Free SSL Certificate Checker: How to Check Any SSL Certificate
Check any SSL certificate for free — expiry date, issuer, SANs, chain validity, and TLS version. No installation required.
Free SSL Certificate Checker: How to Check Any SSL Certificate
An SSL certificate checker connects to a website's server, retrieves the SSL/TLS certificate, and displays all its details — expiry date, issuer, coverage, and technical configuration. Use it to verify a certificate is installed correctly, confirm renewal worked, or audit a server's TLS security.
How to Check an SSL Certificate
Using ElasticDomain SSL Checker
- Go to Tools → SSL Decoder.
- Enter the domain name (e.g., example.com).
- Click Fetch Live Certificate.
- All certificate details are displayed instantly.
This makes a real TLS connection to port 443 — exactly what a browser does. What you see is exactly what visitors see.
What Gets Checked
| Field | What to Look For |
|---|---|
| Expiry date | Should be > 30 days from today |
| Issuer | Known CA (Let's Encrypt, DigiCert, Sectigo) |
| Subject Alternative Names | Must include every domain you serve |
| Chain valid | Must be Yes — broken chain causes browser errors |
| Key size | RSA 2048+ or ECDSA P-256 |
| Signature algorithm | SHA-256 (SHA-1 is deprecated) |
| TLS version | TLS 1.2 or 1.3 |
| HSTS | Should be present on production domains |
Common SSL Problems and What to Look For
Certificate expiring soon
Days remaining under 30 — renew now. Let's Encrypt certificates renew automatically at 30 days, but automation can fail silently. Check regularly.
Certificate doesn't cover your domain
Check the SANs list. If www.example.com is missing and you serve traffic on www, browsers show a certificate mismatch error.
Broken certificate chain
If chain valid shows No, your server isn't sending intermediate certificates. Install fullchain.pem instead of cert.pem in your web server configuration.
SHA-1 signature algorithm
Deprecated since 2017. Some older certificates still use SHA-1. Reissue the certificate to get SHA-256.
TLS 1.0 or 1.1 supported
Deprecated protocols. Disable in your server configuration. Only TLS 1.2 and TLS 1.3 should be enabled.
Checking Multiple Domains
For checking one domain, the SSL Decoder tool is fastest. For monitoring an entire portfolio automatically:
- Add domains to ElasticDomain.
- Every scan checks the SSL certificate.
- Set up SSL expiry alerts (30 days, 14 days, 7 days) to be notified before certificates expire.
The SSL monitoring cost is 1 credit per SSL check, included in every Full Domain Scan (250 credits) and Quick Scan (2 credits).
Checking Certificates You Have on File
If you have a certificate in PEM format (from your CA or certificate file), paste it into the SSL Decoder to inspect all fields without needing to deploy it to a server first. Useful for verifying a CSR was processed correctly before installation.
Automated SSL Monitoring vs One-Time Checks
One-time checks are useful for specific investigations. Automated monitoring is what prevents certificates from expiring unnoticed. Let's Encrypt has a 90-day certificate lifecycle with automatic renewal — but renewal can and does fail. Monitoring acts as the safety net.