SSL Certificate Checker - Verify HTTPS Security

About This Tool

Check any domain's SSL certificate in seconds with this free SSL certificate checker. Enter a domain name to instantly verify its HTTPS certificate validity, view expiry dates, inspect issuer information, check HSTS configuration, and receive an A+ through F security grade. The tool queries Certificate Transparency logs and tests the live HTTPS connection to give you a complete picture of a site's TLS security posture. SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) protect data transmitted between web browsers and servers through encryption. Every website handling login credentials, payment information, or personal data needs a valid SSL/TLS certificate. Expired or misconfigured certificates trigger browser warnings that drive visitors away and can expose sensitive information to interception. Site operators, security auditors, and developers use SSL checkers to monitor certificate health, verify proper configuration after renewals, and confirm that security headers like HSTS are active. This checker provides actionable results without requiring an account or installation. You get certificate details, SAN (Subject Alternative Name) coverage, HSTS header analysis, and a clear security grade that summarizes the overall TLS configuration quality. Use it to audit your own domains before they expire or to evaluate the security stance of third-party services you depend on.

Understanding SSL/TLS Security Grades

The security grade reflects the overall strength of a domain's HTTPS configuration:

A+ indicates a valid certificate combined with a strong HSTS policy (max-age of at least one year and includeSubDomains enabled). This is the gold standard for production websites.
A means the certificate is valid and HSTS is present, but the policy may lack includeSubDomains or have a shorter max-age value.
B signals a valid certificate without any HSTS header. The site encrypts traffic but does not instruct browsers to always use HTTPS, leaving users vulnerable to downgrade attacks on first visits.
C warns that the certificate is valid but will expire within 30 days. Immediate renewal is needed to prevent browser warnings and service interruption.
F means the connection failed, the certificate is expired, or no valid certificate was found. Visitors will see full-page security warnings in their browsers.

What Certificate Transparency Reveals

Certificate Transparency (CT) is a public logging system that records every SSL/TLS certificate issued by participating Certificate Authorities. When a CA issues a certificate for your domain, it gets logged to CT servers that anyone can query. This serves multiple purposes:

Detecting unauthorized certificates: If someone fraudulently obtains a certificate for your domain, you can find it in CT logs before it gets used in an attack.
Monitoring issuance history: View all certificates ever issued for a domain, including wildcard certs, to verify that only authorized CAs have issued certificates.
Identifying SAN coverage: See exactly which domain names and subdomains are covered by each certificate, useful for verifying multi-domain SSL configurations.

This checker queries CT logs to retrieve certificate metadata including the issuer, validity period, and complete SAN list without needing direct access to the server's certificate chain.

HSTS and Why It Matters

HTTP Strict Transport Security (HSTS) is a response header that instructs browsers to only communicate with a domain over HTTPS. Without HSTS, a user typing "example.com" into their address bar may first connect over unencrypted HTTP before being redirected to HTTPS. During that brief HTTP connection, an attacker on the same network could intercept traffic or redirect the user to a phishing site. HSTS eliminates this window by telling browsers to skip HTTP entirely after the first secure visit.

Key HSTS parameters:

max-age: Duration in seconds that browsers should remember to use HTTPS. A value of 31536000 (one year) is recommended for production sites.
includeSubDomains: Extends the HSTS policy to all subdomains. Without this, sub.example.com could still be accessed over HTTP even if example.com has HSTS.
preload: Allows the domain to be included in browser HSTS preload lists, enforcing HTTPS even on the very first visit before any headers are received.

Common SSL Certificate Problems

Several issues can cause SSL certificate failures or browser warnings:

Expired certificate: The most common problem. Certificates have fixed validity periods (typically 90 days for Let's Encrypt or 1-2 years for commercial CAs). Set up automated renewal or monitoring alerts well before expiration.
Domain name mismatch: The certificate's Common Name or SAN list does not include the domain being accessed. This happens when accessing a site via a subdomain not covered by the certificate.
Incomplete certificate chain: The server is not sending intermediate certificates needed to link the site's certificate back to a trusted root CA. Some browsers can fetch missing intermediates, but others will show an error.
Mixed content: The page loads over HTTPS but includes resources (images, scripts, stylesheets) over HTTP. Modern browsers block mixed active content and warn about mixed passive content.
Self-signed certificate: The certificate was not issued by a trusted CA. Only acceptable for internal development environments, never for public-facing sites.

Frequently Asked Questions

How often should I check my SSL certificate?

Check your SSL certificate at least once a month, and always after a renewal or server configuration change. If you use short-lived certificates (90-day validity from Let's Encrypt), monitor weekly. Many outages happen because automated renewal failed silently, and the first sign of trouble is an angry customer seeing a browser warning. Setting up automated monitoring or calendar reminders 30 days before expiry prevents these surprises.

What is the difference between SSL and TLS?

SSL (Secure Sockets Layer) is the original encryption protocol for web traffic, with versions 1.0 through 3.0 released in the 1990s. TLS (Transport Layer Security) is its successor, starting at version 1.0 in 1999. All SSL versions are now deprecated due to security vulnerabilities. Modern HTTPS connections use TLS 1.2 or TLS 1.3, which offer stronger encryption and faster handshakes. The term "SSL certificate" persists in common usage, but the certificates themselves work with both protocols and are technically X.509 certificates.

Why does my site show a grade of B instead of A?

A grade of B means your SSL certificate is valid but your server is not sending the Strict-Transport-Security (HSTS) header. Without HSTS, browsers may attempt an insecure HTTP connection before redirecting to HTTPS. To upgrade to an A, add the HSTS header to your server configuration. For Apache, use Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains". For Nginx, use add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;. After adding HSTS with includeSubDomains and a max-age of at least one year, your grade should reach A+.

What are Subject Alternative Names (SANs)?

Subject Alternative Names are additional domain names covered by a single SSL certificate. A certificate for example.com might also include SANs for www.example.com, api.example.com, and mail.example.com. Wildcard certificates use *.example.com to cover all direct subdomains. SANs replaced the older Common Name field as the primary way to bind domains to certificates. Modern browsers check the SAN list first and some ignore the Common Name entirely. When ordering or renewing certificates, verify that all domains and subdomains your users access are included in the SAN list.

Can I use a free SSL certificate for production?

Yes. Free certificates from providers like Let's Encrypt provide the same encryption strength as paid certificates. The encryption algorithms and key sizes are identical. Paid certificates may offer extended validation (EV), which displays the organization name in some browsers, warranty coverage if the CA is compromised, and longer validity periods. For most websites, a free domain-validated (DV) certificate with automated renewal provides adequate security. The important factors are proper configuration, timely renewal, and enabling HSTS rather than whether the certificate was free or paid.