Certificate audit
SSL Certificate Checker
Verify certificate validity, expiration, issuer, SANs and negotiated TLS details for any host.
How to use the SSL certificate checker
- Enter a hostname (port 443 implied unless your stack uses a custom TLS port documented in your runbook). The tool opens a TLS connection and retrieves the presented certificate chain — no browser padlock UI required.
- Review subject, issuer, validity dates, SAN list, chain completeness, and negotiated TLS version. Missing intermediates show up as shortened chains that fail on strict clients even when Chrome appears fine.
- Compare SAN coverage with the URL users actually visit — apex vs www, staging subdomains, and API hosts each need explicit names or wildcards. Copy chain details into renewal tickets or compliance packets.
- Re-check after DNS cutovers using DNS Checker first — pointing at the wrong IP makes SSL checks diagnose the wrong server. Recent lookups stay in local browser history; DN01 does not operate a certificate transparency search engine or multi-year expiry dashboard unless you automate via API.
SSL certificate fields explained
TLS certificates bind identities to public keys. The table maps common fields to operator questions during renewals, migrations, and incident response. Certificate validity does not prove site safety — a phishing domain can obtain DV certs. Pair SSL results with WHOIS age, HTTP security headers, and DNS Checker records before trusting a host.
| Field | What to verify | Typical value |
|---|---|---|
| Subject / CN | Primary hostname on the certificate | CN=www.example.com |
| SAN | All hostnames covered by the cert | example.com, www.example.com |
| Issuer | Certificate authority that signed the leaf | Let's Encrypt R3 |
| Valid from / to | Not-before and not-after window | 2025-01-01 — 2025-04-01 |
| Chain | Intermediate certs between leaf and trust store | Leaf → R3 → ISRG Root X1 |
| TLS version | Negotiated protocol with the host | TLS 1.3 |
| Signature algorithm | Hash and key type for the leaf | ECDSA with SHA-256 |
| Serial | Unique cert identifier for revocation lookups | 03:ab:cd:... |
| OCSP / CRL | Revocation mechanism hints | OCSP stapling if configured |
When to run an SSL certificate check
Run before and after renewals, CA migrations, or Let's Encrypt rate-limit incidents. Expiry within thirty days should trigger automation or manual reissue — the checker reads live not-after dates from the wire, not calendar reminders in your inbox.
After CDN or origin moves, confirm the new edge presents the intended cert SAN list. Customers hitting www while the cert covers only apex (or reverse) see browser warnings despite «working» curl from ops laptops with Host header tricks.
Chain completeness issues surface as Android or Java failures while desktop Safari succeeds. Inspect intermediate certificates in the checker output and install the CA bundle your provider documents. DIG on CAA before blaming the CA — restrictive CAA blocks issuance silently until DNS fixes land.
Compliance questionnaires ask for TLS version and cipher posture. The checker reports negotiated protocol versions useful for «TLS 1.2+ only» attestations — not a full PCI ASV scan replacement.
Incident response on suspected MITM compares issuer and serial against known good archives you maintain. DN01 shows current wire presentation only — not historical CT log diffs or enterprise inventory unless you script API snapshots yourself.
Multi-tenant SaaS on wildcard certs should still list customer vanity domains explicitly when tenants bring BYO certificates — wildcard *.platform.com does not cover tenant.com without SAN or separate cert.
IoT fleets with long-lived devices may trust expired roots — server-side TLS 1.3 upgrade breaks legacy firmware; certificate checker on prod hostname documents what modern clients see while product teams assess embedded trust stores separately.
Load balancer health checks using self-signed certs on backend pools do not affect public leaf cert — keep public SSL checker focused on customer-facing VIP hostnames during infra drills.
Troubleshooting certificate errors
Hostname mismatch means the cert SAN list lacks the label in your URL — fix DNS CNAME/A to a covered name or reissue with correct SANs. Wildcards cover one level (*.example.com) not nested api.staging.example.com unless explicitly listed.
Expired or not-yet-valid certs clock-skew on servers — verify NTP on origin VMs. Renewal automation may have failed while HTTP validation paths broke due to A record drift — DNS Checker first, then SSL checker.
Untrusted issuer or incomplete chain: install intermediates on the origin or CDN, not only the leaf. Some panels upload leaf only; browsers cache AIA fetches that strict APIs disallow.
TLS version too low: upgrade web server or load balancer configs. Legacy clients forcing TLS 1.0 may still fail after server hardening — separate product decision from cert validity itself.
OCSP stapling missing is not always fatal — some clients fetch OCSP live. Note stapling in checker output when hardening high-traffic sites to reduce handshake latency and privacy leaks.
