esc

SSL Certificate Checker

Check HTTPS certificate expiry, hostname match, trusted chain, TLS version, cipher suite, SAN entries, OCSP stapling, and issuer details for any host.

Examples github.com cloudflare.com badssl.com
Certificate Valid Trusted chain TLS 1.3
cloudflare.com
Issued by Google Trust Services · WE1 · ECDSA · P-256
Issued
2026-07-08
Expires
2026-10-06
Days left
87 days
87 days to expiry
IssuedJul 8 ExpiresOct 6
Subject
Common name cloudflare.com
Alt names 5 SAN entries
Organization — (DV certificate)
Serial 5B:B0:F0:AA:84:C8:FE:CE:0E:72:D8:05:BA:7A:5D:2B
Signature SHA-256 with ECDSA
Issuer
Issuer Google Trust Services
Issuing CA WE1
Issued 2026-07-08
Expires 2026-10-06
Until expiry 87 days left
Connection
Protocol TLS 1.3
Cipher TLS_AES_256_GCM_SHA384
Key ECDSA · P-256
Key exchange
OCSP stapling Off
Security checks
4 / 5 pass
Hostname matches certificate Pass
Chain of trust complete Pass
Not expired Pass
Strong signature (SHA-256 with ECDSA) Pass
OCSP stapling enabled Warn
Subject Alternative Names
5 hosts
cloudflare.com ns.cloudflare.com *.ns.cloudflare.com *.secondary.cloudflare.com secondary.cloudflare.com
Chain of trust
3 certificates
Leaf · end-entity cloudflare.com Issued by WE1 · valid 2026-07-08 → 2026-10-06
Intermediate WE1 Issued by GTS Root R4 · valid 2023-12-13 → 2029-02-20
Intermediate GTS Root R4 Issued by GlobalSign Root CA · valid 2023-11-15 → 2028-01-28
Certificate details (PEM)
-----BEGIN CERTIFICATE-----
MIID0TCCA3igAwIBAgIQW7DwqoTI/s4OctgFunpdKzAKBggqhkjOPQQDAjA7MQsw
CQYDVQQGEwJVUzEeMBwGA1UEChMVR29vZ2xlIFRydXN0IFNlcnZpY2VzMQwwCgYD
VQQDEwNXRTEwHhcNMjYwNzA4MjE0NzM5WhcNMjYxMDA2MjI0NzI3WjAZMRcwFQYD
VQQDEw5jbG91ZGZsYXJlLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNDs
LiTwXD8kBejjJ84lHC2pA/dk9KmXCEvGw3h8Q+7k8VsHg+RTC59ZKvGB64Sxa/VY
QKmErVJnaVKGW/ZmtpyjggJ+MIICejAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAww
CgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUacXlKENrJNyJKrq/
tuW/cwIbht8wHwYDVR0jBBgwFoAUkHeSNWfE/6jMqeZ72YB5e8yT+TgwNQYIKwYB
BQUHAQEEKTAnMCUGCCsGAQUFBzAChhlodHRwOi8vaS5wa2kuZ29vZy93ZTEuY3J0
MHcGA1UdEQRwMG6CDmNsb3VkZmxhcmUuY29tghFucy5jbG91ZGZsYXJlLmNvbYIT
Ki5ucy5jbG91ZGZsYXJlLmNvbYIaKi5zZWNvbmRhcnkuY2xvdWRmbGFyZS5jb22C
GHNlY29uZGFyeS5jbG91ZGZsYXJlLmNvbTATBgNVHSAEDDAKMAgGBmeBDAECATA2
BgNVHR8ELzAtMCugKaAnhiVodHRwOi8vYy5wa2kuZ29vZy93ZTEvZ3hJQnY2QjJo
WXcuY3JsMIIBBgYKKwYBBAHWeQIEAgSB9wSB9ADyAHcA2AlVO5RPev/IFhlvlE+F
q7D4/F6HVSYPFdEucrtFSxQAAAGfQ+pcGAAABAMASDBGAiEAmWXvLSMhlxmi1S+K
4kRMCdLEX+wGBAbdVV32dnt5a6sCIQD6pKaA18jr06ffv31tpjCDisobc6KEE61J
wvVxvqwLegB3AJROQ4f67MHvgfMZJCaoGGUBx9NfOAIBP3JnfVU3LhnYAAABn0Pq
