RevealTheme logo

SSL Certificate Checker

Look up the live TLS certificate a public domain presents on port 443 and see its issuer, subject, validity window, days until expiry, and listed hostnames.

How to use this tool

  1. 1

    Type a domain or URL into the input box, for example example.com or https://example.com.

  2. 2

    Click Analyze to open a TLS connection to that host on port 443 and fetch its certificate.

  3. 3

    Read the subject and issuer panels, then check the Valid from, Valid to, and Days remaining boxes.

  4. 4

    Scan the SAN line to confirm the certificate actually covers the hostname you queried.

How does checking an SSL certificate over port 443 work?

When a browser connects to an HTTPS site, the server completes a TLS handshake and presents an X.509 certificate that binds its public key to one or more hostnames, signed by a Certificate Authority. This tool reproduces the start of that handshake: it opens a TLS connection to the domain you enter on port 443, sends the hostname as the SNI (Server Name Indication) value so virtual-hosted servers return the right certificate, and reads the leaf certificate the server offers. From that certificate it extracts the subject (who the cert is issued to), the issuer (the signing CA), the not-before and not-after dates, and the subjectAltName (SAN) list of covered hostnames. Days remaining is computed by subtracting the current server time from the not-after date and flooring to whole days. Certificates are time-bound by design: Let's Encrypt issues 90-day certs meant for automated renewal, while many commercial CAs cap validity around 398 days. An expired or hostname-mismatched certificate makes browsers block the page with a full-screen warning, so watching the expiry date is the practical point of a check like this.

Common use cases

  • Confirm a newly issued or renewed certificate is actually live on the server before announcing a launch.

  • Catch a certificate that is within 30 days of expiry (the tool flags it in red) so you can renew before users hit warnings.

  • Verify the SAN list includes every subdomain you serve, such as www and api, after editing a multi-domain cert.

  • Check which Certificate Authority signed a third-party or vendor endpoint you depend on.

  • Spot-check that an automated renewal job (for example Let's Encrypt via certbot) actually swapped in the new certificate.

  • Read the exact valid-from and valid-to timestamps when debugging a clock-skew or not-yet-valid certificate error.

Frequently asked questions

Does this tool run in my browser or on the server?
On the server. The domain you enter is sent to our API, which opens the TLS connection to port 443 and returns the certificate details. It is not a client-side, in-browser check, so the hostname you look up does leave your machine.
Which hosts can I check?
Public, internet-reachable hostnames that serve TLS on port 443. Private, internal, or invalid hosts are rejected before any connection is made, and the tool only ever connects on port 443 — it cannot check services on other ports.
What does Days remaining mean and when does it turn red?
It is the floored number of whole days between now and the certificate's not-after date, based on server time. The box turns red once fewer than 30 days remain, signalling you should renew soon.
What is the SAN field?
The subjectAltName list — every hostname the certificate is valid for. Modern browsers validate against the SAN, not the legacy subject Common Name, so if the domain you queried is not in the SAN the certificate will be treated as a mismatch.
Why might a lookup fail or time out?
The connection has an 8-second timeout. Failures usually mean the host is unreachable, is not serving TLS on port 443, presented an invalid hostname, or was blocked as a private address. The error message from the connection is shown directly.
Does it validate the full certificate chain or revocation?
No. It reads and reports the leaf certificate the server presents but does not verify the trust chain to a root CA, check OCSP/CRL revocation, or test cipher suites. For a full audit use a dedicated service such as the SSL Labs server test.

Related tools