esc

SSL Certificate Checker

Check HTTPS certificate expiry, hostname match, trusted chain, TLS version, cipher suite, SAN entries, OCSP stapling, and issuer details for any host.

Examples github.com cloudflare.com badssl.com
Certificate Valid Trusted chain TLS 1.2
badssl.com
Issued by Let's Encrypt · R13 · RSA · 2048-bit
Issued
2026-05-26
Expires
2026-08-24
Days left
44 days
44 days to expiry
IssuedMay 26 ExpiresAug 24
Subject
Common name *.badssl.com
Alt names 2 SAN entries
Organization — (DV certificate)
Serial 05:33:DC:28:B3:18:A1:E1:11:89:8D:F9:30:9A:FB:ED:36:33
Signature SHA-256 with RSA
Issuer
Issuer Let's Encrypt
Issuing CA R13
Issued 2026-05-26
Expires 2026-08-24
Until expiry 44 days left
Connection
Protocol TLS 1.2
Cipher TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Key RSA · 2048-bit
Key exchange prime256v1 (ECDHE)
OCSP stapling Off
Security checks
4 / 5 pass
Hostname matches certificate Pass
Chain of trust complete Pass
Not expired Pass
Strong signature (SHA-256 with RSA) Pass
OCSP stapling enabled Warn
Subject Alternative Names
2 hosts
*.badssl.com badssl.com
Chain of trust
3 certificates
Leaf · end-entity *.badssl.com Issued by R13 · valid 2026-05-26 → 2026-08-24
Intermediate R13 Issued by ISRG Root X1 · valid 2024-03-13 → 2027-03-12
Root · trust anchor ISRG Root X1 Self-signed · valid 2015-06-04 → 2035-06-04
Certificate details (PEM)
-----BEGIN CERTIFICATE-----
MIIE/jCCA+agAwIBAgISBTPcKLMYoeERiY35MJr77TYzMA0GCSqGSIb3DQEBCwUA
MDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQwwCgYDVQQD
EwNSMTMwHhcNMjYwNTI2MjAwMjUwWhcNMjYwODI0MjAwMjQ5WjAXMRUwEwYDVQQD
DAwqLmJhZHNzbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0
6KANZcLJSK/zv5hCw7U+8Q9+cPdhyiP5XSOZrctjsIu3s2M9abZ9zY3dhi9H9KXt
+be2V93qjxAAGWkAbfGXT+6S/xRCuwtTmWOD/4PsX2Near6jBz0g6c3ttItPGHy2
l2FUy0Hl5epWK836wSw58p9jeskm8zCuek/LJ/nXGhfnXMvW6rvxMjW72AEofZpA
rGzlCjb2b2EY5B6zL1CxB77Yu8pzP4gEbBH4Sp7iT6rVr2ZVipVEdwh0o2cg61MF
/ofMDKjZ7wHx+l/vU6lJlzXYY98LtS4+hw5kBsoulqRGyeIJks7M1+mrdl0xSwtg
xPiR1T/weGyuwJ0YE9G3AgMBAAGjggImMIICIjAOBgNVHQ8BAf8EBAMCBaAwEwYD
VR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUZfXhFxQb
7MDrEQ6ois5LEsv4t2swHwYDVR0jBBgwFoAU56ufDywzoFPTXk94yLKEDjvWkjMw
MwYIKwYBBQUHAQEEJzAlMCMGCCsGAQUFBzAChhdodHRwOi8vcjEzLmkubGVuY3Iu
b3JnLzAjBgNVHREEHDAaggwqLmJhZHNzbC5jb22CCmJhZHNzbC5jb20wEwYDVR0g
BAwwCjAIBgZngQwBAgEwLgYDVR0fBCcwJTAjoCGgH4YdaHR0cDovL3IxMy5jLmxl
bmNyLm9yZy81Mi5jcmwwggEMBgorBgEEAdZ5AgQCBIH9BIH6APgAdgDYCVU7lE96
/8gWGW+UT4WrsPj8XodVJg8V0S5yu0VLFAAAAZ5mF468AAAEAwBHMEUCID7FfrBs
57qfYRHjk9PXh4H8gI+2878ExKWwXR2+pj7iAiEArHIWJ6KuWeub9BkKEcI64K87
DwKPjgby0zhTZjsOEa0AfgAai51rD/6/gbR5OcbSMQqG1tEC1PBG4hgsneNfXiYl
7wAAAZ5mF4+8AAgAAAUAFztGcAQDAEcwRQIgJqlkzRV9qZZ8pRgtKIr4XHOMZsQt
QKthekK0LnFvSN0CIQDW3BRjOXRcjWLvhVRuhMknknygj5ok2kab4Hfrq6EHvzAN
BgkqhkiG9w0BAQsFAAOCAQEANIsCNUpmK3HyXz6TcaXx/G1H0n8so0JXm2ZaWSa9
RJMK/H4NsAcsftAMYF2SqaK3X7nayHT7wpL1/O9D+YMHLzUoLawlZe2dqvKWsm6S
vdV6cMTGmtQkz2EQjRy1u1trzt06YnUL83P4ATUYKh0VI6xT4WIhap0ZtJTaTNCi
AV2mF2UlDkSVNwemNDIhPjxPOpsCfe1vybwHLfE800WdlL0eMA6jMdrG26BcsvZy
TwvrjAg21ixi8rcgwj4d7/fVA3yE7/5S3c98ZNBimfeyEb1PMApMAYbOCQEICgyK
ftka8gzQRX3Hn906O3dXZkaDdo067k82BnIos22TmiTg7w==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFBTCCAu2gAwIBAgIQWgDyEtjUtIDzkkFX6imDBTANBgkqhkiG9w0BAQsFADBP
MQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFy
Y2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMTAeFw0yNDAzMTMwMDAwMDBa
Fw0yNzAzMTIyMzU5NTlaMDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBF
bmNyeXB0MQwwCgYDVQQDEwNSMTMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQClZ3CN0FaBZBUXYc25BtStGZCMJlA3mBZjklTb2cyEBZPs0+wIG6BgUUNI
fSvHSJaetC3ancgnO1ehn6vw1g7UDjDKb5ux0daknTI+WE41b0VYaHEX/D7YXYKg
L7JRbLAaXbhZzjVlyIuhrxA3/+OcXcJJFzT/jCuLjfC8cSyTDB0FxLrHzarJXnzR
yQH3nAP2/Apd9Np75tt2QnDr9E0i2gB3b9bJXxf92nUupVcM9upctuBzpWjPoXTi
dYJ+EJ/B9aLrAek4sQpEzNPCifVJNYIKNLMc6YjCR06CDgo28EdPivEpBHXazeGa
XP9enZiVuppD0EqiFwUBBDDTMrOPAgMBAAGjgfgwgfUwDgYDVR0PAQH/BAQDAgGG
MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATASBgNVHRMBAf8ECDAGAQH/
AgEAMB0GA1UdDgQWBBTnq58PLDOgU9NeT3jIsoQOO9aSMzAfBgNVHSMEGDAWgBR5
tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAKG
Fmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0gBAwwCjAIBgZngQwBAgEwJwYD
VR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVuY3Iub3JnLzANBgkqhkiG9w0B
AQsFAAOCAgEAUTdYUqEimzW7TbrOypLqCfL7VOwYf/Q79OH5cHLCZeggfQhDconl
k7Kgh8b0vi+/XuWu7CN8n/UPeg1vo3G+taXirrytthQinAHGwc/UdbOygJa9zuBc
VyqoH3CXTXDInT+8a+c3aEVMJ2St+pSn4ed+WkDp8ijsijvEyFwE47hulW0Ltzjg
9fOV5Pmrg/zxWbRuL+k0DBDHEJennCsAen7c35Pmx7jpmJ/HtgRhcnz0yjSBvyIw
6L1QIupkCv2SBODT/xDD3gfQQyKv6roV4G2EhfEyAsWpmojxjCUCGiyg97FvDtm/
NK2LSc9lybKxB73I2+P2G3CaWpvvpAiHCVu30jW8GCxKdfhsXtnIy2imskQqVZ2m
0Pmxobb28Tucr7xBK7CtwvPrb79os7u2XP3O5f9b/H66GNyRrglRXlrYjI1oGYL/
f4I1n/Sgusda6WvA6C190kxjU15Y12mHU4+BxyR9cx2hhGS9fAjMZKJss28qxvz6
Axu4CaDmRNZpK/pQrXF17yXCXkmEWgvSOEZy6Z9pcbLIVEGckV/iVeq0AOo2pkg9
p4QRIy0tK2diRENLSF2KysFwbY6B26BFeFs3v1sYVRhFW9nLkOrQVporCS0KyZmf
wVD89qSTlnctLcZnIavjKsKUu1nA1iU0yYMdYepKR7lWbnwhdx3ewok=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----
Guide

