Free Tool

SSL Certificate Checker

Instantly check any website's SSL certificate. See expiration dates, issuer details, TLS version, and more. Free, no signup required.

What You Get

Here's an example of the SSL certificate details this tool reveals. Try it above with any domain.

A

SSL Certificate Valid

example.com — Expires in 82 days

Subject*.example.com
IssuerLet's Encrypt R3
TLS ProtocolTLSv1.3
Key Size2048 bits
Valid FromJan 15, 2026
Valid UntilApr 15, 2026
Browser TrustedYes
HSTS EnabledYes

The SSL grade is calculated from your TLS protocol version, key strength, and certificate validity. A grade of A means the site uses TLS 1.3 with a strong key and the certificate is not close to expiring. Lower grades indicate outdated protocols like TLS 1.0 or 1.1, weak key sizes, or certificates nearing expiration.

The checker also verifies whether the certificate is trusted by browsers, confirms the domain name matches the certificate subject, and inspects the full certificate chain from the server certificate through intermediates to the root CA. HSTS (HTTP Strict Transport Security) is checked to ensure browsers are forced to use HTTPS, preventing downgrade attacks.

How It Works

1

Enter Domain

Type any domain name or URL. We'll extract the hostname automatically.

2

We Check the Certificate

Our server connects via TLS and retrieves the full SSL certificate chain.

3

See the Results

View certificate validity, issuer, expiration, TLS protocol, and fingerprint instantly.

SSL & TLS Glossary

Plain-language definitions of the terms that show up in any SSL check result.

TLS vs SSL

SSL is the original protocol; it was renamed to TLS at version 3.1 (which became TLS 1.0). Everyone still says SSL, but every modern certificate is technically a TLS certificate. TLS 1.2 and 1.3 are the only versions you should use today.

DV, OV, EV

Domain Validated proves you control the domain (Let's Encrypt is DV). Organization Validated additionally verifies the legal entity. Extended Validation requires the strictest vetting and used to show a green address bar — modern browsers no longer differentiate visually.

HSTS

HTTP Strict Transport Security tells browsers to refuse HTTP for your domain — even on the first visit if you are on the preload list. Eliminates downgrade attacks and the brief window before a redirect to HTTPS.

Certificate chain

Browsers only trust a small set of root CAs. Your leaf certificate is signed by an intermediate, which is signed by a root. The server must send leaf + intermediates so the browser can complete the chain to a trusted root.

Cipher suite

The combination of algorithms used for the connection — key exchange, authentication, bulk encryption, and MAC. TLS 1.3 simplified this to a small set of strong, modern suites; TLS 1.2 still has many legacy options to avoid.

Subject Alternative Name (SAN)

The list of hostnames a certificate is valid for. Modern browsers ignore the legacy Common Name field — only the SAN list matters. A wildcard SAN like *.example.com covers one level (api.example.com but not v1.api.example.com).

Common SSL Certificate Errors

The errors browsers actually throw, what causes them, and how to diagnose with the checker above.

NET::ERR_CERT_DATE_INVALID

Certificate expired or not yet valid

Either your certificate has passed its validTo date, or your machine's clock is wrong. Run the checker above to see the current expiration; if it is in the future, fix the system clock. If it has expired, renew immediately — browsers block the page.

NET::ERR_CERT_AUTHORITY_INVALID

Issuer is not trusted

The certificate is self-signed, issued by an internal CA, or by a CA the browser does not recognise. The chain check above will show whether the issuer is a public CA. For public sites, use Let's Encrypt or another trusted CA.

NET::ERR_CERT_COMMON_NAME_INVALID

Hostname does not match the certificate

The certificate was issued for a different domain than the one being visited. Check the Subject Alternative Names in the result above — your hostname must appear there (a wildcard like *.example.com only covers one level).

ERR_SSL_PROTOCOL_ERROR

TLS handshake failed

Usually a protocol or cipher mismatch — your server is offering only TLS 1.0/1.1 or weak ciphers the browser refuses. Upgrade to TLS 1.2 or 1.3 and disable legacy ciphers.

SEC_ERROR_UNKNOWN_ISSUER

Firefox: unknown issuer

Firefox's equivalent of authority invalid. Common cause: missing intermediate certificate. Make sure your server sends the full chain (leaf + intermediates), not just the leaf.

ERR_CERT_REVOKED

Certificate revoked by the CA

The CA marked this certificate as revoked, often after a key compromise. You must reissue. Until then the site will be blocked in modern browsers.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

No common protocol or cipher

Client and server cannot agree on a TLS version or cipher suite. Modern browsers no longer support TLS 1.0/1.1 or RC4, 3DES, and similar legacy ciphers — update your server's TLS configuration.

Frequently Asked Questions

This tool connects to any website and retrieves its SSL/TLS certificate details. It shows you the certificate validity, issuer, expiration date, days until expiry, TLS protocol version, and fingerprint — all in real time.

Yes, completely free with no signup required. Just enter a domain and check instantly. There are no daily limits.

An SSL (Secure Sockets Layer) certificate is a digital certificate that authenticates a website's identity and enables an encrypted connection. When you see the padlock icon in your browser, that means the site has a valid SSL certificate.

You should check your SSL certificate at least monthly, or whenever you make changes to your server configuration. For continuous monitoring, exit1.dev offers automated SSL monitoring that checks your certificates with every uptime check and alerts you before they expire.

This shows how many days remain before your SSL certificate expires. Most certificates are valid for 90 days (Let's Encrypt) or 1 year. You should renew before expiration to avoid browser security warnings that will scare away your visitors.

Common reasons include: the certificate has expired, the certificate was issued for a different domain, the certificate chain is incomplete, or the certificate was issued by an untrusted authority. Check the error message for specific details.

TLS 1.2 and TLS 1.3 are considered secure. TLS 1.0 and 1.1 are deprecated and should not be used. TLS 1.3 is the latest version and offers the best security and performance.

Yes! exit1.dev includes automatic SSL monitoring with every website you monitor. You'll get alerts before certificates expire — no manual checking needed. It's included free with all plans.

Learn More About SSL Certificates

Guides and best practices for managing SSL certificates and keeping your sites secure.

How to Check an SSL Certificate

Complete guide to verifying SSL certificates using browsers, command line, and online tools.

SSL Certificate Errors Explained

Every SSL error your browser can throw — what causes it and how to fix it fast.

Free SSL Certificate Monitoring

Set up automated SSL monitoring with alerts before your certificates expire.

SSL Expiration: The Other Deadline

Why SSL certificate expiry deserves the same attention as domain expiration.

Last updated · Built and maintained by exit1.dev — uptime, SSL, and domain monitoring with instant alerts.

Need Continuous SSL Monitoring?

Stop checking manually. exit1.dev monitors your SSL certificates automatically and alerts you before they expire. 10 free monitors. Unlimited with Nano.

Start Free Monitoring
Start Monitoring