Crawlsonar

SSL / TLS Checker

Inspect a site’s TLS certificate — validity, expiry, hostname match, chain trust, protocol version and key strength — with issues and fixes.

What this tool checks

  • Validity window — is the certificate active now, and how many days until it expires?
  • Hostname match — does the SAN/CN cover the domain (including wildcards)?
  • Chain trust — is it signed by a publicly trusted CA, not self-signed?
  • Protocol — TLS 1.2 or 1.3 (older versions are flagged).
  • Key strength — RSA keys under 2048 bits are flagged.

Common problems and fixes

Certificate expiring soon

Renew now and confirm auto-renewal (ACME/Let’s Encrypt) actually runs — most outages are a renewal that silently failed. Monitoring for this is on the roadmap.

Incomplete chain

A leaf certificate without its intermediates is trusted by some clients but not others. Always install the full chain.

Hostname mismatch

The certificate must list the exact hostname in its SAN. A wildcard covers exactly one label (*.example.com covers www but not a.b.example.com).

Related tools

Last reviewed: 2026-07-09.

Frequently asked questions

What does the SSL checker verify?

Certificate validity and expiry, hostname match, chain trust, the supported TLS versions and the key strength — with fixes for anything failing.

Why does my cert work in Chrome but fail elsewhere?

Usually an incomplete chain. Serve the full chain (your certificate plus the intermediates); stricter clients don't fetch missing intermediates the way desktop browsers sometimes do.