct subdomains. The SANs section in this tool shows up to 5 names with a count of any additional ones.

What does "Certificate chain incomplete" mean?

An SSL chain consists of your server's certificate, intermediate CA certificates, and the root CA. If the server omits the intermediate certificates, browsers show a warning even if your certificate itself is valid. "Incomplete" in our result means the returned chain is missing intermediates. Fix: install the full bundle (server cert + intermediates) provided by your CA, not just the leaf certificate.

Related Network Tools

Open another DNS or network check in one click.

Live

OG Tag Previewer

Enter any URL to see how it will appear as a social share preview on Facebook, LinkedIn, and Twitter/X. Checks og:title, og:description, og:image, and all Open Graph meta tags.

Open tool
Live

DNS Lookup

Check DNS records for a domain using a live resolver in your browser.

Open tool
Live

MX Lookup

Find the mail servers configured for a domain.

Open tool
Live

NS Lookup

View authoritative nameservers for a domain.

Open tool
Live

TXT Lookup

Inspect TXT records such as SPF and domain verification values.

Open tool
Live

CNAME Lookup

Resolve canonical hostname aliases for a domain or subdomain.

Open tool
Live

SOA Lookup

Inspect SOA parameters such as serial, refresh and retry.

Open tool
Live

CAA Lookup

Verify which certificate authorities can issue certificates for a domain.

Open tool