SSL certificate checker
Inspect a site's TLS certificate: validity, expiry, issuer and chain.
What this check covers
This tool connects to port 443 and reads your site's TLS certificate. It reports whether the certificate is valid, how many days remain before it expires, which hostnames it covers, and which Certificate Authority issued it. An expired or misconfigured certificate means browsers will block visitors with a hard error screen before they ever see your site.
Common certificate problems
Expired— the certificate passed its expiry date. Renew immediately. Most modern hosting handles this automatically.
Hostname mismatch— the certificate does not cover the domain being checked. A common case: a certificate issued for www.example.com but the site also serves example.com without that name in the certificate. The fix is to reissue with both names in the Subject Alternative Name list.
Missing intermediate— the server is not sending the full certificate chain. Browsers that have cached the intermediate may connect fine; others will show an error. Fix by configuring the full chain in your web server.
Expiring soon— certificates under 30 days from expiry are flagged as a warning. Set up auto-renewal so this does not become an emergency.
Wildcards and Subject Alternative Names
A certificate can cover multiple hostnames using Subject Alternative Names. A wildcard like *.example.com covers any one-level subdomain but not the bare domain (example.com) or two levels deep (sub.api.example.com). Most certificates include the bare domain as an explicit SAN alongside the wildcard.
Who issues certificates
Let's Encryptis free and automated. Tools like Certbot renew certificates every 60–90 days without manual work. Most managed hosting platforms do this for you. There is no reason to pay for a standard domain validation certificate.
DigiCert, Sectigo, GlobalSign offer paid certificates including Organisation Validation (OV) and Extended Validation (EV) for companies that want to display a verified organization name.
AWS, Google, Cloudflare issue certificates automatically for services running on their platforms.
TLS and privacy
HTTPS encrypts the content of your requests, so your ISP can see that you connected to a domain but not what you looked at, searched for, or submitted. The domain itself is visible in DNS queries and in the TLS handshake unless DNS-over-HTTPS and Encrypted Client Hello are both in use. For complete privacy at the network level, a VPN encrypts all traffic before it leaves your device.