NetDiagTools

SSL Certificate Checker

Inspect a domain's SSL/TLS certificate: issuer, expiry, SAN list and chain.

About this tool

This tool opens a TLS connection to your server on port 443 and inspects the certificate it presents: the issuer, validity window, days until expiry, the Subject Alternative Names (SAN) the certificate covers, the negotiated TLS protocol version, and the full certificate chain back to the root.

Run it after installing or renewing a certificate to confirm the right certificate is being served, that intermediate certificates are included (a missing intermediate breaks many clients), and that the SAN list covers every hostname you serve.

Frequently asked questions

What is a SAN domain?

Subject Alternative Names list every hostname a certificate is valid for, e.g. example.com and www.example.com. Browsers check only the SAN list (not the legacy Common Name), so any hostname you serve must appear in it.

Why does my certificate work in browsers but fail elsewhere?

The cause is almost always a missing intermediate certificate. Browsers cache intermediates and can fill the gap, but strict clients (curl, Java, mail servers, mobile apps) require the server to send the complete chain. Check the chain section of the results.

When should I renew my certificate?

Automate renewal if possible (Let's Encrypt certificates last 90 days and renew automatically). For manually managed certificates, renew at least 14 days before expiry and monitor the days-remaining figure so an expired certificate never takes your site down.
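
The SAN-coverage and days-remaining checks from the answers above can also be scripted. The following is an added example, not this tool's own code: the sample certificate, the hostnames and every function name are constructed for illustration, and the wildcard rule assumes the usual one-label matching.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_THRESHOLD_DAYS = 14  # the FAQ's minimum lead time for manual renewal

def fetch_cert(host, port=443, timeout=5.0):
    """Live check as a strict client: raises ssl.SSLCertVerificationError when
    the chain the server sends cannot be validated (e.g. missing intermediate)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version()

def san_covers(pattern, hostname):
    """Exact match, or a '*.' wildcard standing in for exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = hostname.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == hostname

def uncovered_hosts(cert, served_hosts):
    """Hostnames you serve that no DNS entry in the SAN list covers."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return [h for h in served_hosts if not any(san_covers(p, h) for p in sans)]

def days_remaining(cert, now=None):
    """Whole days from `now` (default: current UTC time) to the notAfter date."""
    now = now or datetime.now(timezone.utc)
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expiry - now).days

def review(cert, served_hosts, now=None):
    days = days_remaining(cert, now)
    return {"days_remaining": days, "renew_now": days < RENEW_THRESHOLD_DAYS,
            "uncovered": uncovered_hosts(cert, served_hosts)}

# Constructed sample in the dict shape ssl.getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "issuer": ((("commonName", "Example Issuing CA"),),),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Apr  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
SERVED = ["example.com", "www.example.com", "api.eu.example.com"]  # constructed

if __name__ == "__main__":
    print(review(SAMPLE_CERT, SERVED, datetime(2025, 3, 22, tzinfo=timezone.utc)))
```

For a live server, pass the first value returned by fetch_cert() to review() together with the hostnames you actually serve.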