Free SSL Certificate Checker

Check SSL certificate validity, issuer, expiry, and SAN list for any domain. Uses public Certificate Transparency logs - no scanning, no API key, no signup. Free, instant, comprehensive.

Queries Certificate Transparency logs via crt.sh. Returns the most recent currently-valid cert. Cached 1h.

Quick Answer

An SSL certificate checker reports whether a domain has a valid public certificate, who issued it, when it expires, and which subdomains it covers. The U2L SSL Checker queries Certificate Transparency (CT) logs via crt.sh - the same database browsers use to verify cert legitimacy. Returns the most recent currently-valid certificate plus a count of historical certs for the domain.

Quick Facts

  • Queries public Certificate Transparency (CT) logs via crt.sh. No live TLS handshake; CT logs cover 99%+ of public certificates.
  • Returns the issuer (Let's Encrypt, DigiCert, Sectigo, Google Trust, etc.), validity dates, days until expiry, and the full SAN (Subject Alternative Names) list.
  • Detects expired certs, soon-to-expire certs (under 30 days), and overprovisioned certs (excessive SANs that hint at misconfiguration).
  • CT-log mandate: since 2018, Chrome, Firefox, Safari, and Edge require CT submission for new public certs. So any browser-trusted cert appears here.
  • Cached at the U2L edge for 1 hour. Repeat lookups return instantly without re-querying crt.sh.
  • Free, no API key. For deeper analysis (cert chain validation, OCSP, vulnerability scan), use SSL Labs or testssl.sh.
  • Useful for: pre-launch QA, expiry monitoring, brand-protection (rogue certs), DNS migration verification, security audits.

How to check SSL certificate info

Two steps. Domain in, cert details out.

  1. Enter the domain

    Type the domain (or subdomain) into the search box. The tool strips https:// and trailing /paths automatically.

  2. Review the cert details

    Issuer, validity dates, days until expiry, and SAN list appear. Look for upcoming expiry warnings (under 30 days) and unexpected issuer changes.

  3. Optional: drill into history

    The tool reports the count of all CT-logged certs for the domain. Click through to crt.sh for the full historical view.

What is an SSL Certificate Checker?

An SSL Certificate Checker is a tool that reports SSL certificate metadata for any domain. Instead of opening a browser, clicking the lock icon, and reading the cert dialog, you get the same info as a clean JSON-backed page. Behind the scenes, the U2L tool queries Certificate Transparency (CT) logs - the public, mandatory cert database that browsers use to verify cert legitimacy.

Certificate Transparency was launched by Google in 2013 as a defense against rogue certificate issuance. Every certificate authority (CA) is required to submit issued certs to public, append-only logs. Chrome started requiring CT inclusion for new EV certs in 2015 and for all certs in 2018; Firefox, Safari, and Edge followed. So any cert your browser trusts appears in CT logs - and so any cert appears in the U2L tool.

The U2L tool queries crt.sh, a free public CT-log search engine maintained by Sectigo (formerly Comodo CA) since 2013. crt.sh aggregates CT submissions from all major logs (Argon, Xenon, Nimbus, Yeti) and provides a JSON API. The U2L wrapper normalizes the response into a clean per-cert view: issuer, validity dates, SAN list, serial number.

What this tool is NOT: a live TLS handshake check. We don't dial port 443 on your domain and inspect what cert it serves right now. That's a different (and more invasive) check provided by SSL Labs, testssl.sh, and similar tools. CT-log lookup is faster and covers most use cases - you can see the latest issued cert without bothering the origin server.

How does an SSL Certificate Checker work?

When you submit a domain, the U2L API normalizes the input (strips https://, www., trailing path), validates the format, then calls https://crt.sh/?q=DOMAIN&output=json. crt.sh returns an array of cert records - sometimes hundreds for popular domains - each with issuer, validity dates, common name, SANs, and a serial number.

The U2L wrapper filters to currently-valid certs (not_before <= now <= not_after), sorts by issuance date descending, and returns the most recently issued. This is almost always the cert your browser would see if it visited the domain right now (sometimes wrong by a few minutes during an active rotation, but rarely meaningfully).

The full SAN list is parsed from the raw cert. Wildcard SANs (*.example.com) are common; the tool surfaces them along with explicit subdomains. Long SAN lists (50+ entries) often indicate misconfigured shared certs or hosting platforms that put many tenants on one cert.

Results are cached at the Cloudflare edge for 1 hour with public Cache-Control headers. Repeat queries for the same domain return instantly. crt.sh is free but can be slow during peak hours; the cache layer protects users from those slow paths and keeps response times consistent.
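The normalize, filter and select steps described in this section, as an added example that is not U2L's own code. It runs on constructed records shaped like crt.sh's JSON output, and it assumes not_before is the issuance date and that a precertificate and its final certificate can be collapsed by issuer and serial number.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed records in the shape of crt.sh's JSON output (all values made up).
def _rec(serial, names, nb, na, issuer="C=US, O=Let's Encrypt, CN=R10"):
    return {"issuer_name": issuer, "serial_number": serial, "name_value": names,
            "not_before": nb + "T00:00:00", "not_after": na + "T00:00:00"}

SAMPLE = [
    _rec("03aa", "example.com\nwww.example.com", "2024-03-01", "2024-05-30"),
    _rec("04bb", "example.com\nwww.example.com", "2024-05-01", "2024-07-30"),
    _rec("05cc", "*.example.com\nexample.com", "2024-06-10", "2024-09-08"),
    _rec("05cc", "*.example.com\nexample.com", "2024-06-10", "2024-09-08"),  # precert + cert
]

def normalize_domain(raw):
    """Strip scheme, port, path and a leading www.; return the punycode form."""
    raw = raw.strip().lower()
    host = urlsplit(raw if "//" in raw else "//" + raw).hostname or ""
    if host.startswith("www."):
        host = host[4:]
    return host.encode("idna").decode("ascii")

def _utc(stamp):
    # Assumption: timestamps carry no zone suffix and are UTC.
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)

def current_cert(records, now):
    """Pick the most recently issued certificate that is valid at `now`."""
    unique = {}
    for r in records:  # a precertificate and its final certificate share a serial
        unique.setdefault((r["issuer_name"], r["serial_number"]), r)
    valid = [r for r in unique.values()
             if _utc(r["not_before"]) <= now <= _utc(r["not_after"])]
    if not valid:
        return None  # nothing currently valid in the logs (expired, or a private CA)
    newest = max(valid, key=lambda r: _utc(r["not_before"]))
    sans = sorted(set(newest["name_value"].split("\n")))
    days = (_utc(newest["not_after"]) - now).days
    return {"issuer": newest["issuer_name"], "serial": newest["serial_number"],
            "sans": sans, "days_until_expiry": days,
            "expiring_soon": days < 30,    # the 30-day warning window
            "many_sans": len(sans) >= 50,  # the 50+ SAN heuristic
            "valid_now": len(valid), "logged_total": len(unique)}

if __name__ == "__main__":
    print(normalize_domain("https://www.Example.com/pricing?x=1"))
    print(current_cert(SAMPLE, datetime(2024, 6, 15, tzinfo=timezone.utc)))
```

On 2024-06-15 two of the sample certificates are valid at once, which is the rotation case: the function returns the newer one and reports `valid_now` as 2 so the overlap is visible.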

Use Cases

How marketers, businesses, and developers use the SSL certificate checker.

Pre-launch SSL QA

Before launching a new site, verify the cert is issued, valid, and covers the right SANs. Catch issuer typos and missing wildcards before users hit the cert error.

Expiry monitoring

Quarterly check on production domains. Catch certs expiring in the next 30 days before they break customer logins. Use as a fallback when your monitoring stack misses one.

Brand-protection (rogue cert detection)

Look for unexpected certs issued for your domain. Rogue certs from a different issuer than your standard CA can indicate a compromised account or misconfigured DNS.

DNS migration verification

After moving a domain to a new hosting provider, confirm the new cert is issued and live. CT logs show the cert immediately after issuance, before DNS fully propagates.

Subdomain audit

Check which subdomains are covered by your wildcard cert. SAN list reveals exactly what's protected; missing entries signal DNS that's not yet behind your cert.

Security audit

Compliance audits often require evidence of cert validity. The CT-log lookup is publicly verifiable evidence that doesn't require server access.

Vendor due diligence

Evaluating a SaaS vendor? Check their cert. Issued by a reputable CA? Recent issue date? SAN list reasonable? All signal good operational hygiene.

M&A technical due diligence

Acquisition target's domains - run cert checks on the full portfolio. Identifies expired or risky certs before close.

DNS migration planning

When changing CDN or hosting providers, confirm the existing cert (or new cert) covers all required SANs. Avoid mid-migration surprises.

Detecting unauthorized cert issuance

Periodic CT-log audits catch certs issued for your domains by unauthorized parties. Use CAA DNS records to prevent this; CT-log lookup confirms whether prevention is working.

SSL Certificate Checker vs Alternatives

Side-by-side feature and pricing comparison with the top alternatives.

Feature | U2L | SSL Labs | testssl.sh | crt.sh direct

  • Free unlimited lookups: Self-host
  • CT-log query (issuer, dates, SANs): Mixed, Mixed
  • Live TLS handshake check
  • Cert chain + OCSP validation
  • Vulnerability scan (Heartbleed, etc.)
  • Browser-only (no install)
  • Edge-cached (sub-second response): 1h
  • JSON / API output: Paid tier

SSL Certificate Checker vs SSL Labs (ssllabs.com)

SSL Labs is the gold standard for live SSL/TLS analysis. Live TLS handshake, full cert chain validation, OCSP status, vulnerability scan (Heartbleed, POODLE, ROBOT), and a letter grade (A+, B, F). Free, no signup; scans take 30-90 seconds.

U2L's tool is faster and simpler: CT-log query for cert metadata only. For 'when does my cert expire?', U2L is faster. For 'is my TLS configuration secure?', SSL Labs is mandatory. Both are useful for different jobs.

SSL Certificate Checker vs testssl.sh

testssl.sh is a comprehensive command-line TLS scanner. Self-hosted, runs from your own machine, deep analysis (cipher suites, vulnerability checks, cert pinning). Open source, MIT license.

U2L's web tool is a quick CT-log lookup, no install required. For deep server-side TLS auditing in CI/CD, testssl.sh remains the right choice. For 'check my cert real quick', U2L is faster.

Best Practices

Set up automated expiry monitoring

CT-log lookup is for ad-hoc checks. For production, use a monitoring stack that alerts on certs under 30 days from expiry. Check Pingdom, UptimeRobot, or Cloudflare's cert manager.

Use CAA DNS records to limit issuance

CAA records (Certificate Authority Authorization) restrict which CAs can issue certs for your domain. Without CAA, any CA can issue certs for any domain. CAA + CT-log monitoring catches unauthorized issuance.

Verify SAN list covers all subdomains

After issuance, run the SSL checker and confirm every subdomain you serve traffic on appears in the SAN list. Missing entries cause cert errors for affected subdomains.

Audit cert issuer changes

If your standard CA is Let's Encrypt and a Sectigo cert appears for your domain, investigate. Either someone in your org bought a different cert, or the CA was compromised.
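An added example (not part of the U2L tool) of the issuer audit described here: it groups CT records by issuer organisation and reports any issuance since the last review that did not come from your standard CA. The allowlist, the review date and the sample records are constructed, and the field names follow crt.sh's JSON output.

```python
import re
from datetime import datetime

# Hypothetical allowlist: the issuer organisations you normally obtain certs from.
EXPECTED_ISSUER_ORGS = {"Let's Encrypt"}

def _rec(issuer, serial, names, not_before):
    return {"issuer_name": issuer, "serial_number": serial,
            "name_value": names, "not_before": not_before + "T00:00:00"}

SECTIGO = "C=GB, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA"

# Constructed records in the shape of crt.sh's JSON output (all values made up).
CT_RECORDS = [
    _rec("C=US, O=Let's Encrypt, CN=R10", "04bb", "example.com\nwww.example.com", "2024-05-01"),
    _rec(SECTIGO, "0a1b", "example.com\nlogin.example.com", "2024-06-02"),
    _rec(SECTIGO, "0a1b", "example.com\nlogin.example.com", "2024-06-02"),  # precert + cert
    _rec('C=US, O="Example Trust, Inc.", CN=Example TLS CA', "0c2d", "example.com", "2023-01-10"),
]

def issuer_org(issuer_name):
    """Return the O= value of an issuer DN, handling quoted values that contain commas."""
    m = re.search(r'(?:^|,\s*)O=(?:"([^"]*)"|([^,]+))', issuer_name)
    if not m:
        return "(no organisation)"
    return (m.group(1) if m.group(1) is not None else m.group(2)).strip()

def unexpected_issuance(records, expected_orgs, since):
    """Group certs issued on or after `since` by issuer organisations not on the allowlist."""
    findings = {}
    for r in records:
        if datetime.fromisoformat(r["not_before"]) < since:
            continue  # already covered by an earlier review
        org = issuer_org(r["issuer_name"])
        if org in expected_orgs:
            continue
        entry = findings.setdefault(org, {"serials": set(), "names": set()})
        entry["serials"].add(r["serial_number"])  # the set collapses precert/cert pairs
        entry["names"].update(r["name_value"].split("\n"))
    return {org: {"serials": sorted(e["serials"]), "names": sorted(e["names"])}
            for org, e in findings.items()}

if __name__ == "__main__":
    hits = unexpected_issuance(CT_RECORDS, EXPECTED_ISSUER_ORGS, datetime(2024, 1, 1))
    for org, hit in hits.items():
        print(f"investigate: {org} issued {hit['serials']} for {hit['names']}")
```

Matching on the organisation rather than the full issuer string keeps routine intermediate changes at your standard CA from raising a finding.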

Re-check after CDN or hosting migrations

After moving hosting providers, the cert may change. CT-log lookup confirms the new cert is issued and active before declaring migration complete.

Don't trust 'no cert found' as a positive signal

If the tool returns 'no cert in CT logs', it doesn't mean your domain has no cert. CT-log submission is mandatory for browser-trusted certs only; private/internal certs aren't logged.

Cross-reference with SSL Labs for production audits

U2L gives you the cert metadata. SSL Labs gives you the full TLS configuration grade. Use both: U2L for speed, SSL Labs for depth.

Be aware of the 1-hour cache

Results are cached for 1 hour. If you just renewed a cert and the U2L tool shows the old one, wait a minute (CT submission is fast but not instant). Re-check after 5 minutes for the new issuance.

Common Mistakes to Avoid

Confusing CT-log lookup with live TLS check

U2L queries CT logs - the historical record of cert issuance. It does NOT dial port 443 and inspect what cert is being served right now. If your origin is misconfigured but the cert is logged, U2L still shows the cert as 'valid' even if browsers can't reach it.

Treating CT-log gaps as 'no cert'

Domains with no public cert (internal services, private CAs) won't appear in CT logs. The tool returns 'no certificate found' but that's not the same as 'has no cert' - it's 'has no public cert'.

Ignoring upcoming expiry

30 days to expiry isn't a panic - but it is a planning window. Renewals via Let's Encrypt are automatic and reliable; manual CA renewals (Sectigo, DigiCert paid tiers) need a human in the loop.

Trusting the wrong cert during rotation

During active cert rotation, two certs may be valid simultaneously. CT-log lookup returns the most recently issued; that's almost always right but can be wrong by minutes during the cutover.

Trusting the SAN list as exhaustive

Each cert covers a specific SAN list. Multi-cert deployments (one cert per subdomain) don't appear together; query each subdomain separately to see its cert.

Using CT-log lookup for vulnerability assessment

CT logs don't tell you if your TLS configuration is secure (cipher suites, protocol versions, OCSP stapling). For TLS health, run SSL Labs.

Querying private/internal domain names

Internal domains (intranet.company.local, dev.company.internal) typically use private CAs that don't submit to CT logs. The tool returns no results - that's expected.

Technical Specifications

  • Source: Certificate Transparency logs via crt.sh
  • Coverage: 99%+ of browser-trusted public certs (CT-mandatory since 2018)
  • Fields returned: Common Name, Issuer, Not Before, Not After, days until expiry, SANs, serial number
  • Cache TTL: 1 hour at the Cloudflare edge
  • Lookup timeout: 12 seconds (crt.sh can be slow for popular domains)
  • Punycode (IDN) support: Yes - input as xn-- form for canonical lookup
  • Live TLS handshake: No - use SSL Labs or testssl.sh for that
  • Vulnerability scan: No - use SSL Labs for Heartbleed, POODLE, ROBOT, etc.
  • API endpoint: GET /api/tools/ssl-checker?domain=example.com

Industry-Specific Use Cases

DevOps and SRE

Production cert expiry monitoring, post-deploy verification, automated audit scripts via the API.

Security and compliance

SOC 2 / ISO 27001 evidence collection, brand-protection (rogue cert detection), CA provider audit.

Web developers and freelancers

Pre-launch QA on client domains, post-deploy verification, troubleshooting cert errors.

M&A and due diligence

Domain portfolio audit during acquisition. Identify expired or risky certs before close.

Brand protection

Periodic CT-log audits for unexpected certs issued for your domains. Combine with CAA DNS for prevention.

SaaS providers and customer success

Customer-domain cert health checks, onboarding QA for white-label customers, troubleshooting customer reports.

Frequently Asked Questions

What's Certificate Transparency?

Certificate Transparency (CT) is a public, append-only log of all certs issued by participating CAs. Required by Chrome, Firefox, Safari, and Edge for new public certs since 2018. CT logs let anyone verify which certs exist for a domain.

Is this a live SSL check or just a database lookup?

Database lookup. The tool queries crt.sh (the most-used public CT-log search engine) for cert records. It does NOT dial port 443 on your domain to inspect the live cert. For live TLS checks, use SSL Labs.

Why doesn't my internal domain show any certs?

Internal domains (intranet.company.local, dev.company.internal) typically use private CAs that don't submit to CT logs. CT-log lookup only sees public, browser-trusted certs.

How fresh is the data?

Real-time as of crt.sh's last sync. Most CAs submit to CT logs within minutes of issuance; Let's Encrypt is sub-second. crt.sh ingests submissions continuously. Edge cache adds up to 1 hour.

Why are there so many certs for my domain?

Each renewal creates a new cert. Let's Encrypt renews every 90 days; commercial CAs renew yearly. A 5-year-old domain may have 50+ certs in CT logs. The tool returns only the most recently issued currently-valid one.

What does 'days until expiry' mean exactly?

Calendar days from now until the cert's not_after date. Negative values mean the cert is expired (which the tool filters out unless the only cert in CT logs is expired).

What's a SAN?

Subject Alternative Name - a field in the cert listing additional hostnames the cert is valid for. Modern certs use SANs instead of multi-cert deployments. A typical cert covers example.com + www.example.com plus optionally wildcards.

Can I check a specific subdomain?

Yes. Type the subdomain (blog.example.com). The tool queries crt.sh for that exact name. Subdomain queries can be slower than apex queries for popular domains.

Does this work for internal / staging domains?

Only if they have publicly-issued certs (Let's Encrypt for internal staging is common). Self-signed or private-CA certs don't appear in CT logs and won't be found.

Can I check certs for an IP address?

No. CT logs are indexed by hostname, not IP. To check certs for an IP, use SSL Labs or testssl.sh which connect directly to the IP.

Will this catch rogue certs issued for my domain?

Yes if the rogue cert is from a CT-participating CA. Periodic CT-log lookups are a standard brand-protection tactic. Pair with CAA DNS records to prevent rogue issuance in the first place.

How do I detect when a cert is about to expire?

Run this tool periodically (or use a monitoring service). The 'days until expiry' field shows the countdown. Most teams alert at 30 days; renew well before then if your CA requires manual processing.

What's an issuer?

The CA that issued the cert. Common issuers: Let's Encrypt (R3, R10, E1, E5), Google Trust Services (GTS), DigiCert, Sectigo, ZeroSSL, Cloudflare (for managed certs). Unexpected issuer changes warrant investigation.

Why does my just-renewed cert not show up?

CT-log submission is fast but not instant. Most CAs submit within minutes; Let's Encrypt submits before issuance. Wait 5 minutes and re-check; if still missing, the renewal may not have completed.

Does the tool support IDN / punycode domains?

Yes. Input the punycode form (xn--caf-dma.com) for canonical lookup. The Unicode form (café.com) also works; the tool converts internally.

Is there an API I can call programmatically?

Yes. GET https://u2l.ai/api/tools/ssl-checker?domain=example.com returns JSON. Cached for 1 hour. No auth required. Be polite - don't loop more than 1 request per second per domain.

Should I use this or SSL Labs?

Both for different jobs. U2L for fast cert metadata (when does my cert expire? who issued it?). SSL Labs for full TLS health (cipher suites, vulnerabilities, configuration grade). They complement each other.

What happens if crt.sh is down?

The tool returns an error. crt.sh is run by Sectigo and has high uptime; outages are rare and usually short. Try again in a few minutes if you hit one.

Key Terms

SSL / TLS
Secure Sockets Layer / Transport Layer Security. Cryptographic protocols for encrypting HTTPS traffic. SSL is the older name; TLS 1.2 / 1.3 is modern. Casually called 'SSL' even though TLS is the actual protocol.
Certificate Transparency (CT)
Public, append-only log of all certs issued by participating CAs. Required for browser trust since 2018. CT logs let anyone verify which certs exist for a domain.
Certificate Authority (CA)
A trusted entity that issues SSL certs. Common CAs: Let's Encrypt (free), Google Trust Services, DigiCert, Sectigo, GoDaddy. Browsers maintain a 'trusted CA' list; certs from non-trusted CAs cause errors.
Subject Alternative Name (SAN)
A cert field listing additional hostnames the cert is valid for. Modern certs cover multiple hostnames via SANs (example.com + *.example.com + api.example.com all in one cert).
CAA record
DNS Certification Authority Authorization (RFC 6844). Restricts which CAs can issue certs for a domain. Without CAA, any CA can issue. With CAA, unauthorized issuance fails. Use with CT-log monitoring for full protection.
Issuer
The CA that issued the cert. Visible in the cert metadata. Common issuers' intermediate names: Let's Encrypt (R3, R10, E1), Google Trust (GTS), DigiCert (DigiCert TLS RSA), Cloudflare (CF Origin), Sectigo (Sectigo RSA).

Want automated expiry alerts and rogue-cert monitoring?

Sign up free for U2L Pro to schedule daily CT-log checks across all your domains, receive expiry alerts 30/60/90 days out, and detect rogue certs from unexpected issuers. No credit card; takes 30 seconds.