W+oAAAQDAEgwRgIhALnZFhafFrXB4xJaLIy3mygxmpU7RRsZ6OFFtczrFM75AiEA
+8DfUCZ9uOzHPcJ/wEeuBbTnezletxwXYeeR1puJ1PowCgYIKoZIzj0EAwIDRwAw
RAIgemJR8aLVJo+E0p0FEfr5tr1cqlieMgJz99Z4kQ2qV/0CIDkILcHmaYKjAb/E
1SRXgGzSIHgL8yrIPq70NQh9H4iP
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICnzCCAiWgAwIBAgIQf/MZd5csIkp2FV0TttaF4zAKBggqhkjOPQQDAzBHMQsw
CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU
MBIGA1UEAxMLR1RTIFJvb3QgUjQwHhcNMjMxMjEzMDkwMDAwWhcNMjkwMjIwMTQw
MDAwWjA7MQswCQYDVQQGEwJVUzEeMBwGA1UEChMVR29vZ2xlIFRydXN0IFNlcnZp
Y2VzMQwwCgYDVQQDEwNXRTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARvzTr+
Z1dHTCEDhUDCR127WEcPQMFcF4XGGTfn1XzthkubgdnXGhOlCgP4mMTG6J7/EFmP
LCaY9eYmJbsPAvpWo4H+MIH7MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggr
BgEFBQcDAQYIKwYBBQUHAwIwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU
kHeSNWfE/6jMqeZ72YB5e8yT+TgwHwYDVR0jBBgwFoAUgEzW63T/STaj1dj8tT7F
avCUHYwwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzAChhhodHRwOi8vaS5wa2ku
Z29vZy9yNC5jcnQwKwYDVR0fBCQwIjAgoB6gHIYaaHR0cDovL2MucGtpLmdvb2cv
ci9yNC5jcmwwEwYDVR0gBAwwCjAIBgZngQwBAgEwCgYIKoZIzj0EAwMDaAAwZQIx
AOcCq1HW90OVznX+0RGU1cxAQXomvtgM8zItPZCuFQ8jSBJSjz5keROv9aYsAm5V
sQIwJonMaAFi54mrfhfoFNZEfuNMSQ6/bIBiNLiyoX46FohQvKeIoJ99cx7sUkFN
7uJW
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDejCCAmKgAwIBAgIQf+UwvzMTQ77dghYQST2KGzANBgkqhkiG9w0BAQsFADBX
MQswCQYDVQQGEwJCRTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTEQMA4GA1UE
CxMHUm9vdCBDQTEbMBkGA1UEAxMSR2xvYmFsU2lnbiBSb290IENBMB4XDTIzMTEx
NTAzNDMyMVoXDTI4MDEyODAwMDA0MlowRzELMAkGA1UEBhMCVVMxIjAgBgNVBAoT
GUdvb2dsZSBUcnVzdCBTZXJ2aWNlcyBMTEMxFDASBgNVBAMTC0dUUyBSb290IFI0
MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE83Rzp2iLYK5DuDXFgTB7S0md+8Fhzube
Rr1r1WEYNa5A3XP3iZEwWus87oV8okB2O6nGuEfYKueSkWpz6bFyOZ8pn6KY019e
WIZlD6GEZQbR3IvJx3PIjGov5cSr0R2Ko4H/MIH8MA4GA1UdDwEB/wQEAwIBhjAd
BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAd
BgNVHQ4EFgQUgEzW63T/STaj1dj8tT7FavCUHYwwHwYDVR0jBBgwFoAUYHtmGkUN
l8qJUC99BM00qP/8/UswNgYIKwYBBQUHAQEEKjAoMCYGCCsGAQUFBzAChhpodHRw
Oi8vaS5wa2kuZ29vZy9nc3IxLmNydDAtBgNVHR8EJjAkMCKgIKAehhxodHRwOi8v
Yy5wa2kuZ29vZy9yL2dzcjEuY3JsMBMGA1UdIAQMMAowCAYGZ4EMAQIBMA0GCSqG
SIb3DQEBCwUAA4IBAQAYQrsPBtYDh5bjP2OBDwmkoWhIDDkic574y04tfzHpn+cJ
odI2D4SseesQ6bDrarZ7C30ddLibZatoKiws3UL9xnELz4ct92vID24FfVbiI1hY
+SW6FoVHkNeWIP0GCbaM4C6uVdF5dTUsMVs/ZbzNnIdCp5Gxmx5ejvEau8otR/Cs
kGN+hr/W5GvT1tMBjgWKZ1i4//emhA1JG1BbPzoLJQvyEotc03lXjTaCzv8mEbep
8RqZ7a2CPsgRbuvTPBwcOMBBmuFeU88+FSBX6+7iP0il8b4Z0QFqIwwMHfs/L6K1
vepuoxtGzi4CZ68zJpiq1UvSqTbFJjtbD4seiMHl
-----END CERTIFICATE-----
Guide

