🔒 SSL Certificate Checker

Check the SSL/TLS certificate history for any domain — issuer, validity dates, days remaining, common name, and SANs — sourced live from public Certificate Transparency logs. Free, unlimited, browser-only.

Examples: github.com   cloudflare.com   wikipedia.org
🕒 Recent Lookups
No recent lookups yet.

📚 What Is an SSL/TLS Certificate?

An SSL/TLS certificate is a digitally signed file that binds a public key to a domain name, issued by a trusted Certificate Authority (CA) after verifying the requester controls that domain. It powers HTTPS: encrypting traffic between browser and server, and proving to visitors that they're actually talking to the real site rather than an impersonator.

This tool reads that history from Certificate Transparency (CT) logs — public, append-only, cryptographically verifiable logs that every CA must publish issued certificates to for their certificates to be trusted by Chrome and other major browsers. That means you can see every certificate ever issued for a domain, not just the one currently live.

📋 Certificate Fields Explained

FieldMeaning
Common Name (CN)The primary hostname the certificate was issued for
SANEvery additional hostname the certificate secures — browsers check this list, not just CN
IssuerThe Certificate Authority that signed and issued the certificate
Not BeforeDate the certificate becomes valid
Not AfterExpiry date — the certificate is invalid after this date
Serial NumberUnique identifier assigned by the issuing CA

⚠️ What This Tool Does Not Show

Certificate Transparency logs record issuance, not the live server handshake. This tool won't show which certificate a server is presenting right now, its cipher suites, supported TLS versions, HSTS status, or an SSL grade — those require an active connection to the server. For a full live TLS/cipher/grade audit, pair this with our Security Headers Checker or an external scanner like Qualys SSL Labs.

🛡️ Use Cases

Expiry Monitoring
Quickly see the most recent certificate's expiry date and days remaining before renewing manually or auditing an automated renewal pipeline.
🔍
Subdomain Discovery
SAN lists on wildcard and multi-domain certificates often reveal subdomains you didn't know existed — useful for security audits and attack-surface mapping.
🔐
Issuer Verification
Confirm certificates are coming from your expected CA. An unexpected issuer in the CT history can indicate a misconfiguration or, rarely, unauthorized issuance.
📈
Migration Verification
After moving hosting or CDN providers, confirm the new certificate has been issued and covers all required hostnames before cutting over DNS.

🔗 More Ways to Investigate Domain Security

Check response security headers with Security Headers Checker, confirm DNS setup with DNS Lookup, and verify email authentication with SPF Lookup and DKIM Lookup. Read our guides: What Is SSL/TLS? and How to Fix an Expired SSL Certificate.

FAQ

How does this SSL Certificate Checker work? +
It queries public Certificate Transparency logs, which every CA must publish issued certificates to for browser trust. This reveals every certificate ever issued for a domain without contacting the server directly.
What is Certificate Transparency? +
CT (RFC 9162) requires CAs to log every issued certificate to public, append-only, tamper-evident logs. Chrome and other browsers require CT compliance for a certificate to be trusted.
Why does a domain show multiple certificates? +
Certificates typically last 90–398 days and get reissued repeatedly. Wildcard and multi-SAN certificates, plus staging/production splits, also multiply the count shown.
What does days remaining mean? +
Days until the most recent certificate's Not After date. Past that, browsers block the site with a certificate-expired warning by default.
What is a SAN in an SSL certificate? +
Subject Alternative Name — every hostname a certificate is valid for. Browsers require the visited hostname to appear in SAN, not just match the Common Name.
Who are the major free SSL issuers? +
Let's Encrypt is the largest, issuing short-lived 90-day DV certificates automatically via ACME. ZeroSSL, Google Trust Services, DigiCert, Sectigo, and Amazon are also common in CT logs.
What is the difference between DV, OV, and EV certificates? +
DV only confirms domain control. OV additionally verifies the organization is real. EV requires the most rigorous vetting. Modern browsers show all three identically in the address bar.
Does this tool check my live TLS configuration? +
No — CT logs show issuance history, not the live handshake, cipher suites, or protocol version. Use a dedicated live scanner like Qualys SSL Labs for that.
Why is no certificate showing for my domain? +
Either no publicly trusted certificate exists, it uses a private CA outside CT scope, or the hostname is only covered by a wildcard on the parent domain — try the root domain instead.
Can I check certificate history for a domain I don't own? +
Yes. CT logs are public by design specifically so certificate issuance is auditable by anyone, not just the domain owner.
What is a wildcard SSL certificate? +
A certificate like *.example.com that secures the base domain plus every direct first-level subdomain — it won't cover multi-level subdomains like a.b.example.com.
How do I renew an expiring SSL certificate? +
With Let's Encrypt/Certbot, renewal is usually automatic via cron/systemd — verify it's running. For commercial CAs, reissue via your provider's dashboard before expiry.
Is this SSL Certificate Checker free? +
Yes — completely free, unlimited lookups, no sign-up. Results are pulled live from public Certificate Transparency log search services.