SSL Checker

Inspect a host's TLS certificate chain, expiry, trust, protocol, and hostname match.

Paste a hostname, IP, or URL. Paths such as example.com/about are stripped automatically.

About the SSL Checker

The SSL Checker connects to a hostname on port 443 (or a port you choose) and reads the TLS certificate the server presents. You get the subject, issuer, validity dates, days until expiry, fingerprints, subject alternative names, the negotiated protocol and cipher, whether the hostname matches the certificate, and whether the server sent a complete chain.

Unlike paste-and-decode tools, this performs a live handshake against the real endpoint. That is what you need when verifying a deployment, chasing an expiry warning, or confirming a new certificate is being served after a renewal.

The check runs on our server because browsers cannot open arbitrary TLS sockets to read certificate details the way a dedicated checker can. The hostname you enter is sent to our server, which connects outbound to that host. We do not store the hostname or the result. Trust evaluation uses our server's trust store: authorized means the chain validates against the system CAs. The rejectUnauthorized setting is relaxed so that mis-issued or expired certificates can still be read instead of aborting the handshake.
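The live check described above and the "Not trusted" causes listed in the FAQ, as an added Node.js example that is not this site's own code. The function names (parseTarget, summarize, check) and the cause labels are assumptions made for illustration; the TLS calls and error codes are Node's standard ones.

```javascript
// Added example, not the site's code. authorizationError codes -> FAQ "Not trusted" causes.
const CAUSES = {
  DEPTH_ZERO_SELF_SIGNED_CERT: 'self-signed certificate',
  SELF_SIGNED_CERT_IN_CHAIN: 'self-signed certificate in chain',
  CERT_HAS_EXPIRED: 'expired certificate',
  ERR_TLS_CERT_ALTNAME_INVALID: 'hostname mismatch',
  UNABLE_TO_VERIFY_LEAF_SIGNATURE: 'issuer of leaf not found (often a missing intermediate)',
};

// Accept a hostname, IP or URL; drop the path; enforce the 1-65535 port range.
function parseTarget(input, portField) {
  const raw = String(input).trim();
  const url = new URL(/^[a-z][a-z0-9+.-]*:\/\//i.test(raw) ? raw : `https://${raw}`);
  const port = Number(url.port || (portField ?? 443));
  if (!Number.isInteger(port) || port < 1 || port > 65535) throw new RangeError('port must be 1-65535');
  return { host: url.hostname.replace(/^\[|\]$/g, ''), port };
}

// Pure reporting step, so it can be exercised without a network connection.
function summarize(cert, authorized, authError, now) {
  return {
    subject: cert.subject && cert.subject.CN,
    issuer: cert.issuer && cert.issuer.CN,
    sans: (cert.subjectaltname || '').split(', ').filter(Boolean),
    fingerprint256: cert.fingerprint256,
    daysUntilExpiry: Math.floor((new Date(cert.valid_to) - now) / 86400000),
    trusted: authorized,
    reason: authorized ? null : CAUSES[authError] || String(authError),
  };
}

// Live handshake: verification still runs, but a failure does not abort the connection.
async function check(input, portField) {
  const [tls, net] = await Promise.all([import('node:tls'), import('node:net')]);
  const { host, port } = parseTarget(input, portField);
  return new Promise((resolve, reject) => {
    const servername = net.isIP(host) ? undefined : host; // SNI carries names, not IPs
    const socket = tls.connect({ host, port, servername, rejectUnauthorized: false }, () => {
      const cert = socket.getPeerCertificate(true);
      const out = summarize(cert, socket.authorized, socket.authorizationError, new Date());
      out.hostnameMatch = tls.checkServerIdentity(host, cert) === undefined;
      Object.assign(out, { protocol: socket.getProtocol(), cipher: socket.getCipher().name });
      socket.end();
      resolve(out);
    });
    socket.setTimeout(10000, () => socket.destroy(new Error('handshake timed out')));
    socket.on('error', reject);
  });
}
```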

For pasted PEM certificates or CSRs that never leave your machine, use the SSL Decoder in this same category. For matching a private key to a cert, use Key Matcher.

Frequently asked questions

What does "Not trusted" mean?

The certificate chain did not validate against the system trust store on our server. Common causes are a self-signed certificate, an expired cert, a hostname mismatch, or a missing intermediate. The cert is still read and shown so you can inspect it.

Does my hostname or URL get stored?

No. Our server connects to the host you specify, returns the result to your browser, and does not persist the query.

Can I check a port other than 443?

Yes. Set the port field to any value between 1 and 65535. You can also paste an https:// URL and the hostname (and port if present) will be parsed automatically.

Why does "Incomplete chain" appear?

The server sent only its leaf certificate without the intermediate CAs needed to build a path to a trusted root. Browsers may still work if they cache the intermediate, but you should install the full chain on the server.

How is this different from the SSL Decoder?

The SSL Checker performs a live TLS connection to a remote host. The SSL Decoder parses PEM you paste locally in your browser and never uploads it. Use the checker for live endpoints; use the decoder for files and copied PEM blocks.