SSL Certificate Checker
Expiry countdown, chain details, protocol and SAN list for any HTTPS host.
Queries run through the PacketNebula lookup service. We log nothing.
The number that matters: days left
Everything else on a certificate is configuration; expiry is a countdown. The meter at the top goes orange under 30 days and red under 7 because those are the practical thresholds: 30 days is when renewal automation should already have fired (Let's Encrypt renews at 30 days by default), and 7 days means someone needs to act today. If you run anything customer-facing, check the certificate from outside your network: internal monitoring has a talent for watching the wrong load balancer.
What the verdict badges mean
Trusted means the chain validates against the standard root store: browsers will not complain. Untrusted with an authorization error names the actual problem: an expired certificate, a hostname mismatch (certificate for www but you queried the apex), a self-signed certificate, or a missing intermediate. The SAN list shows every name the certificate covers; if the host you typed is not in that list, that is your mismatch, and wildcards only cover one label level (*.example.com matches api.example.com but not v2.api.example.com).
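The SAN matching rule above, together with the 30-day and 7-day thresholds from the days-left section, as an added example that is not the PacketNebula service's own code. The input uses the `subjectaltname` and `valid_to` field shapes of Node's `getPeerCertificate()`; the sample certificate, the function names and the "green" and "expired" labels are assumptions.

```javascript
// Added example. Field names follow Node's getPeerCertificate(); values are constructed.
const DAY_MS = 24 * 60 * 60 * 1000;

// "DNS:a.example, IP Address:192.0.2.1" -> lowercase DNS names only.
function sanDnsNames(subjectaltname) {
  return (subjectaltname || "")
    .split(",")
    .map((entry) => entry.trim())
    .filter((entry) => entry.toLowerCase().startsWith("dns:"))
    .map((entry) => entry.slice(4).toLowerCase().replace(/\.$/, ""));
}

// A wildcard counts only as the whole leftmost label and covers exactly one label.
function nameMatches(pattern, host) {
  const p = pattern.split(".");
  const h = host.toLowerCase().replace(/\.$/, "").split(".");
  if (p.length !== h.length) return false;
  return p.every((label, i) =>
    i === 0 && label === "*" ? h[i].length > 0 : label === h[i]);
}

// Page thresholds: red under 7 days, orange under 30.
// "green" and "expired" are labels assumed for this example.
function meter(daysLeft) {
  if (daysLeft < 0) return "expired";
  if (daysLeft < 7) return "red";
  if (daysLeft < 30) return "orange";
  return "green";
}

function assess(cert, host, now) {
  const daysLeft = Math.floor((new Date(cert.valid_to) - now) / DAY_MS);
  const names = sanDnsNames(cert.subjectaltname);
  const matchedBy = names.find((n) => nameMatches(n, host)) || null;
  return { daysLeft, meter: meter(daysLeft), hostCovered: matchedBy !== null, matchedBy };
}

// Constructed certificate fields and a fixed clock so the result is repeatable.
const sampleCert = {
  subjectaltname: "DNS:www.example.com, DNS:*.example.com, IP Address:192.0.2.10",
  valid_to: "Mar 15 12:00:00 2026 GMT",
};
const sampleNow = new Date("2026-03-01T12:00:00Z");
for (const host of ["api.example.com", "v2.api.example.com", "example.com"]) {
  const r = assess(sampleCert, host, sampleNow);
  const san = r.hostCovered ? `covered by ${r.matchedBy}` : "hostname mismatch";
  console.log(`${host}: ${san}, ${r.daysLeft} days left (${r.meter})`);
}
```

The apex query fails here because the constructed certificate lists only www and the wildcard, which is the mismatch case the paragraph describes.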
Chain problems: invisible on your machine, fatal elsewhere
The chain section lists what the server actually sent. A complete chain goes leaf, intermediate(s), and optionally the root. When the intermediate is missing, desktop browsers usually still connect because they cache intermediates from other sites, which is precisely why the bug ships to production: it works on the dev's machine. The places it breaks are curl in CI, Java clients, old Android and monitoring probes. Serve the full chain and this entire class of mystery disappears.
Where lifetimes are heading
Public TLS certificates were capped at 398 days in 2020, and the CA/Browser Forum has voted in a schedule that shrinks maximum validity to 200 days in 2026, 100 days in 2027 and 47 days in 2029. The message is unambiguous: manual renewal is over. If your renewal process involves a calendar reminder and a human with a pem file, automate it (ACME does this for free) before the schedule does it to you.
Frequently asked questions
How often do certificates actually expire by accident?
Constantly, including at companies that should know better: expired certificates have knocked out Microsoft Teams, Spotify and government portals. The cause is rarely ignorance; it is the one certificate that lived outside the renewal automation, on a load balancer or an internal API. A periodic external check like this one exists to catch exactly those strays.
What does "chain incomplete" or an authorization error mean?
Your server presented its own certificate but not the intermediate certificate linking it to a trusted root. Browsers often paper over this with cached intermediates, so the site looks fine on your machine while curl, mobile apps and monitoring agents fail. The fix is server-side: serve the full chain (fullchain.pem, not cert.pem).
Is TLS 1.2 still acceptable in 2026?
Yes. With modern cipher suites it remains widely accepted. TLS 1.3 is faster (one fewer round trip) and removes the legacy footguns, so enable it if your stack allows, but being on 1.2 alone is not an incident. TLS 1.0 and 1.1 were formally deprecated by RFC 8996 and should be off.
Why is my certificate only valid for a few months?
The industry has been shortening certificate lifetimes for years: public certificates have been capped at 398 days since 2020, Let's Encrypt issues for 90 days, and the CA/Browser Forum has scheduled further reductions toward 47-day certificates by 2029. Short lifetimes force automation, and automated renewal is the only kind that does not get forgotten.
Can I check a host on a non-standard port?
Yes, set the port field: 8443 for alternative HTTPS, 993 for IMAPS, 465 for SMTPS, 636 for LDAPS. The check performs a TLS handshake with SNI on whatever port you give it, so any TLS service works, not just web servers.