SSL/TLS Certificate Checker
Free SSL certificate checker. Instantly check any domain's TLS certificate expiry date, issuer, Subject Alternative Names (SANs), certificate chain trust, and SHA-256 fingerprint. No login required.
Need long-term key management?
WRVault stores, rotates, and alerts you on JWT keys, mTLS certs, and more — with auto-rotation and Slack/Discord alerts.
About this tool
What does the SSL certificate checker do?
It connects live to your domain on port 443 (or a custom port), retrieves the full TLS certificate chain presented by the server, and reports the expiry date, issuer, Subject Alternative Names (SANs), public key algorithm, key size, signature algorithm, serial number, and SHA-256 / SHA-1 fingerprints for every certificate in the chain.
Does it work for expired or self-signed certificates?
Yes — the checker fetches the certificate regardless of its validity status. It uses a trust-all TLS context to retrieve the chain, then performs a second check against the standard public CA trust store to report whether the chain is publicly trusted.
Why is my certificate showing as untrusted?
The chain is not trusted by the public CA store. Common causes: self-signed certificate, private/internal CA, missing intermediate certificate (incomplete chain), or an expired root. Make sure your web server sends the full chain including any intermediate certificates.
Can I check non-HTTPS ports?
Yes — set the port field to any TLS-enabled port (e.g. 8443, 465, 993, 636). The tool performs a raw TLS handshake so it works for any TLS-secured service, not just HTTPS web servers.
How do I get notified before my SSL certificate expires?
WRVault can monitor your certificates and send you Slack, Discord, or email alerts before they expire. Sign up for a free account and add your domain to the certificate manager — you'll get alerts at 30, 14, and 7 days before expiry.