logo
GeekFormat

SSL Certificate Checker

Certificate Probe

Initiate TLS handshake directly from the server, read certificate, negotiate protocol and remaining validity.

Check SSL/TLS certificates online. Enter a domain to view certificate validity, domain matching, days remaining, TLS version, cipher suites, and SAN list. Backend-initiated handshake with no CORS issues.

Related

Use Cases

  • Quickly verify whether HTTPS is working properly before website launch or after certificate renewal
  • Certificate expiration alerts: Check days remaining regularly to avoid unexpected expiration causing access interruption
  • Troubleshoot browser HTTPS errors: Locate whether it's expiration, name mismatch, or certificate chain issue
  • Verify edge node certificates are correctly loaded after CDN/reverse proxy deployment
  • Check whether TLS protocol versions and cipher suites meet security compliance requirements
  • Verify SAN list covers all target domains after multi-domain certificate deployment

Features

  • Backend TLS handshake: Initiates TLS connection directly from server, no browser CORS restrictions, can check any public domain
  • Instant authorization status judgment: Certificate validity, domain matching, and authorization error information at a glance
  • Days remaining color alerts: >30 days green, 7-30 days yellow, <7 days red for quick renewal timing judgment
  • Core configuration overview: TLS protocol version, Cipher suite, ALPN protocol negotiation results directly visible
  • Complete SAN list display: All Subject Alternative Names listed as tags, expandable to view all if more than 8
  • Dual fingerprints one-click copy: SHA-1 and SHA-256 fingerprints displayed separately with one-click copy support
  • Complete JSON export: Expand to view full certificate JSON structure, supports one-click copy for deep troubleshooting and archiving

How to Use

  1. Enter the domain to check (e.g., geekformat.com, without https:// prefix)
  2. Click the 'Check Certificate' button and wait 1-3 seconds for TLS handshake results
  3. First check authorization status (green valid/red invalid) and days remaining color
  4. Check whether TLS version, Cipher, and ALPN negotiation meet expectations
  5. View Subject/Issuer, validity period, SAN list to confirm certificate information is correct
  6. For deep troubleshooting, expand JSON details to view full certificate structure and copy for archiving

FAQ

Why do I need to check SSL certificates?

Certificate expiration, domain mismatches, and configuration errors are the most common issues for HTTPS websites. After expiration, browsers display an 'Not secure' warning causing visitor loss, and Google search rankings are also affected. Regular checking and early renewal are basic DevOps tasks to ensure HTTPS operates normally.

What's the difference between this checker and SSL Labs?

SSL Labs performs deep scoring (comprehensive testing including protocols, ciphers, vulnerabilities, taking about 2 minutes), while this tool performs quick basic checks (returning results in 1-3 seconds), covering core information like certificate validity, expiration, TLS version, cipher suites, and SAN list, suitable for quick pre-launch validation, renewal confirmation, and troubleshooting.

Why can browsers access directly but this tool fails to check?

Possible reasons: 1) Website blocks overseas IPs (check servers are overseas); 2) Server has SNI differentiation but incomplete configuration; 3) Uses enterprise intranet self-signed certificate; 4) Firewall blocks check nodes. Check failure does not mean certificate has issues; judge based on specific error messages.

What's the difference between TLS 1.2 and TLS 1.3?

TLS 1.3 (2018, RFC 8446) is the latest version, with handshake speed improved from TLS 1.2's 2-RTT to 1-RTT or even 0-RTT, removing insecure algorithms like RSA key exchange, RC4, and SHA-1, enabling Forward Secrecy by default, with significant improvements in security and performance. New deployments should prioritize TLS 1.3 support while retaining TLS 1.2 for older client compatibility.

How many days before certificate expiration should I renew?

Recommend starting renewal preparation 30 days before expiration, completing deployment at least 7 days early. The tool uses color alerts: >30 days green (normal), 7-30 days yellow (should renew), <7 days red (urgent). Let's Encrypt certificates have 90-day validity; recommend configuring automatic renewal.

Let's Encrypt

What is a SAN list and why is it important?

SAN (Subject Alternative Name) is a list of domains/IPs declared allowed for use in the certificate. Modern browsers (Chrome 58+) no longer trust the Common Name (CN) field and only check SAN. If the accessed domain is not in the SAN list, browsers will report a 'name mismatch' error. One certificate can cover multiple domains via SAN (e.g., example.com, www.example.com, api.example.com).

Why check certificate fingerprints?

Certificate fingerprints (SHA-1/SHA-256) are hash values of certificate content, usable for HPKP (deprecated), Certificate Pinning, and manual verification that deployed certificates match expectations—for example, confirming whether CDN has correctly loaded new certificates, or verifying certificate consistency across multiple servers. Note: SHA-1 fingerprints are for identification only and should not be used for security verification.

What is SSL/TLS Certificate Checking?

SSL/TLS certificate checking is the process of initiating a TLS handshake from the client to obtain and analyze certificate information returned by the target server, thereby determining whether HTTPS configuration is correct. Core check items include: whether the certificate is within its validity period, whether the accessed domain is in the certificate's allowed list (SAN matching), whether the certificate chain is complete and trusted, whether the TLS protocol version and cipher suites used are secure, etc.

**Why is certificate checking so important?** SSL certificates are the trust foundation of HTTPS. Once certificate issues occur (most commonly expiration), browsers directly block access, displaying a red warning page 'Your connection is not private', causing direct damage to website traffic, conversion rates, SEO rankings, and brand trust. According to monitoring, certificate expiration is the most common cause of HTTPS failures, accounting for over 40% of all HTTPS incidents.

