SSL Certificate Checker

Verify any domain's SSL/TLS certificate — expiry, issuer, SANs, key type, and validity

Enter a domain name. The protocol and path are stripped automatically.

Frequently Asked Questions

An SSL (Secure Sockets Layer) certificate — more accurately called a TLS (Transport Layer Security) certificate today — is a digital certificate that authenticates a website's identity and enables encrypted communication. It binds a domain name to an organization's identity and a public key. When a browser connects to a server with SSL, it verifies the certificate before establishing a secure HTTPS connection.

SSL certificates have a limited validity period (typically 90 days to 1 year). When a certificate expires, browsers display a security warning and block access to the site. Expired certificates do not protect communications. Website administrators must renew certificates before they expire. Services like Let's Encrypt offer free 90-day certificates with auto-renewal.

Subject Alternative Names (SANs) are a certificate extension that allows a single SSL certificate to cover multiple domain names. For example, a certificate for example.com might also cover www.example.com, mail.example.com, and *.example.com (wildcard). Modern browsers require SANs — the Common Name (CN) field alone is no longer accepted as valid.

DV (Domain Validated): Only verifies domain ownership. Fast and cheap/free (Let's Encrypt). Good for personal sites.

OV (Organization Validated): Verifies the domain and the organization behind it. Better for businesses.

EV (Extended Validation): Most rigorous — verifies legal identity of the organization. Previously showed a green bar in browsers; now shown in cert details.

A wildcard certificate uses an asterisk (*) in the domain to cover all subdomains at one level. For example, *.example.com covers www.example.com, api.example.com, mail.example.com, etc., but not sub.api.example.com (two levels deep). Wildcard certs save money when you need to secure many subdomains.

A certificate is "not trusted" when it is not issued by (or does not chain to) a Certificate Authority (CA) that the browser trusts. This can happen with self-signed certificates, certificates from unknown CAs, or if the intermediate certificate chain is incomplete. Browsers maintain a list of trusted root CAs; any cert that can't be traced back to a trusted root is flagged as untrusted.

About This SSL Checker

This free SSL Certificate Checker connects directly to the target server on port 443 and retrieves the SSL/TLS certificate in real time. It shows the certificate's common name, organization, issuer (Certificate Authority), validity dates, days remaining, subject alternative names (SANs), key type and size, and signature algorithm. The tool checks whether the certificate chain validates correctly against trusted root CAs.

Common Certificate Authorities

| CA | Type | Notes |
|---|---|---|
| Let's Encrypt | DV | Free, 90-day, auto-renew |
| DigiCert | DV/OV/EV | Premium, widely trusted |
| Sectigo | DV/OV/EV | Formerly Comodo |
| GlobalSign | DV/OV/EV | Enterprise focus |
| ZeroSSL | DV | Free 90-day certs |
| Amazon ACM | DV | Free for AWS services |

SSL Certificate Status Guide

| Status | Meaning |
|---|---|
| Valid | Certificate is current and trusted |
| Expiring Soon | Expires within 30 days |
| Expired | Certificate has expired |
| Untrusted | Chain not trusted by browsers |
| Self-Signed | Not issued by a public CA |
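
The checks described under "About This SSL Checker" and the status guide above can be reproduced with Python's standard library. This is an added example, not this tool's own code: the function names, the SAMPLE certificate and the mapping of a failed chain validation to "Untrusted" are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

EXPIRING_SOON_DAYS = 30  # "Expiring Soon" threshold from the status guide

def fetch_cert(host, port=443, timeout=5.0):
    """Return the leaf certificate as a dict. Raises
    ssl.SSLCertVerificationError when the chain does not validate against
    the local trust store (report that as Untrusted / Self-Signed)."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def san_covers(host, cert):
    """True if a DNS SAN matches host; '*' covers exactly one leftmost label."""
    host = host.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower()
        if pattern == host:
            return True
        # *.example.com matches api.example.com but not sub.api.example.com
        if pattern.startswith("*.") and host.partition(".")[2] == pattern[2:]:
            return True
    return False

def days_remaining(cert, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((not_after - now.timestamp()) // 86400)

def status(cert, now=None):
    """Map days remaining onto the Valid / Expiring Soon / Expired statuses."""
    left = days_remaining(cert, now)
    if left < 0:
        return "Expired"
    return "Expiring Soon" if left <= EXPIRING_SOON_DAYS else "Valid"

# Constructed sample in the shape returned by SSLSocket.getpeercert()
SAMPLE = {
    "notAfter": "Jun 30 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
```

Against a live server, pass the result of fetch_cert("example.com") to san_covers and status in place of SAMPLE.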