SSL Certificate Checker
Generate OpenSSL commands to inspect certificates, decode PEM certificates client-side, and review SSL best practices.
What is an SSL/TLS certificate?
An SSL/TLS certificate is an X.509 document that binds a public key to a domain name, signed by a certificate authority that browsers already trust. During the TLS handshake the server presents it to prove its identity before any encrypted traffic flows. Inside you will find the subject, the issuer, a validity window, the Subject Alternative Names listing every covered hostname, and the public key, all of which this tool can decode.
How does this tool work?
Three tabs cover the full workflow. The OpenSSL Commands tab takes a domain and generates ready-to-copy commands for fetching and inspecting its certificate from your terminal. The Certificate Decoder parses any PEM certificate you paste (issuer, validity dates, SANs, and key details) entirely in your browser via a built-in ASN.1 parser, so nothing is uploaded. The Best Practices tab is a checklist of TLS configuration essentials.
How do I check an SSL certificate from the command line?
The workhorse is openssl s_client -connect example.com:443 -servername example.com, piped into openssl x509 -noout -dates to see expiry, or -text -noout for the full dump. The -servername flag matters: it sends SNI, and without it servers hosting multiple sites will hand you the wrong (often default) certificate. Enter your domain in the commands tab and these are generated for you with the hostname filled in.
Why did my SSL check fail?
The big four: an expired certificate (check notAfter), a hostname mismatch where the domain you visited is not in the SAN list, an incomplete chain where the server forgot to send the intermediate certificate, and a self-signed certificate that no CA vouches for. Incomplete chains are sneaky: browsers often repair them silently while curl, Java, and mobile apps fail hard, so a site can look fine in Chrome yet break your API clients.
What are Subject Alternative Names and why is CN deprecated?
SANs are the definitive list of hostnames a certificate covers: example.com, www.example.com, a wildcard like *.example.com, or even IP addresses. The older Common Name field is ignored for hostname validation by every modern browser (Chrome dropped it back in version 58), so a certificate whose CN matches but whose SAN list does not will still fail. When debugging a mismatch, decode the certificate here and read the SAN section, not the subject line.
How long are SSL certificates valid?
Publicly trusted certificates are capped at 398 days, and the industry is steadily shortening that ceiling. Let's Encrypt issues 90-day certificates by design, which forces the right habit: automated renewal with certbot or acme.sh instead of calendar reminders. A quick expiry check is openssl x509 -noout -enddate against a saved PEM, or the dates command this tool generates for any live domain. Alert at 30 days out, not 3.
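The SAN-only hostname rule and the 30-day expiry alert described above can be combined into one triage function over a decoded certificate. This is an added example, not this tool's own code; the `cert` object shape and the function names are assumptions, and an incomplete chain cannot be detected from a single certificate, so it is not covered here.

```javascript
// Added example: triage decoded certificate fields against common failure causes.
// Assumed input shape: { subject, issuer, notAfter: Date, sans: string[] }.
const DAY_MS = 24 * 60 * 60 * 1000;

// A wildcard is honoured only as the whole leftmost label and stands for
// exactly one label: *.example.com covers www.example.com, but neither
// example.com nor a.b.example.com.
function sanMatches(san, host) {
  const pattern = san.toLowerCase().replace(/\.$/, "");
  const name = host.toLowerCase().replace(/\.$/, "");
  if (!pattern.startsWith("*.")) return pattern === name; // exact name or IP
  const dot = name.indexOf(".");
  if (dot < 1) return false; // host has no leftmost label to substitute
  return name.slice(dot) === pattern.slice(1);
}

function triage(cert, host, now = new Date(), warnDays = 30) {
  const findings = [];
  const daysLeft = Math.floor((cert.notAfter - now) / DAY_MS);
  if (cert.notAfter <= now) findings.push("expired");
  else if (daysLeft <= warnDays) findings.push("expires-soon");
  // Only the SAN list is consulted; the subject CN is deliberately ignored.
  if (!cert.sans.some((san) => sanMatches(san, host))) {
    findings.push("hostname-mismatch");
  }
  // Heuristic: subject equal to issuer means self-issued. A full check
  // would also verify the signature with the certificate's own key.
  if (cert.subject === cert.issuer) findings.push("self-signed");
  return { daysLeft, findings };
}

// Constructed sample: the CN matches the host, the SAN list does not.
const sample = {
  subject: "CN=shop.example.com",
  issuer: "CN=Example Issuing CA",
  notAfter: new Date("2030-01-20T00:00:00Z"),
  sans: ["example.com", "www.example.com"],
};
console.log(triage(sample, "shop.example.com", new Date("2030-01-01T00:00:00Z")));
```
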
Is it safe to paste my certificate here?
Yes. A certificate is public by definition; the server hands it to every client that connects, and Certificate Transparency logs publish every issued certificate anyway. The decoder also never transmits what you paste; parsing happens locally in your browser. The one rule that always applies: never paste a private key (BEGIN PRIVATE KEY) into any website, including this one. This tool only needs the certificate block to decode it.