Online SSL Certificate Checker

Diagnose SSL/TLS installation issues. Verify Chain of Trust, expiry dates, and supported protocols (TLS 1.2/1.3).

The Handshake Behind the Lock: Understanding TLS/SSL

Establishing a secure connection is a complex negotiation called the "TLS Handshake." When a user visits your site, the browser and server must agree on a cipher suite, verify the server's identity, and exchange keys, all in milliseconds. If any part of this process fails, the connection drops or the browser shows a warning. Our SSL Checker performs a deep scan of your server's configuration. It connects on port 443, retrieves the certificate details, and checks the "Subject Alternative Names" (SANs) to confirm that the certificate covers both the `www` and non-www versions of your domain, as well as any subdomains.
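The SAN coverage check described above can be reproduced locally. The following is an added example, not this tool's own code: the function names and the sample certificate are constructed for illustration, and the wildcard rule follows RFC 6125 (a `*` stands for exactly one leftmost label).

```python
import socket
import ssl


def fetch_cert(host, port=443, timeout=5.0):
    """Connect on port 443 and return the validated leaf certificate as a dict.

    Raises ssl.SSLCertVerificationError when the chain or the name check
    fails, which is itself the diagnostic result for the connected name.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def dns_sans(cert):
    """Return the DNS entries of subjectAltName from a getpeercert() dict."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def san_matches(hostname, pattern):
    """Match one hostname against one SAN entry, wildcard-aware."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False  # a wildcard never spans more than one label
    if pat[0] == "*":
        # Refuse wildcards directly under a top-level label such as "*.com".
        return len(pat) > 2 and bool(host[0]) and host[1:] == pat[1:]
    return host == pat


def coverage(cert, hostnames):
    """Map each hostname to True/False: is it covered by any DNS SAN?"""
    sans = dns_sans(cert)
    return {h: any(san_matches(h, p) for p in sans) for h in hostnames}


# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com"),
                       ("IP Address", "192.0.2.10")),
}

if __name__ == "__main__":
    names = ["example.com", "www.example.com", "a.b.example.com", "example.org"]
    for name, ok in coverage(SAMPLE_CERT, names).items():
        print(f"{name:20} {'covered' if ok else 'NAME MISMATCH'}")
```

To test a live server, pass the result of `fetch_cert("your-host")` to `coverage()` together with every hostname you expect the certificate to serve.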

Chain of Trust and Cross-Signing

A certificate is only as valid as its issuer. To trust your website's certificate (the Leaf), browsers must trace a path of digital signatures up to a trusted Root Certificate Authority (like DigiCert or ISRG Root X1) stored in their OS. This path is the "Chain of Trust." Often, servers fail to send the "Intermediate" certificates, causing errors on mobile devices or older systems while working fine on desktop. Our tool visualizes this hierarchy, alerting you immediately if the chain is broken or incomplete, saving you from elusive "it works on my machine" bug reports.

Protocol Support: TLS 1.2 vs 1.3

Security standards evolve. Old protocols like SSLv3, TLS 1.0, and TLS 1.1 are now considered insecure and are deprecated by major browsers and PCI-DSS standards due to vulnerabilities like POODLE or BEAST. Modern servers must support TLS 1.2 and ideally TLS 1.3 for better speed and security. This diagnostic tool checks which protocols your server accepts. If you are running an e-commerce site, ensuring you have disabled legacy protocols is not just a best practice; it is a compliance requirement.

FAQ
In common usage, they are synonymous. Technically, SSL (Secure Sockets Layer) is the old, deprecated protocol. TLS (Transport Layer Security) is the modern standard. Everyone says "SSL Certificate," but they actually mean "TLS Certificate."
This is often a "Name Mismatch" error. The certificate might be issued for `example.com` but you are visiting `sub.example.com`. Always check the SAN (Subject Alternative Name) field in the checker results.
You must renew the certificate with your Certificate Authority (CA) or hosting provider. After renewal, you usually need to install the new certificate files on your web server (Apache/Nginx/IIS) and restart the service.
A Wildcard certificate protects a domain and an unlimited number of its subdomains. It is denoted by an asterisk, for example, `*.google.com`. This is cost-effective for growing applications with many subdomains.
No! A Private Key should never be shared. This tool only analyzes the Public Certificate presented by your web server, which is public information available to anyone who visits your site.