SSL Certificate Checker
Inspect the SSL/TLS certificate chain, expiry date, key strength, and security configuration for any HTTPS-enabled website.
Checking…
Recently checked sites
Live samples of sites scanned through this tool. Click any to see its full report for that site.
What is an SSL/TLS certificate?
An SSL/TLS certificate enables encrypted HTTPS connections between a browser and a web server. It verifies the server's identity and ensures that data in transit cannot be intercepted or modified.
What TLS version should my site use?
TLS 1.3 is the current best practice — it is faster (1-RTT handshake vs 2-RTT for TLS 1.2) and uses only modern, secure cipher suites. TLS 1.2 is still acceptable. TLS 1.0 and 1.1 are deprecated and insecure.
What this tool checks
We probe the live TLS handshake and grade every field the browser sees: certificate validity (not-before / not-after windows), hostname match against the requested SAN, the issuing chain and whether all intermediate certificates are served, the negotiated cipher suite and forward-secrecy support, the agreed TLS protocol version (1.2 minimum / 1.3 preferred), the public-key algorithm and size (RSA 2048+, ECDSA P-256+), the signature algorithm (SHA-256+ required), OCSP stapling presence, and SAN coverage versus the registered domains. The whole probe runs from a real TLS client against the live socket — no relying on cached scan data — so the result reflects what a visitor's browser is seeing right now, including any difference between the apex and www-prefixed names. The chain depth and any cross-signing oddities are surfaced explicitly so an issue can be traced to the exact link in the trust path.
How we grade the result
Each axis maps to a discrete grade: pass (within current best-practice), warning (works today but at risk: expiring within 30 days, TLS 1.2 with no 1.3, RSA 2048 with no rotation plan, missing OCSP stapling), or critical (broken in current browsers: expired, hostname mismatch, self-signed in production, TLS 1.0 / 1.1 still enabled, MD5 / SHA-1 signature). The composite weighting favors immediate-impact failures over hygiene findings — an expired cert is worth more than a missing stapling response — but every axis is surfaced separately so you can see exactly what to fix. The grading rules are the same evaluator that drives the full BeaverCheck audit's security column, so the verdict here matches what the full audit would say for the same site.
Common findings on real sites
Across the public scan corpus four patterns dominate. First, expiring-soon certificates that nobody noticed: many sites get a cert renewed quarterly but lose visibility on the window between renewal and rotation — the auto-renewal cron didn't run, or it ran but didn't deploy. Second, missing intermediates: the leaf certificate is fine but the server only ships the leaf, so iOS / older Android / strict embedded clients fail to validate the chain even when desktop browsers succeed (which silently masks the bug). Third, TLS 1.0 / 1.1 still enabled — usually because the server config defaults to 'all available' and the SecOps team never explicitly disabled the legacy versions. Fourth, RSA-only key exchange (no ECDHE), which means no forward secrecy: a future private-key compromise would retroactively decrypt every captured session. A site that passes all four checks ranks in the top quartile of the corpus, which is a stronger signal than any single axis in isolation.
How to fix the most common issues
For free renewals at scale, certbot + Let's Encrypt + a cron entry (or systemd timer) covers most cases — most distros now ship a working --webroot or --nginx plugin. For server cipher configuration, use the Mozilla SSL Configuration Generator: pick 'Intermediate' (good default) or 'Modern' (TLS 1.3 only, drops some legacy clients), paste the output. For missing intermediates, your CA's portal exports a 'full chain' or 'fullchain.pem' file — serve THAT in your nginx ssl_certificate directive, not the leaf alone. To verify the chain after a fix: 'openssl s_client -connect host:443 -showcerts' and confirm every certificate in the chain is present. For OCSP stapling on nginx: ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /path/to/chain.pem; resolver 8.8.8.8 valid=300s;. To eliminate the http→https hop entirely, add HSTS with includeSubDomains and preload, then submit to the HSTS preload list.
Why TLS quality matters
TLS quality is the difference between 'encrypted in transit' and 'reliably authenticated'. An expired cert produces a full-page browser warning on every visit, which kills conversion. A weak cipher suite or TLS 1.0 leaves the connection open to passive eavesdropping on hostile networks (coffee-shop Wi-Fi, hotel networks, ISP-level surveillance). Missing forward secrecy (no ECDHE) means a future private-key leak retroactively decrypts every recorded session — a real attack pattern against organizations that rotate certs but never rotate keys. Missing OCSP stapling forces every client to fetch revocation status from the CA on first connection, adding latency and a third-party dependency. And Google's ranking signal explicitly favors HTTPS — sites with TLS issues get a softer rank than the same content on a clean cert. None of this requires expensive infrastructure: a Let's Encrypt cert, a modern cipher config, and HSTS get a site from average to top-quartile in an afternoon.
Frequently Asked Questions
Enter your website URL above. The tool will connect to your server, inspect the TLS certificate, and show the exact expiry date with a countdown. Certificates from Let's Encrypt expire every 90 days; commercial certificates typically last 1-2 years.
TLS 1.3 is the current best practice — it is faster (1-RTT handshake vs 2-RTT for TLS 1.2) and uses only modern, secure cipher suites. TLS 1.2 is still acceptable. TLS 1.0 and 1.1 are deprecated and insecure — all major browsers have removed support.
ECDSA P-256 is recommended for new certificates. It provides equivalent security to RSA 3072-bit with much smaller key sizes, resulting in faster TLS handshakes and smaller certificates. Most CAs (Let's Encrypt, DigiCert) support ECDSA.
Related free tools
Other instant single-purpose checks from the same audit engine. All free, no signup, results stay at a permanent URL.