Free SSL Certificate Checker
Check any website’s SSL/TLS certificate in seconds. This tool connects to the domain on port 443, retrieves the certificate, and analyzes its validity, expiration date, issuer, key strength, signature algorithm, and hostname match – then assigns an overall grade from A+ to F.
How to Use This Tool
- Enter a domain name – for example, example.com. You can paste a full URL and the tool will strip the protocol, path, and port automatically.
- Click “Check SSL” to initiate a connection to the domain’s HTTPS endpoint. The tool retrieves the certificate and parses its details using OpenSSL.
- Review the grade and details. The tool assigns a letter grade (A+ through F) based on multiple factors and displays a breakdown of each certificate property.
Understanding Your Results
The SSL grade reflects the overall health of the certificate. Here’s how each factor contributes:
| Factor | What’s Checked | Impact on Grade |
|---|---|---|
| Expiration | Whether the certificate is currently valid and how many days remain before expiry. | Expired = automatic F. Under 7 days = significant penalty. Under 30 days = minor penalty. |
| Hostname Match | Whether the domain you checked matches the certificate’s Common Name (CN) or Subject Alternative Names (SAN). Wildcard certificates (e.g., *.example.com) are evaluated correctly. | Mismatch = major penalty. Browsers show security warnings for mismatched certificates. |
| Self-Signed | Whether the certificate was signed by a trusted Certificate Authority (CA) or by the domain owner themselves. | Self-signed = large penalty. These certificates trigger browser warnings because no third party has verified the identity. |
| Key Strength | The size of the public key in bits. RSA 2048-bit is the current minimum standard. | Below 2,048 bits = penalty. Weak keys are theoretically vulnerable to factoring attacks. |
| Signature Algorithm | The hashing algorithm used to sign the certificate (SHA-256, SHA-384, etc.). | SHA-1 = significant penalty. SHA-1 has been considered insecure since 2017 and major browsers have deprecated it. |
Grade scale:
- A+ – Healthy certificate with strong key (2,048+ bits), modern signature (SHA-256+), trusted CA, correct hostname match, and more than 60 days until expiration.
- A – Solid configuration with no significant issues.
- B – Acceptable but with minor concerns (e.g., expiring within 30 days).
- C/D – Notable problems that should be addressed (weak key, nearing expiration).
- F – Expired certificate. The site is showing browser security warnings to every visitor.
The results also show the certificate issuer (the Certificate Authority that signed it, such as Let’s Encrypt, DigiCert, or Sectigo), the certificate chain (the sequence of certificates from the leaf up to the root CA), and the exact valid-from and valid-to dates.
Why This Matters
An SSL/TLS certificate does two things: it encrypts the connection between a visitor’s browser and the web server, and it verifies that the server is who it claims to be. When a certificate is expired, misconfigured, or using weak cryptography, both of those protections break down.
Browsers display prominent security warnings for certificate problems. Chrome shows a full-page “Your connection is not private” interstitial. Firefox blocks the connection entirely. These warnings destroy user trust and drive visitors away – Google research found that most users leave a site immediately when they see a certificate warning.
Common scenarios where this tool helps:
- Monitoring your own sites. Let’s Encrypt certificates expire every 90 days. If auto-renewal fails silently, your site goes down with a certificate error. Regular checks catch the problem before visitors do.
- Verifying after migration. After moving to a new server or CDN, confirm the SSL certificate covers the correct hostnames – including www and any subdomains.
- Evaluating third-party sites. Before entering credentials on an unfamiliar site, check whether the certificate is valid and issued by a reputable CA.
Frequently Asked Questions
What does “hostname mismatch” mean?
A hostname mismatch means the domain you checked isn’t listed in the certificate’s Subject Alternative Names (SAN) or Common Name (CN). This happens when a certificate was issued for example.com but you’re accessing www.example.com (or vice versa), when a CDN or load balancer is serving a certificate for a different domain, or when the certificate hasn’t been reissued after a domain name change. Browsers will show a security warning for hostname mismatches.
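The hostname and expiration checks from the table above can be reproduced offline. The following is an added example, not this tool's own code: it assumes a certificate dictionary in the format returned by Python's ssl.SSLSocket.getpeercert(), and the function names, finding labels, and sample certificates are constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

def name_matches(pattern, host):
    """Exact match, or '*' as the whole leftmost label standing for one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # '*.example.com' never covers 'example.com' or 'a.b.example.com'
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]  # refuse '*.com'-style patterns
    return p == h

def cert_names(cert):
    """SAN dNSName entries; the subject CN is used only when no SAN exists."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def findings(cert, host, now):
    """Expiry and hostname findings, using the thresholds from the table."""
    out = []
    expiry = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days = (expiry - now).days
    if expiry <= now:
        out.append("expired")
    elif days < 7:
        out.append("expires_under_7_days")
    elif days < 30:
        out.append("expires_under_30_days")
    if not any(name_matches(n, host) for n in cert_names(cert)):
        out.append("hostname_mismatch")
    return out

# Constructed samples in getpeercert() format, checked against a fixed clock.
WILDCARD = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notAfter": "Mar 10 12:00:00 2025 GMT",
}
APEX_ONLY = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"),),
    "notAfter": "Dec 31 23:59:59 2025 GMT",
}
NOW = datetime(2025, 2, 20, 12, 0, 0, tzinfo=timezone.utc)
```

With these samples, the certificate issued only for example.com reports a mismatch for www.example.com, while the wildcard certificate covers www.example.com but not a.b.example.com.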
Is Let’s Encrypt as secure as a paid certificate?
From an encryption standpoint, yes. Let’s Encrypt issues Domain Validation (DV) certificates that use the same cryptographic standards (RSA 2048-bit or ECDSA, SHA-256 signatures) as certificates from paid providers like DigiCert or Sectigo. The difference is in validation level: paid providers also offer Organization Validation (OV) and Extended Validation (EV) certificates that verify the legal identity of the organization, not just domain ownership. For encryption and browser trust indicators, there is no difference.
How often should I check my SSL certificate?
At minimum, check after any server or DNS change. If you’re using Let’s Encrypt with auto-renewal, check monthly to confirm the renewal process is working. For certificates with longer validity periods (1 year), set a reminder 30 days before expiration. Automated monitoring is better than manual checks for production sites – but this tool is useful for spot checks and troubleshooting.
How this tool works
This tool runs entirely in your browser and our server. We detect your IP address server-side, then perform DNS and WebRTC checks client-side. No account is needed and no personal data is stored beyond anonymous aggregate statistics.
Results are based on real-time checks against your current connection. For the most accurate results, ensure your VPN is fully connected before running the test.