DNS Studio tool
Check your SSL certificate clearly.
Enter a domain to see whether its certificate is valid and trusted, exactly when it expires, and what to do if something needs attention — in plain English, with full technical detail one click away.
Validity & trustExpiry countdownFull chain
No result yet
Enter a domain to check its SSL certificate.
More DNS Studio checks
What this check means
Every site served over HTTPS presents an SSL certificate — a signed statement that says “this server is allowed to answer for this domain”. Before your browser shows a page, it checks that statement: is the certificate still within its validity dates, does it actually name the domain in the address bar, and was it issued by a certificate authority the browser trusts, through an unbroken chain of signatures?
This tool runs the same checks a browser would, then explains the outcome. It connects to your domain on port 443, reads the certificate the server presents, and reports the result as Passed, Warning or Failed — with an expiry countdown, because expiry is the single most common way a working site suddenly starts showing security warnings. If you want the raw material, switch to Tech mode for the full chain, the Subject Alternative Names, fingerprints and key details.
Common issues
- An expired certificate. Certificates have a fixed lifetime — at most 398 days for publicly trusted ones, and often just 90. When the date passes, browsers warn users or refuse the connection. See why certificates expire.
- A name mismatch. The certificate is valid, but for different names — a
classic example is a certificate covering
www.example.comwhile visitors useexample.com, or vice versa. - An incomplete chain. The server sends its own certificate but not the intermediate certificates that link it to a trusted root. Some browsers repair this quietly; many other clients fail.
- A self-signed or untrusted certificate. Fine on a test bench, but public visitors will see a warning page instead of your site.
- Weak cryptography. Keys shorter than RSA 2048-bit or certificates signed with SHA-1 are rejected by modern clients.
How to fix them
Almost every certificate problem has the same shape of fix: issue a fresh certificate that covers the right names, and install it together with its full chain. If your hosting provider or CDN manages HTTPS for you, renewal is usually a button — or already automatic, in which case the fix is finding out why the automation stopped. If you manage your own server, an ACME client such as Certbot renews a free Let’s Encrypt certificate on a schedule and installs the chain correctly.
After any change, run the check again. Certificates take effect as soon as the server reloads, so the result reflects reality immediately — there is no propagation delay as there is with DNS.
Technical reference
The check performs a TLS handshake with SNI set to your domain and reads the presented certificate chain — it never follows redirects and only ever connects on port 443. From the leaf certificate it reports the subject and issuer, Subject Alternative Names, validity dates and days remaining, serial number, signature algorithm, public key type and size, and the SHA-256 fingerprint. Hostname matching follows browser rules: exact or single-label wildcard matches against the SAN list, with Common Name considered only as a legacy fallback. The chain summary lists each certificate from leaf towards the root and notes whether the chain reaches a self-signed root or verifies against a public trust store.
Protocol-level detail — negotiated TLS versions, cipher suites, handshake timings — is a different job, and it has its own tool: tls.studio.
Related tools and articles
- SSL expiry checker — the countdown view of this check.
- tls.studio — deep TLS protocol analysis.
- dkim.studio and bimi.studio — email signing and brand logo checks.
- What is an SSL certificate? — What certificates actually do, who issues them, and what browsers check before showing the padlock.
- SSL vs TLS: what is the difference? — Why everyone still says SSL, what TLS changed, and which term you should use where.
- Why certificates expire — and how renewal works — Certificate lifetimes, ACME and Let’s Encrypt, paid CAs, and how to stop expiry taking your site down.
- Common SSL errors explained — The NET::ERR_CERT_* family in plain English — what each browser error means and how to fix it.
- Wildcard vs SAN certificates — How one certificate covers many names, and how to choose between wildcards and SAN lists.
- How to check when an SSL certificate expires — Four ways to read a certificate’s expiry date — in your browser, with our checker, and from the command line.