Logo Website Checker
SSL

SSL Certificate Lookup

Free No sign-up Port 443

Connect to a hostname on port 443 and inspect the TLS certificate it presents. See whether the certificate is valid and trusted, when it expires, which names it covers, and the full certificate chain.

Results reflect what our server sees when connecting with SNI for your hostname. Load-balanced sites may present different certificates on different nodes.

Look up SSL certificate

Enter a domain or hostname. You can paste a full HTTPS URL - we extract the hostname automatically. Only public hostnames on port 443 are allowed.

Free to use. We do not store the hostnames you look up. To test HTTP response and redirects, use our website checker .

What is an SSL certificate?

An SSL/TLS certificate is a digital document that proves a server's identity and enables encrypted HTTPS connections. When you visit https://example.com, the server presents its certificate during the TLS handshake before any page content is sent.

Certificates are issued by certificate authorities (CAs) such as Let's Encrypt, DigiCert, or Cloudflare. They list which hostnames the certificate is valid for, when it expires, and who issued it. Browsers reject connections when the certificate is expired, untrusted, or does not match the hostname you requested.

Looking up a certificate does not access private server data. It is the same public handshake every HTTPS client performs.

What this tool does

Enter a hostname and we connect to port 443 with SNI (Server Name Indication) so the correct certificate is returned on shared IPs. We parse the leaf certificate and chain, then show validity, issuer, SAN names, fingerprints, and TLS details.

We check whether the certificate matches your hostname, whether it is within its validity period, and whether it chains to a trusted public CA on our server. A separate connection with strict verification sets the trusted flag.

This is a point-in-time snapshot from our network. If you just renewed a certificate, CDN edges or load balancers may still serve an older one until deployment completes. For hostname mismatch fixes, see our SSL hostname mismatch guide .

How to read the results

Expiry and validity

Valid from and Valid until show the certificate's active window in UTC. Days until expiry helps you plan renewals. Browsers typically reject certificates after Valid until, even if DNS and HTTP are otherwise correct.

Subject Alternative Names (SANs)

SANs list every DNS name the certificate covers. A cert for www.example.com alone will fail on example.com (apex). Wildcards like *.example.com cover one level of subdomains (api.example.com) but not the apex domain.

Certificate chain

The chain shows the leaf certificate plus intermediates up toward a root CA. Missing or wrong intermediate certificates can cause trust errors in some clients even when the leaf cert is correct.

Trusted vs hostname match

Hostname match means the name you entered appears in the CN or SAN list. Trusted means our server verified the chain against public CAs. A certificate can match the hostname but still be untrusted (incomplete chain, wrong issuer) or self-signed.

When to use an SSL lookup

Use this tool when you need certificate details, not just whether a page loads:

  • Before a certificate expires - confirm the live cert's Valid until date and set renewal reminders.
  • After installing a new certificate - verify SANs include every hostname you serve (apex, www, API subdomains).
  • When browsers show certificate warnings - check for expiry, mismatch, or untrusted chain.
  • Before opening a support ticket - paste the issuer, SAN list, and expiry from the copy summary.
  • When migrating to a new host or CDN - confirm the edge presents the expected issuer and chain.

If the certificate looks correct but visitors still see errors, check mixed content, HSTS, or CDN caching. Use the website checker to confirm HTTP status and redirects.

SSL lookup vs website checker

Website checker

Answers "Is the site online?" with HTTP status, redirects, response time, and a simple secure/insecure SSL result. Best for uptime and reachability.

SSL lookup

Answers "What certificate is presented?" with expiry, SANs, issuer, chain, fingerprints, and TLS version. Best for certificate audits and support tickets.

DNS lookup

Shows published DNS records (A, MX, TXT, etc.). DNS can be correct while HTTPS fails due to certificate problems - use both tools together.

Frequently asked questions

Is it safe to look up someone else's certificate?

Yes. Certificates are sent in plaintext during the TLS handshake to any client that connects. This tool performs the same public handshake and displays data your browser would also receive.

Why does the result differ from what I see in my browser?

You may hit a different CDN edge or load balancer than our server. Your browser may also cache HSTS or use a different DNS resolver. Compare SANs and expiry - small differences in TLS version are normal.

Can I check custom ports?

Not currently. This tool connects to port 443 only, which is the standard HTTPS port for public websites.

What does "trusted" mean in the results?

It means our server could verify the certificate chain against common system trust stores. A "No" result often means a missing intermediate, a self-signed certificate, or a corporate proxy - not necessarily that your visitors see the same warning.

Do you store the hostnames I look up?

We do not intentionally store looked-up hostnames in a database. Standard server logs may record requests as most web servers do. See our Privacy Policy for details.

Related tools & guides