SSL / TLS Certificate Checker

What This Tool Shows

Type in a domain and the checker returns the most recent valid certificate issued for that name. You will see the certificate authority that signed it, the day it was issued, and the day it expires. You also get the number of days remaining, the certificate’s total lifetime, and every Subject Alternative Name (SAN) it covers. The tool queries Certificate Transparency (CT) logs through crt.sh. That means it reflects every certificate ever issued for the domain by any publicly trusted authority. It is not limited to the one currently being served.

Why Certificate Transparency Matters

Every publicly trusted certificate authority must publish each certificate it issues to a public, append-only log. Browser root programs require it, and browsers reject certificates that are not logged. This system, called Certificate Transparency, exists so that domain owners can detect mis-issuance. One example is a CA accidentally signing a certificate for your domain on behalf of someone else. Searching CT logs is the fastest way to confirm what is currently issued for a name. It is also a reliable signal for whether a domain has any certificate coverage at all. Lookups are free and require no privileged access.

Reading the Results

• Status reflects how many days remain. Anything under 30 days deserves attention. Under 7 days is critical for production traffic.
• Issuer is the certificate authority. Common values are Let’s Encrypt, DigiCert, Sectigo, Google Trust Services, ZeroSSL, and GoDaddy. The issuer name often includes the country, organization, and common name of the signing intermediate.
• Subject Alternative Names list every domain the certificate is valid for. Modern Let’s Encrypt certificates often cover both the apex (example.com) and the www subdomain. Wildcard certificates show as *.example.com.
• Valid From / Valid Until and Lifetime are the certificate’s notBefore and notAfter timestamps, plus the span between them. The maximum lifetime is now capped at 200 days, in effect since March 2026. That cap drops to 100 days in 2027 and 47 days in 2029.
• Serial Number uniquely identifies the certificate within the issuing CA.

Certificate Lifetimes Are Shrinking

The CA/Browser Forum has set a schedule to cut maximum certificate lifetimes sharply. The goal is to push the whole web toward automated renewal. The cap fell to 200 days on March 15, 2026. It drops to 100 days on March 15, 2027, then to 47 days on March 15, 2029. Providers like Let’s Encrypt already issue 90-day certificates by default. If you still renew certificates by hand, now is the time to automate. The Lifetime row in the results shows how long the current certificate was issued for.

Limitations to Know About

This tool searches the public CT log database. It tells you what has been issued, not necessarily what the server is currently presenting. In almost every case those match. In edge cases a server may serve an older cert from cache, a self-signed cert, or a private CA cert. Self-signed and private CA certificates are never logged, so they will not appear here. For a true live handshake grade, run the domain through SSL Labs. It checks cipher suites, protocol support, and chain trust. If a brand-new certificate does not show up here, give the CT logs a few minutes to propagate.

Common Use Cases

Use this checker to monitor expiry on production hostnames. Confirm that a renewed cert went out before the old one lapsed. Audit which CAs have issued certs for your domain. Find unexpected SANs that might indicate a misconfiguration. Verify that a wildcard certificate is the one being served. It pairs well with our DNS Record Checker for confirming that the host you are inspecting points where you think. It also pairs with the SPF, DKIM, and DMARC Checker for the email side of the same domain.

Frequently Asked Questions

Related Tools & Resources

Explore more free networking tools. Run a DNS lookup or perform a WHOIS lookup. You can also check email authentication with our SPF, DKIM, and DMARC Checker.