Skip to content
D1
EN

Certificate audit

SSL Certificate Checker

Verify certificate validity, expiration, issuer, SANs and negotiated TLS details for any host.

This form calls the relative endpoint: /site-api/tools/ssl

How to use the SSL certificate checker

  1. Enter a hostname (port 443 implied unless your stack uses a custom TLS port documented in your runbook). The tool opens a TLS connection and retrieves the presented certificate chain — no browser padlock UI required.
  2. Review subject, issuer, validity dates, SAN list, chain completeness, and negotiated TLS version. Missing intermediates show up as shortened chains that fail on strict clients even when Chrome appears fine.
  3. Compare SAN coverage with the URL users actually visit — apex vs www, staging subdomains, and API hosts each need explicit names or wildcards. Copy chain details into renewal tickets or compliance packets.
  4. Re-check after DNS cutovers using DNS Checker first — pointing at the wrong IP makes SSL checks diagnose the wrong server. Recent lookups stay in local browser history; DN01 does not operate a certificate transparency search engine or multi-year expiry dashboard unless you automate via API.

SSL certificate fields explained

TLS certificates bind identities to public keys. The table maps common fields to operator questions during renewals, migrations, and incident response. Certificate validity does not prove site safety — a phishing domain can obtain DV certs. Pair SSL results with WHOIS age, HTTP security headers, and DNS Checker records before trusting a host.

FieldWhat to verifyTypical value
Subject / CNPrimary hostname on the certificateCN=www.example.com
SANAll hostnames covered by the certexample.com, www.example.com
IssuerCertificate authority that signed the leafLet's Encrypt R3
Valid from / toNot-before and not-after window2025-01-01 — 2025-04-01
ChainIntermediate certs between leaf and trust storeLeaf → R3 → ISRG Root X1
TLS versionNegotiated protocol with the hostTLS 1.3
Signature algorithmHash and key type for the leafECDSA with SHA-256
SerialUnique cert identifier for revocation lookups03:ab:cd:...
OCSP / CRLRevocation mechanism hintsOCSP stapling if configured

When to run an SSL certificate check

Run before and after renewals, CA migrations, or Let's Encrypt rate-limit incidents. Expiry within thirty days should trigger automation or manual reissue — the checker reads live not-after dates from the wire, not calendar reminders in your inbox.

After CDN or origin moves, confirm the new edge presents the intended cert SAN list. Customers hitting www while the cert covers only apex (or reverse) see browser warnings despite «working» curl from ops laptops with Host header tricks.

Chain completeness issues surface as Android or Java failures while desktop Safari succeeds. Inspect intermediate certificates in the checker output and install the CA bundle your provider documents. DIG on CAA before blaming the CA — restrictive CAA blocks issuance silently until DNS fixes land.

Compliance questionnaires ask for TLS version and cipher posture. The checker reports negotiated protocol versions useful for «TLS 1.2+ only» attestations — not a full PCI ASV scan replacement.

Incident response on suspected MITM compares issuer and serial against known good archives you maintain. DN01 shows current wire presentation only — not historical CT log diffs or enterprise inventory unless you script API snapshots yourself.

Multi-tenant SaaS on wildcard certs should still list customer vanity domains explicitly when tenants bring BYO certificates — wildcard *.platform.com does not cover tenant.com without SAN or separate cert.

IoT fleets with long-lived devices may trust expired roots — server-side TLS 1.3 upgrade breaks legacy firmware; certificate checker on prod hostname documents what modern clients see while product teams assess embedded trust stores separately.

Load balancer health checks using self-signed certs on backend pools do not affect public leaf cert — keep public SSL checker focused on customer-facing VIP hostnames during infra drills.

Troubleshooting certificate errors

Hostname mismatch means the cert SAN list lacks the label in your URL — fix DNS CNAME/A to a covered name or reissue with correct SANs. Wildcards cover one level (*.example.com) not nested api.staging.example.com unless explicitly listed.

Expired or not-yet-valid certs clock-skew on servers — verify NTP on origin VMs. Renewal automation may have failed while HTTP validation paths broke due to A record drift — DNS Checker first, then SSL checker.

Untrusted issuer or incomplete chain: install intermediates on the origin or CDN, not only the leaf. Some panels upload leaf only; browsers cache AIA fetches that strict APIs disallow.

TLS version too low: upgrade web server or load balancer configs. Legacy clients forcing TLS 1.0 may still fail after server hardening — separate product decision from cert validity itself.

OCSP stapling missing is not always fatal — some clients fetch OCSP live. Note stapling in checker output when hardening high-traffic sites to reduce handshake latency and privacy leaks.

Certificates, CAA, and HTTP validation

HTTP-01 and TLS-ALPN-01 validation require reachable hosts on the names in the CSR. DNS Checker confirms A/AAAA before SSL troubleshooting — chasing chain errors on an IP that no longer belongs to you wastes hours.

CAA DNS records restrict which CAs may issue. DIG or DNS Checker on CAA before opening CA support tickets. Zero issue tags mean only listed CAs can sign; accidental CAA during copy-paste templates blocks renewals until removed.

HSTS and redirect headers from HTTP header checker reduce accidental http-01 failures when http URLs must answer with specific tokens. Mixed content and CSP do not change cert validity but break lock icons — layer header review after chain is sound.

DN01 SSL checker connects from our infrastructure — a pass here does not guarantee every geographic vantage sees the same cert on multi-CDN setups. For geo-specific edge certs, sample from multiple networks or use your CDN's cert status panel; we do not map global edge presentation.

Private CAs for internal mTLS do not appear in public trust stores — checker against internal hostnames still validates wire presentation for ops debugging even when public browsers would reject the same issuer.

