Free tool · no signup

SSL checker

Live TLS handshake plus full certificate details. Issuer, expiry date, days remaining, hostname match, signature algorithm. One query, all the answers.

Live TLS handshake from an UptimePad monitoring probe · full peer cert · chain validation

What this tool actually tells you

A one-shot SSL check tells you whether the certificate is valid right now and how many days are left before expiry. Useful for confirming a renewal landed or diagnosing a sudden TLS warning. To know your cert will not silently expire on a Sunday, you need continuous monitoring with multi-step expiry alerts at 30, 14, 7, and 1 day. UptimePad runs both: this tool (free, anonymous) and continuous SSL monitoring (free for 50 monitors).

| Question | One-shot check | Continuous monitoring |
|---|---|---|
| Is the cert valid right now? | Yes | Yes |
| Will it expire next month? | Yes (days remaining) | Yes - alerts at 30/14/7/1 day |
| Did the issuer just change unexpectedly? | No | Yes - issuer-change alert |
| Did the cert get reissued at 3am Sunday? | No | Yes (with timestamp) |
| Does the cert cover all my subdomains? | Yes (SAN list shown) | Yes - per-subdomain monitor |
| Did a deploy break the chain? | No | Yes - chain-validation diff |

The 3 ways SSL silently breaks production

  • Auto-renewal that did not auto-renew. Let's Encrypt certs are 90 days. The renewal cron breaks (disk full, DNS-01 timeout, certbot upgrade changed flags) and you do not notice until the cert expires on a Sunday and your visitors see NET::ERR_CERT_DATE_INVALID.
  • Origin cert vs CDN cert mismatch. Your CDN edge cert is fine, but the origin cert (between CDN and your server) silently expired. The CDN starts returning 525/526 errors and only some of your visitors are affected.
  • Subdomain added without re-issuing. Marketing creates blog.example.com, points it at the same server, but the cert covers only example.com. Browsers warn on the new subdomain. Discovered when sales asks why the prospects are bouncing.

When the tool says "valid" but visitors still get a warning

Two common cases. (1) The cert is valid for the apex but the visitor is on a subdomain not in the SAN list. Re-check using the exact hostname from the warning. (2) An old browser does not trust the issuer (most often a corporate machine that lost its CA bundle update). Run the check from the same network as the visitor, or look at the chain from the SAN list and verify each intermediate is still trusted in major browsers.

What to do next when the verdict is "expiring soon"

  1. Renew immediately. With Caddy or Let's Encrypt + certbot, run the renew command and watch the log.
  2. Verify the new cert was actually deployed by re-running this checker, not by trusting the renewal command.
  3. Confirm the chain matches on every fronting service: CDN, load balancer, origin server.
  4. Check CAA records - if you switched issuers, the old CAA may now block the new CA from issuing.
  5. Set up continuous SSL monitoring on every cert you serve. Free plan covers 50 hostnames; alerts at 30/14/7/1 day before expiry.

FAQ

Is this SSL checker free?

Yes. Anyone can check the SSL certificate of any public domain. No signup, no email, no rate-limit hassle for normal use. UptimePad runs the check; the same probe code is what watches certs for our paying customers.

How does it work?

When you submit a domain, an UptimePad probe server opens a real TLS connection to it on port 443 (or whatever port you specify), completes the handshake, and reads the peer certificate directly using Node's native TLS. We get the full chain, issuer, validity dates, SANs, signature algorithm, TLS protocol, and cipher in one round-trip. Same code path as continuous monitoring. Total wall time under 10 seconds.

What does each verdict mean?

  • "Certificate is valid" means the TLS handshake completed and the chain validated against trusted CAs.
  • "Expiring within 14 days" is your renewal warning - fix it now.
  • "Certificate expired" means visitors already see a browser security warning.
  • "Hostname does not match" means the cert is real but does not cover the hostname you typed.
  • "Cert is not trusted" means the chain does not validate against a trusted CA root.
  • "Self-signed certificate" means exactly that.
  • "TLS handshake failed" means the protocol is unsupported or the chain is malformed.
  • "Could not reach" means the server is offline or DNS is wrong.

Why does the tool show different days-remaining than I see in my browser?

Three usual reasons: (1) the cert was just renewed and our connection landed on a server that still has the old cert in memory - re-run in a minute; (2) your origin and your CDN are serving different certs (common when CDN-fronted sites have a separate origin cert), and our probe hit the origin while your browser sees the CDN; (3) the cert chain you are looking at in the browser is a different cert than what is presented over HTTPS to non-browser clients. Continuous monitoring catches all three patterns.

Why does the tool also report TLS protocol and cipher?

Both signal larger configuration problems. If you are still negotiating TLS 1.0 or 1.1, modern browsers will warn or refuse. Weak ciphers (RC4, 3DES, anything export-grade) are flagged by every reasonable security scan. The tool surfaces what was negotiated so you can audit your origin without running a separate handshake-debugger. Continuous monitoring lets you alert when protocol or cipher changes unexpectedly after a deploy.

Can I monitor SSL expiry continuously instead of one-shot?

Yes, and you should. A one-shot check is great for confirming a renewal landed. A continuous monitor is what catches the renewal that did not. UptimePad alerts at 30, 14, 7, and 1 day before expiry. Free plan covers 50 monitors with email alerts.

What is a hostname mismatch and how do I fix it?

A cert is bound to a specific common name (or list of subject alt names). If you point a new subdomain at a server whose cert does not list it, browsers throw NET::ERR_CERT_COMMON_NAME_INVALID. Fix: add the new hostname to your cert and re-issue. With Let's Encrypt this is automatic via certbot or Caddy; with paid CAs you re-CSR.

Does the tool check the full chain or just the leaf?

It checks the full chain. The TLS handshake itself fails if any intermediate is missing or untrusted, so a "valid" verdict means the chain is good. The cert details panel shows the leaf cert because that is what defines the validity dates and the hostname coverage; intermediates rotate independently and are usually fine.
