Skip to content
Free tool ยท No account needed

SSL Certificate Checker

See when any site's certificate expires, who issued it, and which TLS version it speaks.

We connect to port 443 and read the live certificate. Nothing is cached, nothing is stored.

Understand your certificate

What does an SSL certificate actually do?

An SSL/TLS certificate does two jobs. First, it proves your website is really yours: a trusted certificate authority (like Let's Encrypt, DigiCert, or Sectigo) has verified you control the domain. Second, it enables encryption, so passwords, card numbers, and personal details travel between the browser and your server as unreadable ciphertext instead of plain text. That's what the padlock in the address bar means, and why every login page, checkout, and contact form should sit behind HTTPS.

Certificates deliberately expire. Modern certificates last a maximum of 398 days, and Let's Encrypt certificates last just 90, so a stolen or forgotten certificate can't be abused forever. The trade-off: renewal is now a routine task, and forgetting it takes your site down as effectively as a server crash.

Expiry, renewals, and why renewed certificates still fail

What happens when a certificate expires?

Browsers show a full-page warning ("Your connection is not private") and most visitors immediately leave. Search rankings suffer, API integrations start failing with TLS errors, and mobile apps that pin your certificate stop working. Payment providers may suspend webhooks. It's one of the most avoidable outages there is.

Why do renewed certificates still fail?

The most common cause: the certificate was renewed but the web server never reloaded, so it keeps serving the old one from memory. Other culprits are an incomplete certificate chain (missing intermediate), a certificate that doesn't cover the www subdomain, or a load balancer with its own stale copy. Always re-check from outside after renewing; this tool reads what the world actually sees.

When should I renew?

Renew at 30 days out, not the night before. That leaves time for DNS validation hiccups, rate limits, and the "renewed but not reloaded" problem to be caught. If you use automated renewal (certbot, Caddy, your host's built-in SSL), automation can silently break, which is exactly why monitoring the live certificate matters more, not less.

SSL checker FAQ

Is this SSL checker really free?

Yes. Checking any certificate is free and needs no account. A free WebWatch account adds continuous monitoring with expiry alerts at 30, 7, and 1 days for up to 10 sites.

What's the difference between SSL and TLS?

TLS is the modern protocol; SSL is its retired predecessor from the 1990s. Everyone still says "SSL certificate", but what your server actually speaks today is TLS 1.2 or TLS 1.3. This tool shows you which.

Which domains does one certificate cover?

Every certificate lists its covered hostnames (Subject Alternative Names). A certificate for example.com does not automatically cover www.example.com unless it's listed or the certificate is a wildcard (*.example.com). The "domains covered" count above comes straight from that list.

Do you store anything I check?

No. One-off checks read the certificate over a live connection, show you the result, and keep nothing.