Skip to content
snip tools

SSL certificate checker

See a site's certificate issuer, validity dates and expiry — from public CT logs.

Sourced from public Certificate Transparency logs. Queries are not stored.

How to check an SSL certificate

  1. Enter a host. Type a domain like example.com.
  2. Check the certificate. We look up its most recent certificate in public CT logs.
  3. Read the details. See the issuer, validity dates, days to expiry and covered domains.

What a certificate actually proves

A TLS certificate (still widely called "SSL") does two jobs at once: it carries the public key that encrypts traffic between the browser and the site, and it carries a claim of identity — "this key belongs to example.com" — signed by a Certificate Authority the browser already trusts. The browser believes that claim only if it can build a chain from the site's certificate, through one or more intermediate CA certificates, up to a root in its trust store. That's why a certificate can be perfectly valid yet still throw an error: if the server forgets to send the intermediate, some clients can't complete the chain.

The two failures you'll actually hit

In practice almost every certificate problem is one of two things. Expiry: certificates are short-lived now (often 90 days), so a renewal that silently fails to deploy produces a hard browser warning on the expiry date — this checker shows the exact "not after" timestamp so you can renew ahead of it. Name mismatch: the certificate must list the exact host being visited in its Subject Alternative Name (SAN) list — a cert for example.com does not automatically cover www.example.com or api.example.com unless those names are on the SAN list. Reviewing the full SAN list here is how you confirm coverage before users hit the error.

Read from CT logs, not a live handshake

Rather than open a connection to the host, this tool reads the most recent certificate from public Certificate Transparency logs (Cert Spotter, with crt.sh as a fallback) via our server — the same append-only logs every CA is required to publish to. That makes the lookup work even for hosts you can't reach directly, and it doubles as a way to audit what's been issued for a domain. The one caveat to know: CT shows the latest issued certificate, which is normally what's being served but can differ if a newer cert hasn't been deployed yet. Nothing you enter is stored. To inspect the security headers a site sends, use the HTTP header checker.

Frequently asked questions

What does this SSL checker show?
The most recent, currently-valid TLS certificate for the host — its issuer, the validity window, days until expiry, and the domains it covers (SAN list).
Where does the certificate data come from?
From public Certificate Transparency logs — primarily SSLMate’s Cert Spotter, with crt.sh as a fallback. Every publicly-trusted certificate is logged there, so we can show issuer and validity without needing to open a live connection from your browser.
Will it tell me if my certificate is about to expire?
Yes. We show the expiry date and the number of days left, so you can renew before it lapses.
Does it check the full certificate chain?
It reports the leaf certificate’s details from CT logs. For a live handshake test of the full chain and protocols, a server-side scanner that connects directly is the better tool.
Is my lookup stored?
No. The host is sent to our server, which queries the public CT logs and returns the result. Nothing is saved.