SSL / TLS Certificate Checker

What This Tool Shows

Type in a domain and the checker returns the most recent valid certificate that has been issued for that name. You will see the certificate authority that signed it, the day it was issued, the day it expires, the number of days remaining, and every Subject Alternative Name (SAN) the certificate covers. The tool queries Certificate Transparency (CT) logs through crt.sh, which means it reflects every certificate ever issued for the domain by any publicly trusted authority — not just the one currently being served.

Why Certificate Transparency Matters

Every publicly trusted certificate authority is required by browser root programs to publish each certificate they issue to a public, append-only log. Browsers will reject certificates that are not logged. This system, called Certificate Transparency, exists so that domain owners can detect mis-issuance — for example, when a CA accidentally signs a cert for your domain on behalf of someone else. Searching CT logs is the fastest way to confirm what is currently issued for a name, and it is also a reliable signal for whether a domain has any certificate coverage at all. Lookups are free and require no privileged access.

Reading the Results

• Status reflects how many days remain. Anything under 30 days deserves attention; under 7 days is critical for production traffic.
• Issuer is the certificate authority. Common values are Let’s Encrypt, DigiCert, Sectigo, Google Trust Services, ZeroSSL, and GoDaddy. The issuer name often includes the country, organization, and common name of the signing intermediate.
• Subject Alternative Names list every domain the certificate is valid for. Modern Let’s Encrypt certificates often cover both the apex (example.com) and the www subdomain. Wildcard certificates show as *.example.com.
• Valid From / Valid Until are the certificate’s notBefore and notAfter timestamps. Most certs are now issued for 90 days or less.
• Serial Number uniquely identifies the certificate within the issuing CA.

Limitations to Know About

This tool searches the public CT log database. It tells you what has been issued, not necessarily what the server is currently presenting. In almost every case those match — but in edge cases a server may serve an older cert from cache, a self-signed cert (which is never logged), or an internally trusted private CA cert (also not logged). For a true live handshake check that grades cipher suites, protocol support, and chain trust, run the same domain through SSL Labs after using this tool. If a brand-new certificate does not show up here, give the CT logs a few minutes to propagate.

Common Use Cases

Use this checker to monitor expiry on production hostnames, confirm that a renewed cert went out before the old one lapsed, audit which CAs have issued certs for your domain, find unexpected SANs that might indicate a misconfiguration, and verify that a wildcard certificate is the one being served. It pairs well with our DNS Record Checker for confirming that the host you are inspecting actually points where you think, and with the SPF, DKIM, and DMARC Checker for the email side of the same domain.

Related Tools & Resources

Explore more free networking tools: run a DNS lookup, perform a WHOIS lookup, or check email authentication with our SPF, DKIM, and DMARC Checker.