SSL Certificate Checker

We open a live TLS connection to the host on port 443 and capture the certificate it presents. No third-party API — it's just your server talking to theirs.

If you're on Let's Encrypt, renewal is automatic (check your certbot logs). Commercial CAs email you before expiry. Either way, monitor expiry — a lapsed cert means every visitor gets a scary browser warning.

Subject Alternative Name — the list of hostnames the certificate is valid for. Modern certs can cover a main domain and wildcard like *.example.com. Check that your cert covers both www and non-www variants.

The latest TLS protocol version (2018). Faster handshakes, better security than 1.2. If your negotiated protocol is 1.0 or 1.1, upgrade — those are deprecated and browsers warn on them.

Your leaf cert + zero or more intermediates + a root. A correctly-configured server sends the leaf plus all intermediates. If the chain is length 1, you may be missing intermediates — some clients will reject the cert.