SSL / TLS Checker
Inspect a site’s TLS certificate — validity, expiry, hostname match, chain trust, protocol version and key strength — with issues and fixes.
What this tool checks
- Validity window — is the certificate active now, and how many days until it expires?
- Hostname match — does the SAN/CN cover the domain (including wildcards)?
- Chain trust — is it signed by a publicly trusted CA, not self-signed?
- Protocol — TLS 1.2 or 1.3 (older versions are flagged).
- Key strength — RSA keys under 2048 bits are flagged.
Common problems and fixes
Certificate expiring soon
Renew now and confirm auto-renewal (ACME/Let’s Encrypt) actually runs — most outages are a renewal that silently failed. Monitoring for this is on the roadmap.
Incomplete chain
A leaf certificate without its intermediates is trusted by some clients but not others. Always install the full chain.
Hostname mismatch
The certificate must list the exact hostname in its SAN. A wildcard covers exactly one label (*.example.com covers www but not a.b.example.com).
Related tools
- HTTP Header Checker — HSTS and other security headers.
- DNS Lookup — including CAA (which CAs may issue for you).
Last reviewed: 2026-07-09.
Frequently asked questions
▸ ▾ What does the SSL checker verify?
Certificate validity and expiry, hostname match, chain trust, the supported TLS versions and the key strength — with fixes for anything failing.
▸ ▾ Why does my cert work in Chrome but fail elsewhere?
Usually an incomplete chain. Serve the full chain (your certificate plus the intermediates); stricter clients don't fetch missing intermediates the way desktop browsers sometimes do.