DNS Studio tool

Check your SSL certificate clearly.

Enter a domain to see whether its certificate is valid and trusted, exactly when it expires, and what to do if something needs attention — in plain English, with full technical detail one click away.

Validity & trust · Expiry countdown · Full chain


What this check means

Every site served over HTTPS presents an SSL certificate — a signed statement that says “this server is allowed to answer for this domain”. Before your browser shows a page, it checks that statement: is the certificate still within its validity dates, does it actually name the domain in the address bar, and was it issued by a certificate authority the browser trusts, through an unbroken chain of signatures?

This tool runs the same checks a browser would, then explains the outcome. It connects to your domain on port 443, reads the certificate the server presents, and reports the result as Passed, Warning or Failed — with an expiry countdown, because expiry is the single most common way a working site suddenly starts showing security warnings. If you want the raw material, switch to Tech mode for the full chain, the Subject Alternative Names, fingerprints and key details.

Common issues

How to fix them

Almost every certificate problem has the same shape of fix: issue a fresh certificate that covers the right names, and install it together with its full chain. If your hosting provider or CDN manages HTTPS for you, renewal is usually a button — or already automatic, in which case the fix is finding out why the automation stopped. If you manage your own server, an ACME client such as Certbot renews a free Let’s Encrypt certificate on a schedule and installs the chain correctly.

After any change, run the check again. Certificates take effect as soon as the server reloads, so the result reflects reality immediately — there is no propagation delay as there is with DNS.

Technical reference

The check performs a TLS handshake with SNI set to your domain and reads the presented certificate chain — it never follows redirects and only ever connects on port 443. From the leaf certificate it reports the subject and issuer, Subject Alternative Names, validity dates and days remaining, serial number, signature algorithm, public key type and size, and the SHA-256 fingerprint. Hostname matching follows browser rules: exact or single-label wildcard matches against the SAN list, with Common Name considered only as a legacy fallback. The chain summary lists each certificate from leaf towards the root and notes whether the chain reaches a self-signed root or verifies against a public trust store.
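The hostname-matching and expiry rules described above, as an added Python example (not DNS Studio's own code). The parsed-certificate dictionary, the function names and the 30-day warning threshold are assumptions, and the sample certificate is constructed.

```python
from datetime import datetime, timezone

def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a leading '*.' wildcard standing for exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                      # "*.example.com" -> ".example.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]              # what the wildcard would stand for
    return bool(label) and "." not in label   # one label only, never zero or two

def hostname_covered(host, san_dns, common_name=None):
    """Return (covered, source). CN is consulted only when there are no SAN DNS names."""
    if san_dns:
        return any(name_matches(p, host) for p in san_dns), "san"
    if common_name:
        return name_matches(common_name, host), "cn-fallback"
    return False, "none"

def assess(host, cert, now, warn_days=30):
    """Classify a parsed leaf certificate; warn_days is an assumed threshold."""
    covered, source = hostname_covered(host, cert.get("san_dns", []), cert.get("cn"))
    days_left = (cert["not_after"] - now).days
    if not covered or now < cert["not_before"] or now > cert["not_after"]:
        status = "Failed"      # wrong name, not yet valid, or expired
    elif days_left < warn_days:
        status = "Warning"     # valid today, but renewal is due
    else:
        status = "Passed"
    return {"status": status, "days_left": days_left, "name_source": source}

# Constructed sample data (not output from the tool).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
CERT = {
    "cn": "example.com",
    "san_dns": ["example.com", "*.example.com"],
    "not_before": datetime(2025, 4, 1, tzinfo=timezone.utc),
    "not_after": datetime(2025, 6, 30, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    for h in ("example.com", "www.example.com", "a.b.example.com", "example.org"):
        print(h, assess(h, CERT, NOW))
```

The wildcard entry covers `www.example.com` but neither the bare `example.com` (zero labels) nor `a.b.example.com` (two labels), which is why certificates usually list the apex name and the wildcard side by side.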

Protocol-level detail — negotiated TLS versions, cipher suites, handshake timings — is a different job, and it has its own tool: tls.studio.