How to read an SSL certificate check

An SSL/TLS certificate proves that the HTTPS server is presenting a certificate for the hostname you entered and lets browsers encrypt the connection. This SSL certificate checker confirms whether the certificate matches the hostname, it is currently valid (issued in the past and not expired), and it chains to a trusted root in the system trust store.

The chain of trust walks from the leaf certificate for the domain, through one or more intermediate CA certificates, up to a self-signed root . A browser only trusts a site if every link in that certificate chain validates. Short-lived certificates, including many Let's Encrypt certificates, are normal. What matters is that ACME renewal happens before the SSL expiration date.

The connection details also show the negotiated TLS version, cipher suite , key exchange, signature algorithm, Subject Alternative Names, and whether the server stapled an OCSP response during the TLS handshake.

Use cases

Common SSL troubleshooting checks

Use this HTTPS certificate checker after changing DNS, moving a site behind a CDN, renewing a certificate, or debugging browser warnings. The most common issues are expired certificates, hostname mismatch errors, missing intermediate certificates, self-signed certificates, and services that do not answer TLS on port 443.

If a hostname mismatch appears, compare the host you entered with the certificate common name and SAN entries. If the certificate chain checker warns, reinstall the full chain from your certificate authority. If the certificate expiry checker shows a short renewal window, verify that your ACME client or hosting provider will renew before the date shown above.

FAQ

Frequently asked questions

What does this SSL certificate checker test?

This SSL certificate checker opens a TLS connection to the host on port 443, reads the certificate, checks the hostname match, validity dates, trusted chain, signature strength, TLS protocol, cipher suite, key exchange, SAN entries, and OCSP stapling.

How do I check SSL certificate expiration?

Enter the HTTPS hostname and review the Expires and Days left fields. The certificate expiry checker highlights short renewal windows so you can renew before browsers start showing certificate errors.

What causes a hostname mismatch?

A hostname mismatch happens when the certificate common name or Subject Alternative Names do not cover the host you entered. It often appears after pointing DNS to a new service without issuing a matching certificate.

Why does the certificate chain matter?

Browsers trust a certificate only when the leaf certificate chains through the required intermediate certificates to a trusted root CA. A missing intermediate certificate can break HTTPS even when the leaf certificate is not expired.

Can I inspect the TLS version and cipher suite?

Yes. The connection section reports the negotiated TLS version, cipher suite, key type, key exchange, and whether the server stapled an OCSP response during the handshake.

Does this tool validate DNS or HTTP security headers?

No. This page focuses on the TLS certificate and HTTPS handshake. Use DNS lookup to check records and a dedicated security headers checker when that tool is available.