SSL / TLS Certificate Checker

Inspect the TLS certificate for any domain. See issuer, expiry, SANs, TLS version, and the full chain - everything you need to know before a cert silently expires.

What it checks

Every field that decides whether browsers trust you.

One connection, one report - issuer, expiry, SANs, TLS version, and chain.

Issuer & subject

Who issued the certificate (Let's Encrypt, DigiCert, Sectigo, Google Trust Services) and which domain it was issued to.

Validity window

Valid-from and valid-to dates, and exactly how many days remain before expiry. An expired certificate is the single most common cause of sudden outages.

Subject Alternative Names

Every domain the certificate covers - apex, www, subdomains, and wildcards. If a name is missing, browsers will reject the connection.

TLS version

The negotiated protocol. TLS 1.3 is the modern default; TLS 1.2 is acceptable; anything older is a compliance failure.

Certificate chain

The full chain from your leaf cert up through intermediates to the trusted root. A missing intermediate is the second most common SSL outage.

Key & signature

Public-key algorithm and size (RSA 2048, ECDSA P-256), and the signature algorithm used by the issuer (SHA-256, SHA-384).

How it works

From domain to full cert read-out in about a second.

No openssl, no s_client incantations - just paste and read.

1. Paste a domain

Apex or subdomain - example.com, www.example.com, api.example.com. No need to include https://.

2. Run the check

We open a TLS connection to the host on port 443 from our edge and read the certificate it presents.

3. Read the report

You'll see issuer, expiry, days remaining, all SANs, TLS version, and the full chain - everything you need to confirm the cert is healthy.

Why SSL matters

A bad cert is a closed front door.

Browsers show an unmissable warning, search engines downrank, payment processors refuse to talk to you. SSL has to just work.

Trust & user confidence

Modern browsers turn a broken certificate into a full-screen red warning. Almost no user clicks through. An expired cert - even for 30 minutes - is a total outage, with the bonus of scaring off every visitor who saw the warning.

Compliance

PCI-DSS requires TLS 1.2 or higher. HIPAA, GDPR, and SOC 2 controls all assume transport encryption is in place. A downgrade to TLS 1.0 or a self-signed cert in production is an audit finding waiting to happen.

SEO

Google has used HTTPS as a ranking signal since 2014, and Chrome flags HTTP pages as "Not Secure" in the address bar. A broken cert effectively delists the page until you fix it.

Reference

TLS versions and certificate fields, explained.

What each field means, and which versions are safe to negotiate.

TLS 1.3

The current standard, released in 2018. Faster handshake (1-RTT, 0-RTT for resumed sessions), forward secrecy by default, dropped legacy ciphers. Aim for this.

TLS 1.2

Still widely used and acceptable for most purposes. PCI-DSS requires at least 1.2 since 2018. Don't downgrade below this.

TLS 1.0 / 1.1

Deprecated and disabled in all major browsers since 2020. If your server still offers these, modern clients won't connect and audits will flag you.

Subject Alternative Names (SANs)

The list of hostnames the certificate is valid for. Modern browsers ignore the legacy Common Name field - if the host isn't in the SANs, the browser shows a warning.

Wildcard certificates

A SAN like *.example.com covers any single label - api.example.com, www.example.com - but not deeper subdomains or the apex example.com itself.

Days to expiry

Set alerts at 30, 14, and 7 days. Let's Encrypt certs only last 90 days; even DV certs from commercial CAs now cap at 398 days.
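The SAN, wildcard and days-to-expiry rules above, as an added Python example (not SiteTrak's own code). It assumes a certificate in the dict shape that Python's ssl.SSLSocket.getpeercert() returns; the sample certificate and the function names are constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

ALERT_DAYS = (30, 14, 7)  # alert thresholds recommended above

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "www.example.com")),
    "notAfter": "Mar 31 00:00:00 2030 GMT",
}

def san_matches(host, san):
    """True if one SAN entry covers host; '*' stands for exactly one label."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if not san.startswith("*."):
        return host == san
    first_label, _, parent = host.partition(".")
    return bool(first_label) and parent == san[2:]

def covered(host, cert):
    """Check host against the DNS SANs only; the Common Name is not consulted."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(san_matches(host, n) for n in names)

def days_remaining(cert, now):
    """Whole days between now (an aware datetime) and the cert's notAfter."""
    expiry = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expiry - now.timestamp()) // 86400)

def alert_level(days):
    """Map days remaining onto the tightest threshold that has been crossed."""
    if days < 0:
        return "expired"
    crossed = [t for t in ALERT_DAYS if days <= t]
    return f"alert-{min(crossed)}d" if crossed else "ok"

if __name__ == "__main__":
    now = datetime(2030, 3, 11, tzinfo=timezone.utc)  # fixed clock for the demo
    for host in ("api.example.com", "example.com", "a.b.example.com"):
        print(host, covered(host, SAMPLE_CERT))
    print(alert_level(days_remaining(SAMPLE_CERT, now)))
```

The sample certificate deliberately omits the apex, so example.com is reported as not covered even though the wildcard is present.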

FAQ

Frequently asked questions.

Quick answers about the checker and how to use it well.

Why does my browser say my certificate is fine but this tool flags it?

Browsers cache OCSP and intermediate certs aggressively. A first-time visitor or a new device might fail where your warm browser succeeds. This tool checks the connection cold, which is closer to what real users see.

What's the difference between a missing intermediate and an expired cert?

An expired cert is invalid - every client rejects it. A missing intermediate is a server config issue - your leaf cert might be perfectly valid, but the server isn't sending the chain to prove it, so clients without a cached intermediate fail. Both look like the same outage.

Does this work for self-signed certs?

Yes - we'll show the cert details and explicitly call out that it's self-signed or untrusted. Useful for inspecting internal or staging environments.

Can I check a non-standard port?

This tool checks port 443 (standard HTTPS). For other ports (993 IMAP, 587 SMTP, 5432 Postgres, etc.) you'll need a CLI tool like openssl s_client.

How often should I check my SSL?

On every certificate renewal, and any time you change CDN or load balancer config. For continuous coverage, SiteTrak checks SSL every few hours and alerts at 30 / 14 / 7 days before expiry - and the moment the cert breaks.

Is this tool really free?

Yes - no signup, no email harvesting. We rate-limit per-IP to keep it fast for everyone. The paid product is the monitoring side: scheduled checks and expiry alerts.

Check it once. Or have SiteTrak watch it forever.