
SSL Certificate Checker

Inspect the live SSL/TLS certificate of any website: issuer, subject, validity period, days until expiry and all Subject Alternative Names.


What is an SSL certificate checker?

An SSL/TLS certificate is what enables the padlock and HTTPS in your browser. It proves a website's identity and encrypts traffic between the visitor and the server. An SSL checker connects to a hostname, reads the certificate the server presents, and reports the important details: who issued it, who it was issued to, when it is valid from and until, how many days remain before it expires, and which hostnames it covers.

This tool performs a live TLS handshake to the target host and inspects the real certificate currently in use (not a cached copy), so the results reflect exactly what visitors' browsers receive right now.

How to read the results

  • Subject: the primary hostname the certificate was issued for.
  • Issuer: the Certificate Authority that signed it (e.g. Let's Encrypt, DigiCert, Sectigo).
  • Valid from / Valid to: the certificate's validity window.
  • Days left: how long until expiry; a green badge means healthy, amber means renew soon, red means expired.
  • SAN entries: the Subject Alternative Names, i.e. every hostname the certificate is valid for.
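
The same fields can be read with Python's standard `ssl` module. This is an added example, not the tool's own code; the sample certificate, its `.test` hostnames and the 30-day amber threshold are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_SOON_DAYS = 30  # assumed amber threshold; the page states no exact cut-off

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),)),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Apr  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "staging.example.test")),
}


def fetch_cert(host, port=443, timeout=5.0):
    """Live handshake. The default context verifies the chain, so an expired
    or untrusted certificate raises ssl.SSLCertVerificationError here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _attr(rdns, key):
    # subject/issuer are tuples of RDNs, each a tuple of (key, value) pairs
    return next((v for rdn in rdns for k, v in rdn if k == key), None)


def _utc(cert_time):
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def summarize(cert, now=None):
    """Reduce a getpeercert() dict to the fields the checker reports."""
    now = now or datetime.now(timezone.utc)
    not_after = _utc(cert["notAfter"])
    days_left = (not_after - now).days
    # red once the validity window has closed, amber inside the renewal window
    badge = ("red" if now >= not_after
             else "amber" if days_left <= RENEW_SOON_DAYS else "green")
    return {
        "subject": _attr(cert["subject"], "commonName"),
        "issuer": _attr(cert["issuer"], "organizationName"),
        "valid_from": _utc(cert["notBefore"]),
        "valid_to": not_after,
        "days_left": days_left,
        "badge": badge,
        "san": [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"],
    }
```

Calling `summarize(fetch_cert(host))` gives the live view for a host whose certificate still validates; `summarize(SAMPLE, now=...)` runs offline against the constructed sample.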

Why monitor SSL certificates?

Expired certificates are one of the most common and most visible website outages: browsers show a full-page security warning that scares away visitors and breaks APIs. Checking the days-remaining value lets you renew before that happens.

For reconnaissance, the SAN list is a goldmine. A single certificate often lists many hostnames, including internal or staging subdomains, which can expand your view of an organisation's attack surface. The issuer and validity dates also help verify that a site is using a trusted CA and a current certificate.

// Frequently asked questions

Does this check expired or invalid certificates too?

Yes. The tool inspects whatever certificate the server presents, including expired or misconfigured ones, and reports the expiry status.

What are SAN entries?

Subject Alternative Names are the list of hostnames a certificate is valid for. A single certificate frequently secures many domains and subdomains.

How early should I renew a certificate?

Renew before the days-left value reaches zero. Many teams renew at 30 days remaining; automated tools like Let's Encrypt renew at around 30 days by default.

Can I check internal or intranet hosts?

No. For safety the tool only connects to publicly resolvable hosts and blocks private or internal addresses.

Why does the issuer say Let's Encrypt?

Let's Encrypt is a free, automated Certificate Authority used by millions of sites. Seeing it simply means the site uses free automated certificates.
