Does the checker validate the chain?

Yes. The trust result reflects Node's bundled CA store. Untrusted certs are still inspected so you can debug self-signed or staging environments — the trust verdict and the cert details are independent.

Can I check non-HTTPS ports?

Yes — pass the port (e.g., 8443 for an alternate HTTPS port, 993 for IMAPS, 465 for SMTPS). Anything that does an immediate TLS handshake (no STARTTLS) works.

Why does the SAN list matter?

The hostname must match a SAN entry for browsers to trust the cert. If you added a new subdomain but forgot to include it in the SAN list at reissue, requests to that subdomain will fail in browsers.

Why isn't the cert trusted?

Common reasons: it's self-signed, the chain is incomplete (the server isn't sending intermediates), the hostname doesn't match a SAN, or it's expired. The authorization error in the response will tell you which.

Developer Tools

SSL Certificate Checker

Open a TLS connection to any domain and inspect the certificate: issuer, expiry, SAN list, chain, and cipher.

Securely processed on our servers

Files are deleted automatically within 1 hour.

About SSL Certificate Checker

SSL Certificate Checker opens a real TLS handshake to a domain on port 443 (or any port you choose) and reports back exactly what the server presented: the leaf certificate, its issuer, the validity window, the days remaining, the Subject Alternative Names list, the full chain back to the root, the negotiated TLS protocol version, and the negotiated cipher suite. The check runs server-side because browsers don't expose the raw certificate to JavaScript. We use Node's TLS stack with rejectUnauthorized turned off so we can show you details for self-signed and untrusted certs too — the trust verdict is reported separately so you can see "yes, the cert is valid, but not trusted by Node's CA store" as distinct facts. The expiry badge turns red below 14 days remaining and amber below 30, so a glance tells you whether something needs attention. The SAN list is the source of truth for which hostnames the cert actually covers — easy to forget to add a new subdomain when re-issuing. Common use cases: confirming a freshly-renewed cert is actually serving; auditing the SAN list before re-issue; checking a self-signed cert in a staging environment; spotting weak cipher suites; verifying TLS 1.3 is negotiating where you expect.

How SSL Certificate Checker works

Enter a domain (port defaults to 443).
We open a TLS socket with the hostname as SNI and ALPN advertising h2 and http/1.1.
Once the handshake completes we read the peer certificate and walk the chain.
Trust is checked against Node's bundled CA store; failures don't block — they're just reported.
The negotiated protocol version and cipher suite are returned alongside the cert.

When to use SSL Certificate Checker

Verify a renewed cert is actually being served (browsers cache, this doesn't).
Audit the SAN list to make sure every subdomain is covered before reissue.
Inspect a self-signed cert on a staging or internal host.
Check that TLS 1.3 is negotiating where it should be.
Spot weak cipher suites your terminator is still allowing.
Confirm a cert was issued by the CA you expect (Let's Encrypt, ZeroSSL, your internal PKI).

Why choose Utilix SSL Certificate Checker

Trust verdict is reported separately from cert details — you can inspect untrusted certs without errors.
Full SAN list and chain, not just the leaf.
Negotiated protocol and cipher reported alongside the cert.
Free, no signup, no rate limits beyond fair use.