SSL Certificate Checker
Inspect a TLS certificate: issuer, expiry date, subject alternative names, fingerprint, and the negotiated protocol/cipher.
Quick answer: Inspect a TLS certificate: issuer, expiry date, subject alternative names, fingerprint, and the negotiated protocol/cipher.
Last updated
Frequently asked questions
- When does my SSL certificate expire?
- The 'Valid to' field shows the exact UTC expiry date and we also show how many days remain. Renew at least two weeks before that to absorb registry/CA delays.
- How do I check whether a certificate is valid?
- Run the check. A green 'Trusted chain' badge means our resolver could build a chain to a trusted root using the certs the server sent.
- What is a SAN?
- Subject Alternative Name — the list of hostnames a certificate is valid for. Modern certs put every hostname here (the legacy 'Common Name' is ignored).
- What's the difference between DV, OV, and EV?
- DV (Domain Validated) only proves you control the domain. OV (Organization Validated) verifies the legal entity. EV (Extended Validation) does deeper KYC and used to show a green bar — most browsers no longer give EV any UI advantage.
- Why do I get "certificate not trusted"?
- Either the chain is incomplete (server didn't send the intermediate), the cert is self-signed, the root isn't in our store, or the cert is for the wrong hostname.
- What is an intermediate certificate?
- A CA cert that links your leaf cert to a root in browsers' trust store. Web servers must serve these alongside the leaf — most CAs hand you a 'fullchain.pem' that already includes them.
- How do I fix chain issues?
- Replace the cert file on your server with the 'fullchain' version your CA provided. Tools like ssllabs.com can confirm the chain is now complete.
- Can I check the TLS version?
- Yes — the negotiated protocol (TLS 1.2 / TLS 1.3) and cipher are shown in the result header.
- Does it work for subdomains?
- Of course — enter the exact hostname (api.example.com, www.example.com). The SANs section will show every hostname the cert covers.
- Can I export the certificate details?
- Copy the fingerprint and serial directly from the page. For a full PEM dump, use openssl s_client -connect host:443 -showcerts on your terminal.