Instantly check the SSL/TLS certificate of any website — expiry, issuer, domain coverage and trust status. Free, no sign-up needed.
An SSL/TLS certificate does two things simultaneously. First, it enables the encrypted TLS tunnel between a visitor's browser and your server, so passwords, payment details and session tokens can't be intercepted in transit. Second, it authenticates your server — when a browser connects, it verifies the certificate against a list of trusted Certificate Authorities (CAs) built into the OS or browser, confirming it's talking to the genuine owner of the domain and not an impersonator.
Both functions matter independently. A connection can be fully encrypted yet still trigger browser warnings if the CA isn't trusted, the domain doesn't match, or the certificate has expired. This checker tests all four failure modes in one go. For a complete picture of a site's security posture, pair this with our HTTP Headers tool to verify HSTS is active, and our DNS Lookup to confirm the domain is pointing where you expect.
For the vast majority of websites, Let's Encrypt is the best choice — it's free, automated, trusted by every major browser, and renews every 90 days via ACME clients like Certbot or built-in hosting panel integrations. The 90-day validity window is intentional: short lifetimes reduce the exposure window if a private key is ever compromised.
Paid certificates from commercial CAs offer Organisation Validated (OV) or Extended Validation (EV) tiers, which include verified company identity in the certificate details panel. Most modern browsers have removed the green address bar for EV certificates, so the practical security difference for typical websites is minimal. OV/EV certificates remain relevant for compliance requirements in finance, healthcare and government sectors. After installing any certificate, verify it's serving correctly here and confirm your domain's DNS is resolving to the right server via our DNS Lookup.
Certificate expired: Renew immediately. If you're using Let's Encrypt, check why auto-renewal failed — the most common causes are a changed server IP (firewall blocking port 80 for the ACME challenge) or a DNS change that broke domain validation. After renewing, confirm the new certificate is live here.
Domain mismatch: The hostname isn't in the certificate's Subject Alternative Name list. Reissue the certificate including all hostnames pointing to your server. Before reissuing, use our DNS Lookup to see every A and CNAME record so you don't miss any subdomains. Also confirm the domain registration is current with our WHOIS Lookup.
Untrusted certificate: The certificate is self-signed, or issued by a private CA that is not in browser trust stores. Replace it with a certificate from a publicly trusted CA. If the site is internal-only, you can instead install your private root CA certificate on all client devices.
Connection refused: Port 443 may be closed or SSL not configured on the server. Use our Port Checker to test port 443, and our Ping Test to confirm basic host reachability.
Every modern certificate uses the Subject Alternative Name extension rather than the Common Name to define which hostnames it covers. A single certificate can list dozens of domains and subdomains — all verified by the CA during issuance. Wildcard entries (e.g. *.example.com) cover all immediate subdomains but not deeper levels like api.v2.example.com. The SAN list above shows every name this certificate covers, with your queried hostname highlighted in green if it's included.
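The wildcard rule above, together with the pre-reissue hostname check from the domain mismatch fix, as an added example (not this checker's own code). The helper names are hypothetical, and the certificate dictionary and hostname list are constructed samples in the layout Python's `ssl.SSLSocket.getpeercert()` returns.

```python
def dns_names(cert):
    """DNS entries from a dict shaped like ssl.SSLSocket.getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def _norm(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower()

def entry_matches(entry, hostname):
    entry, hostname = _norm(entry), _norm(hostname)
    if not entry.startswith("*."):
        return entry == hostname
    # A wildcard stands for exactly one left-most label, so the label counts
    # must be equal: the bare parent domain and deeper levels do not match.
    host_labels, entry_labels = hostname.split("."), entry.split(".")
    return (len(host_labels) == len(entry_labels)
            and host_labels[0] != ""
            and host_labels[1:] == entry_labels[1:])

def covering_entry(hostname, san_list):
    """Return the first SAN entry covering hostname, or None (domain mismatch)."""
    for entry in san_list:
        if entry_matches(entry, hostname):
            return entry
    return None

def uncovered(hostnames, san_list):
    """Hostnames that would fail with a domain mismatch on this certificate."""
    return [h for h in hostnames if covering_entry(h, san_list) is None]

# Constructed sample certificate; the IP entry is ignored for hostname checks.
SAMPLE_CERT = {
    "subjectAltName": (
        ("DNS", "example.com"),
        ("DNS", "*.example.com"),
        ("IP Address", "192.0.2.10"),
    )
}

# Constructed list of hostnames whose DNS records point at the server.
SERVED = ["example.com", "WWW.Example.com", "api.example.com.",
          "api.v2.example.com", "example.org"]

if __name__ == "__main__":
    sans = dns_names(SAMPLE_CERT)
    for host in SERVED:
        print(f"{host:22} -> {covering_entry(host, sans) or 'NOT COVERED'}")
    print("reissue must add:", uncovered(SERVED, sans))
```

Note that the sample certificate lists `example.com` separately: the wildcard entry alone would leave the bare domain uncovered.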
When a certificate covers multiple domains from different registrants (called a multi-domain or SAN certificate), every covered site relies on the same private key, so a compromise of that key at any one site theoretically exposes all covered domains. This is worth considering when choosing between a shared SAN certificate and individual per-domain certificates for high-security services.