How to read an SSL certificate check

An SSL/TLS certificate proves that the HTTPS server is presenting a certificate for the hostname you entered and lets browsers encrypt the connection. This SSL certificate checker confirms whether the certificate matches the hostname, it is currently valid (issued in the past and not expired), and it chains to a trusted root in the system trust store.

The chain of trust walks from the leaf certificate for the domain, through one or more intermediate CA certificates, up to a self-signed root . A browser only trusts a site if every link in that certificate chain validates. Short-lived certificates, including many Let's Encrypt certificates, are normal. What matters is that ACME renewal happens before the SSL expiration date.

The connection details also show the negotiated TLS version, cipher suite , key exchange, signature algorithm, Subject Alternative Names, and whether the server stapled an OCSP response during the TLS handshake.

Use cases

Common SSL troubleshooting checks

Use this HTTPS certificate checker after changing DNS, moving a site behind a CDN, renewing a certificate, or debugging browser warnings. The most common issues are expired certificates, hostname mismatch errors, missing intermediate certificates, self-signed certificates, and services that do not answer TLS on port 443.

If a hostname mismatch appears, compare the host you entered with the certificate common name and SAN entries. If the certificate chain checker warns, reinstall the full chain from your certificate authority. If the certificate expiry checker shows a short renewal window, verify that your ACME client or hosting provider will renew before the date shown above.

FAQ

Frequently asked questions

What does this SSL certificate checker test?

This SSL certificate checker opens a TLS connection to the host on port 443, reads the certificate, checks the hostname match, validity dates, trusted chain, signature strength, TLS protocol, cipher suite, key exchange, SAN entries, and OCSP stapling.

How do I check SSL certificate expiration?

Enter the HTTPS hostname and review the Expires and Days left fields. The certificate expiry checker highlights short renewal windows so you can renew before browsers start showing certificate errors.

What causes a hostname mismatch?

A hostname mismatch happens when the certificate common name or Subject Alternative Names do not cover the host you entered. It often appears after pointing DNS to a new service without issuing a matching certificate.

Why does the certificate chain matter?

Browsers trust a certificate only when the leaf certificate chains through the required intermediate certificates to a trusted root CA. A missing intermediate certificate can break HTTPS even when the leaf certificate is not expired.

Can I inspect the TLS version and cipher suite?

Yes. The connection section reports the negotiated TLS version, cipher suite, key type, key exchange, and whether the server stapled an OCSP response during the handshake.

Does this tool validate DNS or HTTP security headers?

No. This page focuses on the TLS certificate and HTTPS handshake. Use DNS lookup to check records and a dedicated security headers checker when that tool is available.