**How is this different from accessing directly in a browser?** Browser access may have deviations due to cache, HSTS, enterprise proxies, client certificates, etc.; while certificate checker tools initiate standard TLS handshakes from independent nodes, returning objective, standardized certificate information suitable for DevOps verification scenarios. This tool initiates TLS handshakes directly from backend servers, **with no browser CORS restrictions**, and can check any publicly reachable HTTPS domain.

**Core information checked by this tool**: Certificate authorization status (valid or not), specific authorizationError error messages, TLS protocol version (TLS 1.2/1.3), negotiated cipher suite (Cipher), ALPN protocol negotiation results (h2/http/1.1), certificate issuer (Subject/Issuer), validity period start and end dates (validFrom/validTo), days remaining (with color alerts), SAN Subject Alternative Name list, SHA-1/SHA-256 fingerprints, response time, and complete JSON details.

Check results typically return in 1-3 seconds, suitable for scenarios like quick pre-launch validation, renewal confirmation, and troubleshooting. For deep scoring (such as SSL Labs A+-F rating including renegotiation, vulnerability testing, protocol support, etc.), recommend using together with SSL Labs Server Test.

术语表

SSL/TLS
SSL (Secure Sockets Layer) is an encryption protocol developed by Netscape in the 1990s, later standardized by IETF and renamed TLS (Transport Layer Security). SSL 3.0 and earlier versions are all deprecated; TLS 1.2 and TLS 1.3 are currently in actual use, though the term 'SSL certificate' is still commonly used by convention.
HTTPS
HTTP over TLS, adding a TLS encryption layer between HTTP and TCP to provide data encryption, server authentication, and content integrity protection. Google search gives ranking weight to HTTPS sites, and Chrome marks non-HTTPS sites as 'Not secure'.
SAN (Subject Alternative Name)
X.509 certificate extension field listing all domain names and IP addresses allowed for use by this certificate. Modern browsers (Chrome 58+) only check SAN and no longer look at Common Name (CN). One SAN certificate can protect multiple domains simultaneously.
Certificate Chain
The trust chain from leaf certificate (server certificate) to intermediate CA certificate, then to root CA certificate. The server must send leaf certificate + intermediate certificate; browsers verify chain integrity via pre-installed root certificates. Missing intermediate certificates is a common configuration error.
ALPN (Application-Layer Protocol Negotiation)
TLS extension allowing negotiation of application-layer protocols during TLS handshake (e.g., h2 for HTTP/2, http/1.1 for HTTP/1.1, h3 for HTTP/3). After handshake completion, directly use negotiated protocol without additional round trips.
Cipher Suite
A set of encryption algorithm combinations negotiated during TLS handshake, including key exchange algorithm, authentication algorithm, symmetric encryption algorithm, and hash algorithm, such as TLS_AES_256_GCM_SHA384. Secure configurations should prioritize AEAD suites (e.g., GCM, ChaCha20-Poly1305).
Let's Encrypt
A free, automated, open certificate authority (CA) operated by ISRG, officially launched in 2016, has issued over 3 billion certificates, greatly lowering HTTPS deployment barriers. Certificates have 90-day validity, with automatic renewal via ACME protocol.Let's Encrypt Official Website
Fingerprint
Hash value calculated from certificate DER-encoded content, commonly SHA-1 and SHA-256. Fingerprints uniquely identify a certificate, usable for certificate pinning and multi-node consistency verification. SHA-1 is no longer recommended for security purposes due to collision risks but remains widely used for identification.
SNI (Server Name Indication)
TLS extension where client sends target domain name during handshake, enabling servers on the same IP to deploy multiple certificates for different domains (similar to HTTP Host header). SNI is the foundation for modern virtual host HTTPS; servers without SNI configured return default certificates, which may cause name mismatch errors.
Forward Secrecy / PFS
A security property: even if server private key is compromised later, previously recorded encrypted session traffic cannot be decrypted. Implemented via ephemeral key exchange algorithms like ECDHE, it is mandatory for TLS 1.3 and a recommended standard for modern security configurations.

TLS Protocol Version History and Status

Protocol VersionRelease YearCurrent StatusNotes
SSL 1.0-3.01995-1996❌ Deprecated/InsecureContains critical vulnerabilities like POODLE; disabled by all modern browsers
TLS 1.01999❌ DeprecatedBEAST, CRIME vulnerabilities; prohibited since PCI DSS 2018
TLS 1.12006❌ DeprecatedFormally deprecated in RFC 8996; Chrome/Firefox removed support in 2020
TLS 1.22008⚠️ Widely Supported (Transition)Currently most widely deployed with best compatibility, but has some weak cipher suite risks
TLS 1.32018 (RFC 8446)✅ RecommendedFaster handshake (1-RTT/0-RTT), weak algorithms removed, preferred by modern browsers

Certificate Expiration Color Alerts and Recommendations

Days RemainingStatus ColorRecommended Action
>30 days🟢 Green (Normal)No action needed; check periodically
7-30 days🟡 Yellow (Warning)Start renewal process as soon as possible to ensure replacement before expiration
<7 days🔴 Red (Urgent)Renew immediately; browsers will block access after expiration
0 days/Expired🔴 Red (Expired)Certificate is invalid; users will see security warnings and must be addressed immediately

Common SSL Error Troubleshooting

Error TypeCommon CausesSolution Direction
Certificate expiredCertificate not renewed past validTo dateRenew and deploy new certificate promptly
Name mismatchCurrent access domain not in certificate SAN listReissue certificate including target domain, or check CDN origin configuration
Incomplete chainServer not configured with intermediate certificates correctlyDeploy intermediate certificate combined with leaf certificate
Self-signed certificateCertificate issued by private CA, not publicly trustedUse publicly trusted CA like Let's Encrypt to issue certificate
Untrusted issuerCA root certificate not in browser trust storeReplace with certificate issued by trusted CA

Authoritative References