Certificates, CAA, and HTTP validation
HTTP-01 and TLS-ALPN-01 validation require reachable hosts on the names in the CSR. DNS Checker confirms A/AAAA before SSL troubleshooting — chasing chain errors on an IP that no longer belongs to you wastes hours.
CAA DNS records restrict which CAs may issue. DIG or DNS Checker on CAA before opening CA support tickets. Zero issue tags mean only listed CAs can sign; accidental CAA during copy-paste templates blocks renewals until removed.
HSTS and redirect headers from HTTP header checker reduce accidental http-01 failures when http URLs must answer with specific tokens. Mixed content and CSP do not change cert validity but break lock icons — layer header review after chain is sound.
DN01 SSL checker connects from our infrastructure — a pass here does not guarantee every geographic vantage sees the same cert on multi-CDN setups. For geo-specific edge certs, sample from multiple networks or use your CDN's cert status panel; we do not map global edge presentation.
Private CAs for internal mTLS do not appear in public trust stores — checker against internal hostnames still validates wire presentation for ops debugging even when public browsers would reject the same issuer.
Five-step TLS renewal workflow
- DNS Checker on all names in the CSR/SAN list — A, AAAA, CNAME must reach the validation endpoint.
- DIG CAA if prior issuances failed mysteriously — remove overly strict issue tags if policy allows.
- Issue or renew at your CA; install full chain on origin/CDN.
- SSL Certificate Checker on every public hostname variant (apex, www, api).
- HTTP header checker for HSTS and redirect rules; archive outputs — DN01 does not retain shared renewal calendars.
SSL checker vs SSL Labs and monitor services
Qualys SSL Labs delivers deep grades, cipher suites, and vulnerability narratives — excellent for quarterly audits, slower for «is today's cert expired?» DN01 optimizes fast chain and SAN verification with companion DNS and header tools on one domain — not a replacement for Labs when you need exhaustive cipher scoring.
Uptime monitors ping expiry weekly and page on-call. DN01 browser checks are manual or API-driven snapshots without bundled paging — honest scope for operators who already own monitoring but need a quick cert read during incidents.
Browser padlock UIs hide chain details and may cache prior states. Wire-level checker bypasses browser cache for the hostname you type. We do not install browser extensions or MITM corporate roots — standard TLS handshake from our fetchers.
No fake «A+» marketing badge, no claim to scan entire subnets, no propagation maps. Accurate leaf-and-chain readout, eight locales, local history, API for scripts — pair with WHOIS and Blacklist Checker when investigating suspicious hosts, not when cert alone should grant trust.
Renewal calendars in enterprise PKI teams track every SAN and intermediate — DN01 does not replace those systems. Use our checker when an on-call engineer needs immediate wire truth during a Sev2, then file the screenshot into your existing CMDB or ticket queue where long-term cert inventory actually lives.
Certificate pinning in mobile apps breaks silently when you rotate leaf certs without app updates — SSL checker validates public TLS while app teams manage pin hashes in release trains; keep both workstreams linked in major rotation projects.
EV certificate organizational fields rarely appear in modern DV-heavy stacks — do not expect extended validation metadata in checker output unless your CA and purchase tier actually issue EV; focus on SAN and chain for typical Let's Encrypt deployments.
TLS 1.0 sunset projects should test legacy integration partners after disabling old protocols — checker documents successful modern handshake while partner teams update their clients on separate timelines.
Self-signed certs in staging intentionally fail public trust — use checker to confirm expected issuer CN matches your internal CA naming standard before promoting config to production keystores.
Certificate transparency logs help detect mis-issued certs — DN01 does not search CT logs; wire check complements but does not replace CT monitoring products.
mTLS between microservices uses internal CAs — public SSL checker on internal DNS names still helps debug handshake failures during mesh upgrades when operators lack openssl on jump boxes.
Why use DN01 SSL Certificate Checker
- Live chain, SAN, issuer, and validity from a TLS handshake — faster than full SSL Labs for spot checks.
- Works alongside DNS Checker, DIG, HTTP header checker, and WHOIS for migration and incident workflows.
- Eight localized interfaces, copy-friendly output, local recent history, documented API — no CT log warehouse.
- Honest boundaries: wire snapshot from our path, not worldwide edge cert maps or PCI scanning.
FAQ
SSL certificate checker FAQ
Certificate expiry, issuer, chain, and hostname coverage checks.
What does the SSL checker validate?
It connects to the host and reports certificate subject, issuer, validity dates, SAN coverage, and chain details. Start with SSL certificate expiry check if expiry is your main concern.
Why can a certificate look valid but still fail?
