SSL Certificate Checker

Check SSL/TLS certificate validity, expiration, issuer, cipher suites, and chain details for any HTTPS domain. Free, private — all processing in your browser.

How this works

Queries go from your browser to crt.sh, a free Certificate Transparency log search. This is the same data your browser could fetch directly. Tooleras doesn't see the query or proxy the request. This tool shows certificates that were issued for a hostname, not necessarily what's currently being served.

What this tool does not do
  • CT logs show issued certs, not deployed certs. A cert can be issued yesterday and never actually put in front of traffic. To verify what's actually being served, use openssl s_client -connect host:443 -servername host.
  • CDNs serve shared edge certs. Sites behind Cloudflare, Akamai, or Fastly may be protected by a multi-tenant cert that won't appear in CT under the origin hostname.
  • Private CAs don't log to CT. Internal certs from ADCS or self-signed certs aren't visible here at all.
  • No TLS grade, cipher suite, or vulnerability analysis — that requires a deeper scan that takes 30-60 seconds. A separate SSL Labs-backed tool is planned.
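
The gap between issued and deployed certificates can be checked by relating CT records to the serial number of the certificate a server presents (for example from openssl x509 -noout -serial, or the serialNumber field of Python's getpeercert()). The following is an added example, not code from this tool; the records are constructed in the shape of crt.sh's JSON output, and the issuer named OTHER and the function names are made up for illustration.

```python
from datetime import datetime

# Constructed records in the shape of crt.sh's JSON output (output=json).
LE = "C=US, O=Let's Encrypt, CN=R3"
OTHER = "C=XX, O=Example Other CA, CN=Other CA 1"  # made-up issuer
SAMPLE = [
    {"issuer_name": LE, "serial_number": "03a1", "name_value": "blog.example.com",
     "not_before": "2024-03-01T00:00:00", "not_after": "2024-05-30T00:00:00"},
    {"issuer_name": LE, "serial_number": "03a1", "name_value": "blog.example.com",
     "not_before": "2024-03-01T00:00:00", "not_after": "2024-05-30T00:00:00"},
    {"issuer_name": LE, "serial_number": "02ff", "name_value": "blog.example.com",
     "not_before": "2024-01-01T00:00:00", "not_after": "2024-03-31T00:00:00"},
    {"issuer_name": OTHER, "serial_number": "0b7c",
     "name_value": "blog.example.com\nwww.blog.example.com",
     "not_before": "2024-04-20T00:00:00", "not_after": "2025-04-20T00:00:00"},
]


def live_certs(records, host, now):
    """Unexpired certs naming host exactly, one per (issuer, serial)."""
    live = {}
    for r in records:
        names = r["name_value"].lower().split("\n")  # wildcards not expanded
        start = datetime.fromisoformat(r["not_before"])
        end = datetime.fromisoformat(r["not_after"])
        if host.lower() in names and start <= now <= end:
            # A precertificate and its final cert share issuer and serial.
            live.setdefault((r["issuer_name"], int(r["serial_number"], 16)), r)
    return list(live.values())


def compare(records, host, served_serial, now, expected_issuers):
    """Relate CT issuance history to the serial of the cert being served."""
    live = live_certs(records, host, now)
    serials = {int(r["serial_number"], 16) for r in live}
    issuers = {r["issuer_name"] for r in live}
    return {
        "live_issued": len(live),
        "served_is_logged": int(served_serial, 16) in serials,
        "unexpected_issuers": sorted(issuers - set(expected_issuers)),
    }
```

A served serial that is absent from CT fits the CDN and private-CA cases listed above; an unexpected issuer among the live certificates is worth tracing to whoever requested it.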

The SSL Checker analyzes any HTTPS website’s SSL/TLS certificate and reports everything you need to know: validity dates, issuer, subject, Subject Alternative Names (SANs), cipher suites, protocol versions supported, and certificate chain completeness. SSL/TLS certificates are the foundation of HTTPS; an expired or misconfigured cert breaks the site for visitors. Monitoring and validating certificates is a routine task for site administrators, security engineers, and anyone managing web properties.

Enter any domain and the tool fetches the certificate directly from the server and reports: certificate validity (not-before and not-after dates), issuer (Let’s Encrypt, DigiCert, Sectigo, etc.), subject and all SANs (which domains the cert covers), signature algorithm, key size, cipher suites supported, TLS protocol versions, and chain completeness (whether intermediate certificates are included). Warnings flag expiring certificates (under 30 days), weak ciphers, outdated protocols (TLS 1.0 and 1.1), missing intermediates, and hostname mismatches. All analysis runs via public API calls to certificate transparency logs and direct probes.

SSL Certificate Checker — key features

Full certificate details

Issuer, subject, SANs, validity dates, signature algorithm, key size — all displayed clearly.

Expiration warning

Flags certificates expiring in the next 30 days so you can renew before they break.

Chain validation

Verifies intermediate certificates are included and the chain is complete to a trusted root.

Cipher and protocol

Lists supported TLS versions and cipher suites with weakness warnings.

HSTS check

Reports whether the server sends Strict-Transport-Security and its configuration.

SAN coverage

Lists all domain names covered by the certificate to detect scope issues.

Certificate Transparency

Optional lookup in CT logs to find all issued certs for the domain.

Grade and rating

Composite score reflecting overall security posture.

How to use the SSL Certificate Checker

  1. Enter domain

    Type any HTTPS domain (example.com) into the input field.

  2. Start scan

    Click scan — the tool connects to the server and fetches the certificate.

  3. Review validity

    Check the expiration date first; renewal is urgent if under 30 days.

  4. Check chain and protocols

    Verify intermediate certs are sent and modern TLS versions are supported.

  5. Address warnings

    Fix any flagged issues: weak ciphers, missing intermediates, or protocol downgrade support.

Common use cases for the SSL Certificate Checker

Site administration

  • Pre-expiry checks: Monitor certificate expiration to renew before downtime. Set reminders based on the expiry date the tool reports.
  • Post-renewal verification: After rotating certificates, verify the new cert is live and the chain is complete.
  • Migration verification: Confirm certificates work correctly on new servers during migration.

Security

  • Security audit: Verify all company web properties support TLS 1.2+, strong ciphers, and valid certificate chains.
  • Phishing investigation: Check suspicious sites’ certificates to identify CA and issuance history.
  • PCI DSS compliance: Confirm no TLS 1.0/1.1 is supported as required by PCI DSS v3.2+.

Development

  • CI/CD verification: Automated checks after deploys to confirm HTTPS is intact before traffic cuts over.
  • Debugging connectivity: When clients report certificate errors, the tool shows exactly what the server presents.
  • Third-party integration: Verify API and webhook endpoints have valid TLS before pointing production at them.

SSL Certificate Checker — examples

Valid cert

Typical well-configured site.

Input
example.com
Output
issuer: DigiCert Inc.
valid: 2024-01-15 to 2025-01-14 (expires in 254 days)
SANs: example.com, www.example.com
protocol: TLS 1.2, TLS 1.3
key: RSA 2048-bit
grade: A+

Expiring soon

Certificate needing renewal.

Input
oldsite.example.com
Output
warning: expires in 12 days
valid: 2024-02-15 to 2024-05-17
action: renew immediately to avoid downtime

Weak ciphers

Site supporting outdated protocols.

Input
legacy.example.com
Output
warning: supports TLS 1.0 (deprecated)
supports weak cipher: RC4
grade: C
action: disable TLS 1.0, 1.1 and weak ciphers

Let’s Encrypt

Free LE cert with 90-day validity.

Input
blog.example.com
Output
issuer: Let’s Encrypt Authority X3
valid: 90 days from issue
auto-renewal: typically configured in certbot or similar

Missing intermediate

Chain incomplete.

Input
badcert.example.com
Output
warning: intermediate CA missing
impact: some clients (older Android) cannot verify
fix: configure server to send the full chain

Technical details

SSL/TLS certificates are X.509 structures signed by Certificate Authorities. Key fields:

Validity: notBefore and notAfter dates. Modern certs are 90 days (Let’s Encrypt default) or up to 1 year (paid CAs). Browsers warn on expired certs; many services break outright.

Subject: the domain(s) the cert is for. CN (Common Name) field plus SubjectAlternativeNames extension. Modern certs rely on SAN because CN is deprecated.

Issuer: the CA that signed the cert. Let’s Encrypt is most common for small sites; DigiCert, Sectigo, GoDaddy for enterprise.

Chain: cert → intermediate CA → root CA. The server must send the cert and intermediates; the browser has root CAs built in. Missing intermediates cause "unable to verify" errors in some clients (particularly older Android and custom HTTP clients).

Signature algorithm: SHA-256 is current. SHA-1 is deprecated and rejected by modern browsers.

Key size and algorithm: RSA 2048+ or ECDSA 256+ bits. Weaker keys are rejected.

TLS versions: TLS 1.2 is minimum for modern security. TLS 1.3 is current best. TLS 1.0 and 1.1 are deprecated (PCI DSS forbids them since 2018).

Cipher suites: the algorithms used for encryption, authentication, and MAC in TLS. Modern strong suites: AES-GCM, ChaCha20-Poly1305. Weak: RC4, 3DES, export-grade ciphers. The tool flags weak suites.

HSTS (Strict-Transport-Security): HTTP response header telling browsers to always use HTTPS. Not part of the cert but critical for security posture.

Certificate Transparency: certs issued by public CAs are logged in public CT logs. Chrome requires CT logging for the certs it trusts. The tool can query CT logs to find all certs ever issued for a domain.

Grade (A+/A/B/C/D/F): composite score based on protocol, cipher, key strength, and known vulnerabilities. SSL Labs’ grading is the canonical reference.
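
The validity, SAN and chain fields above can be checked against what a server actually presents using Python's standard ssl module. This is an added example, not code from this tool; the function names and the SAMPLE dict are constructed for illustration, and the 30-day threshold is the one this page uses.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # expiry-warning threshold used on this page


def probe(host, port=443, timeout=5.0):
    """Handshake with full verification: (cert_dict, tls_version, error)."""
    ctx = ssl.create_default_context()  # checks chain, dates and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), tls.version(), None
    except ssl.SSLCertVerificationError as exc:
        # OpenSSL does not fetch missing intermediates via AIA, so an
        # incomplete chain fails here even where a browser would succeed.
        return None, None, exc.verify_message


def name_matches(pattern, host):
    """Exact match, or '*' standing in for exactly one left-most label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or p[1:] != h[1:]:
        return False
    return p[0] == h[0] or (p[0] == "*" and len(p) > 2)


def review(cert, host, now=None):
    """Return (days_left, findings) for a dict shaped like getpeercert()."""
    now = now or datetime.now(timezone.utc)
    expiry = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expiry - now).days
    findings = []
    if days_left < 0:
        findings.append("expired")
    elif days_left < WARN_DAYS:
        findings.append(f"expires in {days_left} days")
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, host) for n in sans):
        findings.append("hostname mismatch")
    return days_left, findings


# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE = {
    "notAfter": "May 17 12:00:00 2024 GMT",
    "subjectAltName": (("DNS", "oldsite.example.com"),
                       ("DNS", "*.shop.example.com")),
}
```

Because probe() verifies the chain without AIA fetching, it behaves like the custom HTTP clients mentioned above: a server that omits its intermediate returns an error string here instead of a certificate.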

Common problems and solutions

Expiration surprise

Let a cert expire and your site breaks. Always monitor expiry dates and renew with plenty of margin. Let’s Encrypt automated renewal handles most cases; manual certs need calendar reminders.

Chain incomplete

Server must send all intermediate CAs. Let’s Encrypt certbot often handles this; other setups may not. Use the tool to verify chain completeness after any cert change.

Weak ciphers supported

Disable TLS 1.0, 1.1, and weak ciphers (RC4, 3DES, export-grade). Modern configurations should support only TLS 1.2 and 1.3 with AES-GCM and ChaCha20.

HSTS not configured

Add Strict-Transport-Security header to force HTTPS. Consider HSTS preload for high-security sites. The tool shows whether the header is present.
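
A check for the header's configuration needs to parse its directives, not just test for presence. The parser below is an added example, not this tool's code; the finding strings are made up, and the one-year threshold is an assumption taken from the HSTS preload list's minimum max-age.

```python
ONE_YEAR = 31536000  # seconds; minimum max-age for the preload list


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 syntax)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()    # directive names are case-insensitive
        arg = arg.strip().strip('"')   # the value may be a quoted-string
        if name == "max-age" and arg.isascii() and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def hsts_findings(header):
    """header is the raw header value, or None if the response had none."""
    if header is None:
        return ["no Strict-Transport-Security header"]
    p = parse_hsts(header)
    findings = []
    if p["max_age"] is None:
        findings.append("max-age missing or invalid")
    elif p["max_age"] == 0:
        findings.append("max-age=0 tells browsers to drop the policy")
    elif p["max_age"] < ONE_YEAR:
        findings.append("max-age shorter than one year")
    if p["preload"] and not (p["include_subdomains"]
                             and (p["max_age"] or 0) >= ONE_YEAR):
        findings.append("preload set but preload requirements not met")
    return findings
```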

Certificate hostname mismatch

The cert must cover the exact hostname the client requests. SAN field must include all hostnames. Mismatches cause browser errors.

Outdated signature algorithm

SHA-1 certs are rejected by modern browsers. SHA-256 is the minimum. Any cert still using SHA-1 must be re-issued.

PCI DSS non-compliance

Payment-processing systems must support only TLS 1.2+. TLS 1.0 and 1.1 violate current PCI DSS requirements. Check and disable legacy protocols.

SSL Certificate Checker — comparisons and alternatives

Compared to SSL Labs’ SSL Test, this tool is faster for quick checks with the same core information. SSL Labs provides more detail and a more thorough vulnerability scan; use it for deep audits.

Compared to openssl s_client command line, this tool has a web UI with clearer formatting and automated warnings. CLI is better for scripting and automation; this tool for interactive checks.

Compared to paid certificate monitoring services (DigiCert, Sectigo dashboards), this tool is for ad-hoc checking rather than continuous monitoring. Use monitoring services for production alerting.

Frequently asked questions about the SSL Certificate Checker

How do I check if my SSL certificate is valid?

Enter your domain and click scan. The tool fetches the certificate and shows the validity dates, issuer, and any warnings. A valid cert should have a future expiration date, a trusted issuer, and cover your exact domain.

How often should I check my SSL certificate?

At least monthly for critical domains, or set up automated monitoring that alerts before expiration. Let’s Encrypt’s 90-day lifespan means automatic renewal is essential; check weekly if manual renewal is your process.

What is a good SSL grade?

A or A+ is standard for well-configured sites. Grade B means minor issues. C and below indicate real security problems. Aim for A+ by supporting only modern TLS 1.2/1.3, strong ciphers, and having HSTS configured.

What does "chain incomplete" mean?

The server must send the certificate AND intermediate CA certificates so clients can verify the chain up to a trusted root. Missing intermediates cause some clients (older Android, custom HTTP clients) to reject the cert. Configure your server to send the full chain.

Should I disable TLS 1.0 and 1.1?

Yes, for modern security. Both are deprecated, have known vulnerabilities (BEAST, POODLE), and are forbidden by PCI DSS. Only disable them if you’re sure no critical legacy clients need them — test thoroughly before disabling.

What is HSTS?

HTTP Strict Transport Security. A header (Strict-Transport-Security) that tells browsers to always use HTTPS for this domain, even when users type http:// or click http links. Critical for preventing downgrade attacks. Once set with long max-age, browsers remember the directive.

Why does my certificate work in browsers but not in my app?

Browsers have up-to-date CA lists and handle chain reconstruction. Native apps and older HTTP clients may not. If the chain is incomplete (server doesn’t send intermediates), browsers often work via AIA fetching while older clients fail. Always include the full chain on the server.

Can I check my site's certificate without exposing private data?

Yes. The tool only fetches the public certificate and reports its details. No private keys, no credentials, no request bodies. Safe to use even for sensitive internal services (as long as you can reach them from the internet or the tool’s probe point).