Five-step TLS renewal workflow

  1. DNS Checker on all names in the CSR/SAN list — A, AAAA, CNAME must reach the validation endpoint.
  2. DIG CAA if prior issuances failed mysteriously — remove overly strict issue tags if policy allows.
  3. Issue or renew at your CA; install full chain on origin/CDN.
  4. SSL Certificate Checker on every public hostname variant (apex, www, api).
  5. HTTP header checker for HSTS and redirect rules; archive outputs — DN01 does not retain shared renewal calendars.

SSL checker vs SSL Labs and monitor services

Qualys SSL Labs delivers deep grades, cipher suites, and vulnerability narratives — excellent for quarterly audits, slower for «is today's cert expired?» DN01 optimizes fast chain and SAN verification with companion DNS and header tools on one domain — not a replacement for Labs when you need exhaustive cipher scoring.

Uptime monitors ping expiry weekly and page on-call. DN01 browser checks are manual or API-driven snapshots without bundled paging — honest scope for operators who already own monitoring but need a quick cert read during incidents.

Browser padlock UIs hide chain details and may cache prior states. Wire-level checker bypasses browser cache for the hostname you type. We do not install browser extensions or MITM corporate roots — standard TLS handshake from our fetchers.

No fake «A+» marketing badge, no claim to scan entire subnets, no propagation maps. Accurate leaf-and-chain readout, eight locales, local history, API for scripts — pair with WHOIS and Blacklist Checker when investigating suspicious hosts, not when cert alone should grant trust.

Renewal calendars in enterprise PKI teams track every SAN and intermediate — DN01 does not replace those systems. Use our checker when an on-call engineer needs immediate wire truth during a Sev2, then file the screenshot into your existing CMDB or ticket queue where long-term cert inventory actually lives.

Certificate pinning in mobile apps breaks silently when you rotate leaf certs without app updates — SSL checker validates public TLS while app teams manage pin hashes in release trains; keep both workstreams linked in major rotation projects.

EV certificate organizational fields rarely appear in modern DV-heavy stacks — do not expect extended validation metadata in checker output unless your CA and purchase tier actually issue EV; focus on SAN and chain for typical Let's Encrypt deployments.

TLS 1.0 sunset projects should test legacy integration partners after disabling old protocols — checker documents successful modern handshake while partner teams update their clients on separate timelines.

Self-signed certs in staging intentionally fail public trust — use checker to confirm expected issuer CN matches your internal CA naming standard before promoting config to production keystores.

Certificate transparency logs help detect mis-issued certs — DN01 does not search CT logs; wire check complements but does not replace CT monitoring products.

mTLS between microservices uses internal CAs — public SSL checker on internal DNS names still helps debug handshake failures during mesh upgrades when operators lack openssl on jump boxes.

Why use DN01 SSL Certificate Checker

  • Live chain, SAN, issuer, and validity from a TLS handshake — faster than full SSL Labs for spot checks.
  • Works alongside DNS Checker, DIG, HTTP header checker, and WHOIS for migration and incident workflows.
  • Eight localized interfaces, copy-friendly output, local recent history, documented API — no CT log warehouse.
  • Honest boundaries: wire snapshot from our path, not worldwide edge cert maps or PCI scanning.

FAQ

SSL certificate checker FAQ

Certificate expiry, issuer, chain, and hostname coverage checks.

What does the SSL checker validate?

It connects to the host and reports certificate subject, issuer, validity dates, SAN coverage, and chain details. Start with SSL certificate expiry check if expiry is your main concern.

Why can a certificate look valid but still fail?

Common causes include missing intermediate certificates, hostname mismatch, expired roots, or clients using an old trust store. The certificate chain guide covers chain basics.

Should I check DNS before SSL?

If the wrong server answers, SSL checks can mislead you. Confirm A/AAAA or CNAME records in DNS Checker before digging into the certificate.

Can certificate monitoring be automated?

Yes. The browser page is for quick checks; recurring expiry checks can use the API docs once you request an API token.

What is a SAN certificate?

Subject Alternative Names list every hostname covered by one certificate — for example apex and www. Mismatch errors often mean the cert lacks the exact name the browser requested.

How early should I renew SSL certificates?

Most operators renew at 30 days before expiry; automation with Let's Encrypt often renews sooner. Use this checker weekly on production hosts during migration windows.

Does the checker test TLS version and ciphers?

It reports negotiated TLS details where available. For deep cipher audits you may still need specialized scanners — DN01 focuses on certificate validity, chain, and hostname fit operators need daily.

Why does SSL fail on IP addresses?

Public CAs rarely issue certificates for raw IPs. Check the hostname on the certificate matches the name users type — CNAME chains can hide mismatches until someone visits the apex directly.

Can I check mail server certificates?

Enter the MX hostname or SMTP TLS endpoint host. Mail STARTTLS uses the same X.509 basics — expiry and hostname coverage — even though browsers never show that connection.

What is certificate chain order?

Servers should send leaf, intermediates, and optionally root. Missing intermediates cause random failures on strict clients even when Chrome looks fine. The checker shows the chain returned by the live host.

Is the SSL checker free?

Yes for manual lookups. Automated expiry monitoring uses the API docs with an API token.

Should I pair SSL with HTTP headers?

Yes. HSTS and redirect headers from HTTP Header Checker explain whether browsers will ever reach your new certificate on the first hop.

Tool switcher

Pick the next step in your domain or security workflow.

Full tool catalog

Guides

Practical guides for common SSL Certificate Checker tasks — DNS records, troubleshooting steps, and links to our free tools.

Back to SSL Certificate Checker