Common causes include missing intermediate certificates, hostname mismatch, expired roots, or clients using an old trust store. The certificate chain guide covers chain basics.
Should I check DNS before SSL?
If the wrong server answers, SSL checks can mislead you. Confirm A/AAAA or CNAME records in DNS Checker before digging into the certificate.
Can certificate monitoring be automated?
Yes. The browser page is for quick checks; recurring expiry checks can use the API docs once you request an API token.
What is a SAN certificate?
Subject Alternative Names list every hostname covered by one certificate — for example apex and www. Mismatch errors often mean the cert lacks the exact name the browser requested.
How early should I renew SSL certificates?
Most operators renew at 30 days before expiry; automation with Let's Encrypt often renews sooner. Use this checker weekly on production hosts during migration windows.
Does the checker test TLS version and ciphers?
It reports negotiated TLS details where available. For deep cipher audits you may still need specialized scanners — DN01 focuses on certificate validity, chain, and hostname fit operators need daily.
Why does SSL fail on IP addresses?
Public CAs rarely issue certificates for raw IPs. Check the hostname on the certificate matches the name users type — CNAME chains can hide mismatches until someone visits the apex directly.
Can I check mail server certificates?
Enter the MX hostname or SMTP TLS endpoint host. Mail STARTTLS uses the same X.509 basics — expiry and hostname coverage — even though browsers never show that connection.
What is certificate chain order?
Servers should send leaf, intermediates, and optionally root. Missing intermediates cause random failures on strict clients even when Chrome looks fine. The checker shows the chain returned by the live host.
Is the SSL checker free?
Yes for manual lookups. Automated expiry monitoring uses the API docs with an API token.
Should I pair SSL with HTTP headers?
Yes. HSTS and redirect headers from HTTP Header Checker explain whether browsers will ever reach your new certificate on the first hop.
Tool switcher
Continue with another check
Pick the next step in your domain or security workflow.
- Domain IP LookupA and AAAA IP addresses for a domainOpen
- Blacklist CheckerDNSBL reputation for IP and domainOpen
- BIN CheckerCard brand, bank and country from BIN/IINOpen
- HTTP/2 TesterHTTP/2 support, ALPN and TLS negotiationOpen
- HTTP Header CheckerResponse headers, redirects and cachingOpen
- DNS CheckerAll major record types in one passOpen
- DIGOne record type, resolver-style answerOpen
- WHOISRegistrar, expiry and domain statusOpen
- Punycode ConverterUnicode ↔ Punycode for IDN domainsOpen
- IP CalculatorSubnet math for IPv4 and IPv6 CIDROpen
- Base64 CodecEncode and decode Base64 textOpen
- Password GeneratorStrong random passwords for ops workOpen
- Passphrase GeneratorMemorable random word phrases for safer sharing testsOpen
Related articles
Practical guides for common SSL Certificate Checker tasks — DNS records, troubleshooting steps, and links to our free tools.
ssl certificate expiry check, check ssl expiration online, certificate validity date
SSL Certificate Expiry Check — Verify Online
How to check SSL certificate expiration online, read notAfter dates, understand browser errors, and prevent HTTPS outages before certificates expire.
Read article →tls vs ssl difference, what is tls 1.3, ssl tls explained
TLS vs SSL — Protocol Names Explained
Clear explanation of TLS vs SSL naming, why tools say SSL checker, TLS 1.2 vs 1.3 in production, and how to read negotiated protocol in results.
Read article →ssl certificate chain, intermediate certificate, root ca trust store
SSL Certificate Chain — Trust and Intermediate CAs
How SSL certificate chains work, why missing intermediates cause untrusted errors, and how to verify the full chain online.
Read article →lets encrypt renewal, acme ssl renew, certbot auto renew check
Let's Encrypt Renewal — Avoid 90-Day Surprises
How Let's Encrypt 90-day certificates renew, ACME HTTP-01 vs DNS-01, verifying renewal with an SSL checker, and fixing failed auto-renew jobs.
Read article →ssl certificate error fix, certificate name mismatch, ssl troubleshooting guide
SSL Certificate Errors — Troubleshooting Guide
Fix common SSL errors: name mismatch, untrusted chain, expired cert, mixed content, and SNI issues using online checkers and DNS/WHOIS context.
Read article →tls version hardening, disable tls 1.0 1.1, ssl protocol check
TLS Version Hardening — Disable Legacy Protocols
Check negotiated TLS versions and plan deprecation of TLS 1.0/1.1 on public hosts.
Read article →certificate transparency monitoring, ct log ssl cert, unexpected tls cert
Certificate Transparency — Catch Unexpected Certs
Why CT matters for security teams and how SSL checks complement CT monitors.
Read article →