IP IP Address Toolbox

SSL/TLS Certificate Checker

Connects to the server over TLS and shows the certificate's expiry, SANs, issuer, chain and TLS version. Warns when expiry is near.

🔒 Need to renew or buy a certificate? Consider affordable SSL certificates by Slogical.

What this SSL/TLS checker does

This tool opens a real TLS connection to the host you enter (port 443 by default) and reports the server certificate exactly as a browser would see it: the common name and SANs, the issuing CA, the validity dates and days remaining, the negotiated TLS version, and the full certificate chain up to the root. It also tells you whether the certificate matches the hostname and whether the chain validates against the system trust store.

Why it matters

The most common production outage that "nobody saw coming" is an expired certificate. Watch the Days remaining value — under 30 days the badge turns amber. A broken chain (missing intermediate) or a hostname mismatch will make browsers show a security warning even when the certificate itself is valid.

You can enter a port too, e.g. mail.example.com:465 for SMTPS or :993 for IMAPS.

For a deeper audit — OCSP revocation, CT logs, HSTS preload, HTTP/2 & HTTP/3, full cipher-suite list and an A+–F security score — use Slogical's detailed SSL install checker.

🔒 Need to renew or buy a certificate? See affordable SSL certificates by Slogical. Related reading: the SSL certificate chain and how to check certificate expiry.

Frequently asked questions

Does this tool work for expired or self-signed certificates?

Yes. The handshake is performed without aborting on validation errors, so the certificate details are always shown. Any trust or hostname problem is reported separately so you can still diagnose it.

Can I check a port other than 443?

Yes. Append the port, e.g. example.com:8443. The tool speaks TLS directly, so it works for HTTPS and other TLS services such as SMTPS (465) and IMAPS (993).

What does "days remaining" mean exactly?

It is the whole number of days between now (UTC) and the certificate's notAfter date. Renew well before it reaches zero — ideally 30 days ahead, which is also when automated ACME clients renew.