Free SSL / TLS certificate checker and validator. Inspect the certificate chain, issuer, subject, expiry, Subject Alternative Names (SAN), protocol (TLS 1.2 / 1.3), and cipher for any HTTPS host. Use it to verify certificate installation, check days-to-expiry, debug chain issues, and confirm protocol/cipher support. Also a great companion to our SSL/TLS certificate expiry monitor.
This tool opens a real TLS connection to an HTTPS host from a London probe and reads back the certificate the server presents. It shows the subject, the issuer, the validity window with days remaining, the Subject Alternative Names (SAN) the certificate covers, and the negotiated protocol and cipher (for example TLS 1.3). Because it inspects the live handshake rather than a cached record, you see exactly what a browser or client would receive right now.
A certificate on its own is not enough: the server must also send the intermediate certificates that link it to a trusted root. A frequent cause of "works in my browser but fails elsewhere" is a missing intermediate, where the browser happened to have it cached but a stricter client did not. This tool walks the chain so you can confirm it is complete and correctly ordered.
The other classic failure is the name mismatch: the hostname you visit must appear in the certificate's SAN list, since the legacy Common Name field is no longer trusted on its own. And because certificates now have short lifetimes, tracking days-to-expiry matters. For hands-off coverage, pair this with our SSL/TLS certificate expiry monitor so a renewal never slips past its deadline.
Enter the hostname above and the tool reads the certificate's validity window directly from the live TLS handshake, showing the exact expiry date and how many days remain.
Usually the server is not sending the full chain of intermediate certificates. One browser had the intermediate cached while a stricter client did not, so it could not build a path to a trusted root. Installing the complete chain fixes it.
The Subject Alternative Name list holds every hostname a certificate is valid for. Modern clients only trust names in the SAN list, so if the hostname you visit is not listed, the connection is rejected as a name mismatch.
TLS 1.2 and TLS 1.3 are the current secure versions. Older protocols like TLS 1.0 and 1.1 are deprecated and should be disabled. This checker shows which version and cipher the server negotiated.