SSL Certificate Checker
Enter any domain to inspect its SSL certificate. See the issuer, expiry date, days remaining, certificate chain, protocol, and cipher strength - instantly.
What this tool checks
This free SSL checker connects to your domain over TLS, extracts the certificate, and inspects it for common issues. Here's what it reports:
Why SSL certificates expire
SSL/TLS certificates have a maximum validity period - currently 397 days for publicly trusted certificates. When a certificate expires, browsers show a security warning and most users leave immediately. Auto-renewal services like Let's Encrypt reduce this risk, but they fail silently more often than expected - expired payment methods, DNS validation failures, and misconfigured renewal hooks all cause certificates to lapse without warning.
Manual checks vs. continuous monitoring
This tool gives you a point-in-time snapshot of your certificate's health. For production services, you need continuous monitoring that checks automatically and alerts your team days or weeks before expiry. Vantaj monitors your SSL certificates 24/7 and sends alerts at 90, 60, 30, 7, and 1 day before expiry - so renewals never slip through the cracks.
Frequently asked questions
How does this SSL checker work?
Can I check certificates on non-standard ports?
What does "chain invalid" mean?
How often should I check my SSL certificates?
Is this tool free?
What does this SSL checker look for?
The checker runs five verifications every time you scan a domain:
- ✓Certificate present - confirms the server returned a valid TLS certificate during the handshake.
- ✓Chain complete - checks that every intermediate certificate between your server cert and a trusted root CA is present and correctly ordered.
- ✓Expiry date - shows exact expiry and days remaining so you can act before browsers show "Your connection is not private."
- ✓Hostname match - verifies the certificate's Subject Alternative Names (SANs) include the domain you checked. A mismatch triggers an immediate browser error.
- ✓Protocol and cipher - identifies the TLS version (TLS 1.2 or 1.3) and cipher suite. TLS 1.0 and 1.1 are deprecated; browsers reject them.
What is a certificate chain - and why does it matter?
A certificate chain links your server certificate back to a root Certificate Authority (CA) that browsers trust by default. The chain typically has three levels:
- 1. Root CA - a self-signed certificate pre-installed in every browser and OS. You never deploy this yourself.
- 2. Intermediate CA - issued by the root, used to sign your server certificate. Most CAs use one or two intermediates to keep the root offline.
- 3. Server certificate - the cert tied to your domain, issued by the intermediate CA.
If your server does not send the intermediate certificates alongside the server cert, some clients (older mobile browsers, curl, monitoring tools) cannot complete the chain and will reject the connection - even though the cert itself is valid. This is the most common SSL misconfiguration in production.
DV, OV, and EV certificates - what is the difference?
| Type | Validation | Issuance time | Best for |
|---|---|---|---|
| DV (Domain Validated) | Proves domain ownership only (DNS or file challenge) | Minutes | Personal sites, APIs, dev environments |
| OV (Organization Validated) | Verifies the legal organization behind the domain | 1–3 days | Business websites, SaaS products |
| EV (Extended Validation) | Full legal and operational vetting of the organization | 1–2 weeks | Banks, e-commerce, high-trust applications |
All three provide the same encryption strength. The difference is identity assurance - how much the CA verified about who operates the domain. Let's Encrypt issues DV certificates automatically; OV and EV require manual document review.
Why do SSL certificates expire?
Certificate lifetimes exist to limit the window during which a compromised private key can be exploited. If certificates never expired, a stolen key from a breach years ago would remain valid indefinitely.
The industry has progressively shortened maximum lifetimes: from 5 years (pre-2015) to 2 years (2018) to 1 year (2020). Apple, Google, and Mozilla now enforce a 47-day maximum in their browsers starting 2026, and further reductions to 10 days are under active discussion.
For production services, manual renewal is no longer realistic at these timescales. Automated renewal via ACME (Let's Encrypt, ZeroSSL) or a certificate manager (AWS ACM, Cloudflare) is the current standard. Vantaj monitors your certificate expiry and alerts you 90, 30, 7, and 1 day before it expires as a safety net on top of automation.
How to fix common SSL certificate errors
ERR_CERT_DATE_INVALID - certificate expired
Renew the certificate through your CA or certificate manager. If auto-renewal is configured, check that the renewal job ran and that the new cert was deployed. The most common cause of "auto-renewal" failures is the ACME challenge failing due to a firewall rule or load balancer misconfiguration.
ERR_CERT_COMMON_NAME_INVALID - hostname mismatch
The certificate's SANs do not include the domain you are accessing. Either request a new certificate that covers the domain, or check that your server is serving the correct certificate for the hostname (common problem when one server hosts multiple domains).
ERR_CERT_AUTHORITY_INVALID - untrusted certificate
The certificate chain is incomplete or the root CA is not trusted. Check that your server sends all intermediate certificates. Use this checker - if the chain shows as invalid, download the intermediate from your CA's website and add it to your server configuration.
Mixed content warnings
The page loads over HTTPS but embeds resources (images, scripts, iframes) over HTTP. These are blocked in modern browsers. Search your codebase for hardcoded http:// URLs and replace them with protocol-relative // or https:// equivalents.