Free SSL Checker
Check any domain’s SSL/TLS certificate in seconds — expiry date, days remaining, issuer, chain validity, hostname/SAN match and TLS version. No signup.
Tip: add a port to check mail or custom TLS services, e.g. mail.example.com:465.
What this SSL checker checks
Expiry & days remaining
The notAfter date and exactly how many days are left before clients start rejecting it.
Issuer
Which certificate authority issued the certificate — Let’s Encrypt, Google, DigiCert and others.
Chain validity
Whether the server sends a complete chain or is missing an intermediate certificate.
Hostname / SAN match
Whether the hostname is covered by the certificate’s Subject Alternative Names.
TLS version
The protocol the server negotiated — TLS 1.2 or TLS 1.3.
Serial & SHA-256
The certificate serial number and SHA-256 fingerprint, plus the full SAN list.
Common SSL errors this surfaces
If the check fails, these explainers cover the exact cause and how to fix it.
Check SSL from the command line
Prefer the terminal, or want to automate it? These walk through the openssl commands and how monitoring works.
SSL checker FAQ
What is an SSL checker?
An SSL checker connects to a website over HTTPS, reads the SSL/TLS certificate the server presents, and reports whether it is valid — the expiry date, the issuing certificate authority, whether the certificate chain is complete, whether it matches the hostname, and which TLS version the server negotiated. This one runs from our servers, so there is nothing to install.
How do I check an SSL certificate’s expiration date?
Enter your domain above and read the “Expires” and “Days to expiry” fields — that is the certificate’s notAfter date and the time left before browsers start rejecting it. You can run the same check from the command line with openssl; the guides below show the exact commands.
What does this SSL checker check?
The expiry date and days remaining, the issuing certificate authority, certificate chain validity (whether the server sends its intermediate), hostname and SAN match, the negotiated TLS protocol version, plus the serial number, SHA-256 fingerprint and the full Subject Alternative Name list.
Can I check an SSL certificate on a port other than 443?
Yes. Append the port to the hostname, for example mail.example.com:465 or example.com:8443. That lets you check certificates on mail servers (SMTP on 465/587, IMAP on 993), custom HTTPS ports and other TLS services — not just standard web servers.
Why does the checker say the certificate chain is invalid?
Almost always because the server is sending only its leaf certificate and omitting the intermediate that links it to a trusted root. Browsers sometimes paper over this, but many API clients and older systems do not, causing intermittent failures. Rebuild the served certificate to include the full chain and reload the server.
Why does it say the hostname does not match?
The certificate’s Subject Alternative Name (SAN) list does not include the exact hostname you entered — for example the certificate covers example.com but you checked www.example.com. Reissue the certificate with every hostname you serve, or route the hostname to an endpoint whose certificate already covers it.
Is this SSL checker free, and do I need an account?
It is completely free and no signup is required. If you want certificates watched automatically and to be alerted before one expires, SSLNudge monitors them daily and notifies you well ahead of the deadline.
How is this different from running openssl?
It runs the same inspection as openssl s_client, but from a neutral external vantage point with no install and a readable result. Checking from outside also catches problems — like a missing intermediate — that can look fine on the server itself.
Stop checking by hand
SSLNudge re-checks your certificates daily and alerts you before they expire.