What does the SSL checker verify?

The SSL checker retrieves certificate data from crt.sh Certificate Transparency logs and shows the certificate's issuer, validity period, expiry date, subject alternative names (SANs), and how many days remain until expiration.

What happens when an SSL certificate expires?

When a certificate expires, browsers display a security warning preventing users from accessing the site. Search engines may delist the page. Email clients may reject mail from the domain. Renewal should happen at least 30 days before expiry.

What is a Certificate Transparency log?

Certificate Transparency is a system where all publicly trusted SSL certificates must be logged in public, auditable databases. This allows anyone to see every certificate issued for a domain and detect unauthorized certificates.

What are Subject Alternative Names in an SSL certificate?

Subject Alternative Names (SANs) are additional domain names covered by a single certificate. A SAN certificate for example.com might also cover www.example.com, mail.example.com, and api.example.com under one certificate.

All tools

SSL Certificate Checker

Is that certificate valid and when does it expire?

Check any domain's SSL/TLS certificate: expiry date, issuer, common name, and Subject Alternative Names. Useful before deployments and for monitoring.

Enter a domain to check its SSL certificate

Try your own domain or any website

What is an SSL certificate and why does it expire?

An SSL/TLS certificate does two things: it proves a site is who it says it is, and it encrypts the connection between your browser and the server. Without one, you'd see "Not Secure" in the address bar and any data you send could be intercepted.

Certificates expire because shorter validity periods force regular renewal and reduce the window for a compromised cert to cause damage. As of 2023, major CAs issue certs for a maximum of 398 days. Many organizations now use automation (Let's Encrypt + certbot or cert-manager) to renew every 60-90 days.

An expired cert doesn't mean the site is insecure, it just means the cert hasn't been renewed. Browsers still block you by default because they can't trust that the cert holder is still who they say they are.

Certificate Transparency (CT) logs

This tool queries crt.sh, which aggregates data from Certificate Transparency logs. CT is a public, append-only ledger of every SSL certificate ever issued. All major CAs are required to submit certs to these logs.

This means you can see all certs ever issued for a domain, including old ones. It's useful for security research and for spotting unexpected certificates (which could indicate a compromise).

Common questions

What are Subject Alternative Names?

SANs let a single certificate cover multiple domains or subdomains. A wildcard cert for *.example.com covers www, api, mail, etc. A cert with multiple SANs is called a multi-domain or SAN certificate.

What's the difference between DV, OV, and EV certificates?

DV (Domain Validated) just confirms you control the domain. OV (Organization Validated) also verifies your organization. EV (Extended Validation) goes further with a legal identity check. Most modern sites use DV via Let's Encrypt. EV used to show a green bar in browsers but that was removed in 2019.

Why does my cert show an issuer I don't recognize?

Certificate authorities use intermediate certificates rather than signing directly with their root. So your cert might show "Let's Encrypt R10" or "DigiCert SHA2 Secure Server CA" as the issuer even though the root CA is Let's Encrypt or DigiCert.