SSH Workbench

SSL Certificate Checker

Check the SSL/TLS certificate of any public domain — issuer, expiry, SANs, TLS version, and chain.

What is an SSL checker?

An SSL checker connects to a domain over HTTPS, performs a TLS handshake, and inspects the certificate the server presents. It reports who issued the certificate, when it expires, which hostnames it covers, the TLS version negotiated, and the full chain back to a trusted root. Use it for quick SSL tests, expiry monitoring, debugging chain issues, or verifying a freshly installed certificate before pointing production traffic at it.

SSL expiry check

The most common reason teams hit this page is to answer one question: when does my SSL certificate expire? The result above shows the exact validity end date and the days remaining, color-coded:

  • Green — more than 30 days until expiry. You're safe.
  • Yellow — 15 to 30 days. Schedule the renewal now; most ACME clients refresh in this window.
  • Red — 14 days or less (or already expired). Renew immediately to avoid browser warnings.

With CA/Browser Forum changes shortening certificate lifetimes, manual expiry tracking gets harder every year. For unattended alerts, see SSH Workbench monitoring further down.

What this SSL test checks

FieldWhat it means
SubjectThe primary domain the certificate identifies (Common Name).
IssuerThe Certificate Authority that signed it — Let's Encrypt, DigiCert, Sectigo, etc.
SAN listEvery hostname the certificate is valid for. Missing entries cause hostname mismatch errors.
Validity periodStart and end dates. Browsers reject certificates outside this window.
TLS versionThe negotiated protocol — TLS 1.3 (preferred), 1.2 (still fine), 1.1/1.0 (deprecated).
ChainLeaf → intermediate(s) → root. A broken chain is the #1 cause of "not trusted" errors.
FingerprintSHA-256 hash of the certificate. Useful for pinning and verifying a cert hasn't silently changed.

Common SSL/TLS ports

PortService
443HTTPS (default — change the port field above for others)
465SMTPS (mail submission over TLS)
993IMAPS
995POP3S
8443Common alt HTTPS (Tomcat, control panels)

Frequently Asked Questions

What is an SSL certificate?
An SSL certificate (now technically a TLS certificate) is a digital document that binds a public key to a domain name and is signed by a Certificate Authority. When a browser connects to https://yoursite.com, the server presents this certificate; the browser verifies the signature chains back to a trusted root and that the domain in the certificate matches the URL bar. If both checks pass, the session is encrypted and the padlock appears.
How do I check if an SSL certificate is valid?
Paste the domain above and click Check SSL. A certificate is valid if: (1) today's date is between the Valid From and Valid To dates, (2) the domain you typed appears in the SAN list, (3) the issuer chains back to a trusted root CA, and (4) the certificate hasn't been revoked. This checker confirms (1), (2), and (3). For revocation status, OCSP stapling in your browser handles (4) at connection time.
How do I check SSL certificate expiry from the command line?
Use openssl: echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates. That returns the notBefore and notAfter dates. For a one-line days-remaining check on Linux: openssl s_client -connect example.com:443 -servername example.com 2>/dev/null </dev/null | openssl x509 -noout -enddate. This page does the same handshake server-side so you don't need a terminal.
What's the difference between SSL and TLS?
SSL (Secure Sockets Layer) is the original protocol from the 1990s; TLS (Transport Layer Security) is its successor. All versions of SSL — 2.0 and 3.0 — are deprecated and insecure. Modern HTTPS uses TLS 1.2 or TLS 1.3. The term &quot;SSL certificate&quot; stuck around for marketing reasons, but every certificate issued today is really a TLS certificate. The TLS Version field above shows what your server actually negotiated.
Why does my SSL certificate show as not trusted?
The most common causes are: (1) the certificate is self-signed and not in any browser's root store; (2) the intermediate certificate is missing from the chain — install the CA-provided bundle, not just the leaf; (3) the certificate has expired; (4) the hostname doesn't match any SAN entry; (5) the certificate uses a weak signature algorithm (SHA-1) or comes from a CA that browsers have distrusted. The chain section above shows whether all intermediates are present.

Monitor SSL expiry automatically

Manual SSL checks only help if you remember to run them. SSH Workbench monitoring tracks certificate expiry on every host you manage and alerts you before things go red.

See monitoring →

Related Tools

Certificate Decoder

Decode X.509 PEM certificates. View subject, issuer, validity, SANs, key usage, and SHA fingerprints.

chmod Calculator

Visual chmod calculator. Toggle owner/group/other permissions, see octal (755) and symbolic (rwxr-xr-x) live.

Key Generator

Generate RSA, Ed25519, and ECDSA SSH keys securely in your browser.

Port Checker

Test if SSH port 22 is open on any server. Diagnose firewall and connection issues.

Config Generator

Generate ~/.ssh/config entries visually. Build config files with host aliases, jump hosts, and identity files.

Need to manage SSH connections?

SSH Workbench lets you connect, browse files, and manage servers visually.

Try SSH Workbench Free