All tools
Free Tool

SSL Certificate Checker

Enter any domain to inspect its SSL certificate. See the issuer, expiry date, days remaining, certificate chain, protocol, and cipher strength - instantly.

What this tool checks

This free SSL checker connects to your domain over TLS, extracts the certificate, and inspects it for common issues. Here's what it reports:

Expiry date & days remaining
Certificate issuer (CA)
Certificate chain validity
Subject & SANs (covered domains)
TLS protocol version
Cipher suite & strength
SHA-256 fingerprint
Serial number

Why SSL certificates expire

SSL/TLS certificates have a maximum validity period - currently 397 days for publicly trusted certificates. When a certificate expires, browsers show a security warning and most users leave immediately. Auto-renewal services like Let's Encrypt reduce this risk, but they fail silently more often than expected - expired payment methods, DNS validation failures, and misconfigured renewal hooks all cause certificates to lapse without warning.

Manual checks vs. continuous monitoring

This tool gives you a point-in-time snapshot of your certificate's health. For production services, you need continuous monitoring that checks automatically and alerts your team days or weeks before expiry. Vantaj monitors your SSL certificates 24/7 and sends alerts at 90, 60, 30, 7, and 1 day before expiry - so renewals never slip through the cracks.

Frequently asked questions

How does this SSL checker work?
The tool connects to your domain over TLS (port 443 by default), performs a full handshake, and extracts certificate details from the server response - the same process a browser uses. No agents or server access required.
Can I check certificates on non-standard ports?
Yes. Enter the domain with a port number, for example api.example.com:8443, and the checker reads the certificate served on that port.
What does "chain invalid" mean?
A certificate chain connects your server certificate to a trusted root CA through one or more intermediates. A missing or expired intermediate causes browser security warnings even when your leaf certificate is valid. This is one of the most common SSL issues in production.
How often should I check my SSL certificates?
For a manual spot check, once a month is enough. For production services, automated monitoring that checks daily and alerts you before expiry is safer. Vantaj starts alerting 90 days before expiry.
Is this tool free?
Free, no account required. For continuous automated monitoring with expiry alerts, Vantaj's free plan covers up to 20 domains.

What does this SSL checker look for?

The checker runs five verifications every time you scan a domain:

  • Certificate present - confirms the server returned a valid TLS certificate during the handshake.
  • Chain complete - checks that every intermediate certificate between your server cert and a trusted root CA is present and correctly ordered.
  • Expiry date - shows exact expiry and days remaining so you can act before browsers show "Your connection is not private."
  • Hostname match - verifies the certificate's Subject Alternative Names (SANs) include the domain you checked. A mismatch triggers an immediate browser error.
  • Protocol and cipher - identifies the TLS version (TLS 1.2 or 1.3) and cipher suite. TLS 1.0 and 1.1 are deprecated; browsers reject them.

What is a certificate chain - and why does it matter?

A certificate chain links your server certificate back to a root Certificate Authority (CA) that browsers trust by default. The chain typically has three levels:

  1. 1. Root CA - a self-signed certificate pre-installed in every browser and OS. You never deploy this yourself.
  2. 2. Intermediate CA - issued by the root, used to sign your server certificate. Most CAs use one or two intermediates to keep the root offline.
  3. 3. Server certificate - the cert tied to your domain, issued by the intermediate CA.

If your server does not send the intermediate certificates alongside the server cert, some clients (older mobile browsers, curl, monitoring tools) cannot complete the chain and will reject the connection - even though the cert itself is valid. This is the most common SSL misconfiguration in production.

DV, OV, and EV certificates - what is the difference?

TypeValidationIssuance timeBest for
DV (Domain Validated)Proves domain ownership only (DNS or file challenge)MinutesPersonal sites, APIs, dev environments
OV (Organization Validated)Verifies the legal organization behind the domain1–3 daysBusiness websites, SaaS products
EV (Extended Validation)Full legal and operational vetting of the organization1–2 weeksBanks, e-commerce, high-trust applications

All three provide the same encryption strength. The difference is identity assurance - how much the CA verified about who operates the domain. Let's Encrypt issues DV certificates automatically; OV and EV require manual document review.

Why do SSL certificates expire?

Certificate lifetimes exist to limit the window during which a compromised private key can be exploited. If certificates never expired, a stolen key from a breach years ago would remain valid indefinitely.

The industry has progressively shortened maximum lifetimes: from 5 years (pre-2015) to 2 years (2018) to 1 year (2020). Apple, Google, and Mozilla now enforce a 47-day maximum in their browsers starting 2026, and further reductions to 10 days are under active discussion.

For production services, manual renewal is no longer realistic at these timescales. Automated renewal via ACME (Let's Encrypt, ZeroSSL) or a certificate manager (AWS ACM, Cloudflare) is the current standard. Vantaj monitors your certificate expiry and alerts you 90, 30, 7, and 1 day before it expires as a safety net on top of automation.

How to fix common SSL certificate errors

ERR_CERT_DATE_INVALID - certificate expired

Renew the certificate through your CA or certificate manager. If auto-renewal is configured, check that the renewal job ran and that the new cert was deployed. The most common cause of "auto-renewal" failures is the ACME challenge failing due to a firewall rule or load balancer misconfiguration.

ERR_CERT_COMMON_NAME_INVALID - hostname mismatch

The certificate's SANs do not include the domain you are accessing. Either request a new certificate that covers the domain, or check that your server is serving the correct certificate for the hostname (common problem when one server hosts multiple domains).

ERR_CERT_AUTHORITY_INVALID - untrusted certificate

The certificate chain is incomplete or the root CA is not trusted. Check that your server sends all intermediate certificates. Use this checker - if the chain shows as invalid, download the intermediate from your CA's website and add it to your server configuration.

Mixed content warnings

The page loads over HTTPS but embeds resources (images, scripts, iframes) over HTTP. These are blocked in modern browsers. Search your codebase for hardcoded http:// URLs and replace them with protocol-relative // or https:// equivalents.