How to Check an SSL Certificate for Any Domain
SSL/TLS certificates encrypt the connection between a browser (or email client) and a server, protecting data in transit from eavesdropping and tampering. An expired, misconfigured, or missing SSL certificate triggers browser warnings, breaks HTTPS connections, and can prevent email servers from negotiating TLS encryption. Regularly checking your certificates ensures your domain stays secure and trusted.
Try It Now
Use our free SSL Checker to instantly inspect any domain's SSL certificate, including expiration, issuer, and SAN entries.
Step 1: Enter Your Domain in the SSL Checker
Open the Email Armory SSL Checker and type the domain you want to inspect (for example, example.com). You do not need to include https:// — the tool connects to the server on port 443 automatically. Click "Check" to retrieve the certificate.
Step 2: Read the Certificate Details
The results show the certificate's subject (the primary domain it was issued for), the issuer (the Certificate Authority that signed it), the certificate chain, and the protocol version. Review these details to confirm the certificate belongs to your domain and was issued by a trusted CA.
Step 3: Check the Expiration Date
Look at the Valid From and Valid To fields. If the certificate has expired or will expire within the next 30 days, you need to renew it immediately. Expired certificates cause browsers to display a full-page security warning, which blocks most visitors from reaching your site. If you use Let's Encrypt, make sure your auto-renewal cron job or ACME client is working.
Step 4: Verify SAN Entries
The Subject Alternative Name (SAN) field lists every domain and subdomain the certificate covers. Confirm that all the hostnames you serve are included. Common entries include the bare domain (example.com) and the www subdomain (www.example.com). If you also serve mail on mail.example.com, that hostname must appear here too, or email clients negotiating TLS will see a name mismatch.
Step 5: Check the Issuer
The issuer field tells you which Certificate Authority (CA) signed the certificate. Trusted CAs include Let's Encrypt, DigiCert, Sectigo, GlobalSign, and Google Trust Services. If the issuer is unknown or the certificate is self-signed, browsers and email servers will not trust it. For production use, always obtain a certificate from a recognized CA.
Step 6: Troubleshoot Common Issues
If the SSL Checker reports problems, here are the most common causes and fixes:
- Certificate expired — Renew the certificate through your CA or hosting provider. If you use Let's Encrypt, run certbot renew and restart your web server.
- Name mismatch — The domain you entered is not listed in the certificate's SAN field. Re-issue the certificate with all required hostnames included.
- Incomplete chain — The server is not sending intermediate certificates. Configure your web server to serve the full certificate chain, not just the leaf certificate.
- Self-signed certificate — Replace it with a certificate from a trusted CA. Let's Encrypt offers free certificates that are trusted by all major browsers.
- Connection refused on port 443 — Your server is not listening for HTTPS connections. Verify your web server configuration and firewall rules.
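The expiration, SAN and issuer checks from Steps 3 to 5 can also be scripted for automated monitoring. The following is an added example, not Email Armory's code: it uses Python's standard ssl module, and the function names and the SAMPLE certificate are constructed for illustration.

```python
import ssl
import socket
from datetime import datetime, timedelta, timezone

def fetch_cert(host, port=443, timeout=5):
    """Fetch the leaf cert; untrusted issuer, incomplete chain or name mismatch raises SSLCertVerificationError."""
    ctx = ssl.create_default_context()  # chain and hostname verification are on by default
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def san_matches(pattern, host):
    """Match one SAN DNS entry against a hostname; '*' may only stand for the leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def audit_cert(cert, hostnames, now=None, warn_days=30):
    """Return a list of findings for a getpeercert()-style dict (Steps 3 to 5)."""
    now = now or datetime.now(timezone.utc)
    findings = []
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if not_after <= now:
        findings.append("expired")
    elif not_after - now <= timedelta(days=warn_days):
        findings.append(f"expires in {(not_after - now).days} days")
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for name in hostnames:  # every hostname you serve must be covered (Step 4)
        if not any(san_matches(p, name) for p in sans):
            findings.append(f"{name} not covered by SAN")
    subject = dict(rdn[0] for rdn in cert["subject"])
    issuer = dict(rdn[0] for rdn in cert["issuer"])
    if subject == issuer:  # Step 5: certificate was signed by its own subject
        findings.append("issuer equals subject (likely self-signed)")
    return findings

# Constructed sample in the format ssl.SSLSocket.getpeercert() returns; not a real certificate.
SAMPLE = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),), (("commonName", "Example CA R1"),)),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Apr  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}

if __name__ == "__main__":
    when = datetime(2025, 3, 12, tzinfo=timezone.utc)  # fixed clock so the output is reproducible
    print(audit_cert(SAMPLE, ["example.com", "www.example.com", "mail.example.com"], now=when))
```

For a live check, pass the result of fetch_cert("example.com") to audit_cert together with the list of hostnames you serve.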
Frequently Asked Questions
How often should I check my SSL certificate?
You should check your SSL certificate at least once a month and set up automated monitoring to alert you 30 days before expiration. Expired certificates cause browser warnings that drive visitors away and can break email delivery over TLS.
What does it mean if my SSL certificate is self-signed?
A self-signed certificate is not issued by a trusted Certificate Authority (CA). Browsers and email servers will show security warnings because they cannot verify the certificate's authenticity. For production websites and mail servers, always use a certificate from a trusted CA like Let's Encrypt, DigiCert, or Sectigo.
What is a SAN entry on an SSL certificate?
SAN stands for Subject Alternative Name. It is a certificate extension that lists all the domain names and subdomains the certificate is valid for. For example, a single certificate might cover example.com, www.example.com, and mail.example.com. If a domain is not listed in the SAN field, browsers will show a name mismatch error.