SSL Certificate Checker

Free SSL/TLS certificate checker. Instantly scan any domain for certificate validity, expiry date, SSL grade, protocol support, HSTS status, and known vulnerabilities. Powered by SSL Labs.

What this tool does

Free SSL certificate checker — scan any domain for TLS security, expiry, grade, and vulnerabilities

How this SSL checker works, what each result means, and how to fix common SSL problems

This free SSL certificate checker connects to the SSL Labs public API — the same engine used by security professionals worldwide — to perform a comprehensive analysis of any domain's TLS configuration. Unlike simple certificate viewers that only show the expiry date, this tool performs an active scan: it connects to the server, negotiates TLS handshakes, probes for protocol support, checks for known vulnerabilities, and assigns an overall grade from A+ (near-perfect security) down to F (critical failures). All results are cached by SSL Labs for 24 hours; enable "Force fresh scan" to bypass the cache.

The most important result for most website owners is the expiry date. An expired SSL certificate causes every major browser to display a full-screen security warning that prevents most users from proceeding to your site — effectively taking your site offline. Certificates issued by Let's Encrypt expire after 90 days; those from commercial CAs typically last 1 year. Set a calendar reminder 30 days before expiry, or use automated renewal tools like Certbot to handle this automatically.

The SSL grade reflects the overall quality of your TLS configuration. To achieve an A+, your server must support TLS 1.2 and 1.3 (while disabling the deprecated TLS 1.0 and 1.1), serve an HSTS header with a max-age of at least 180 days, use a 2048-bit or larger RSA key or an ECDSA key, support Forward Secrecy on all connections, and have no known vulnerabilities. Most modern web servers and CDNs (Cloudflare, Nginx, Apache) can achieve A+ with proper configuration.

What this tool checks
SSL/TLS Grade: Overall security rating from A+ to F based on certificate, protocols, ciphers, and server configuration.
Certificate Expiry: Exact expiry date with a countdown in days. Warning shown when fewer than 30 days remain.
Certificate Issuer: The Certificate Authority (CA) that issued the cert — e.g. Let's Encrypt, DigiCert, Sectigo.
Protocol Support: Which TLS versions the server accepts: TLS 1.0, 1.1 (deprecated), 1.2 and 1.3 (recommended).
HSTS Status: Whether HTTP Strict Transport Security is configured and the max-age value in seconds.
Subject Alt Names: All hostnames the certificate is valid for, including wildcards and additional domains.
Key Algorithm: RSA or ECDSA key type and size. 2048-bit RSA minimum; 256-bit ECDSA is equivalent security at smaller size.
Heartbleed: CVE-2014-0160 — a critical OpenSSL bug that could expose private keys and session data.
POODLE: CVE-2014-3566 — a padding oracle attack that exploits CBC mode ciphers in older TLS versions.
Revocation Status: OCSP / CRL check to verify the certificate hasn't been revoked by the issuing CA.
Forward Secrecy: Whether the server uses ephemeral key exchange so past sessions can't be decrypted if the private key is compromised.
Signature Algorithm: The hash function used to sign the certificate — SHA-256 is standard; MD5 and SHA-1 are deprecated.
Examples

SSL certificate examples — from A+ perfect scores to expired and misconfigured certificates

Real-world SSL configurations with grades, what each result means, and how to fix common issues
Grade A+: cloudflare.com — near-perfect TLS configuration

Grade: A+
TLS 1.3: ✓ Supported
TLS 1.2: ✓ Supported
TLS 1.0/1.1: ✗ Disabled
HSTS: ✓ max-age=31536000; includeSubDomains; preload
Expiry: Valid — 340 days remaining
Heartbleed: ✓ Not vulnerable
Key: ECDSA 256-bit

An A+ rating means the server supports only modern TLS versions, has HSTS configured with at least 180 days max-age (Cloudflare uses a full year), uses a modern ECDSA key, enables forward secrecy on all connections, and has no known vulnerabilities. This is the gold standard every website should aim for.

Grade B: example-b.com — weak protocol support lowering the grade

Grade: B
TLS 1.3: ✓ Supported
TLS 1.2: ✓ Supported
TLS 1.1: ✓ Supported ← causes grade cap at B
TLS 1.0: ✓ Supported ← insecure, disable immediately
HSTS: ✗ Not set
Expiry: Valid — 120 days remaining

A B grade typically means the server still advertises support for the deprecated TLS 1.0 or 1.1 protocols, or HSTS is missing. Fix: in Nginx, set the following two directives to jump to an A or A+ rating:

    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

Expired: expired.badssl.com — certificate past its validity date

Grade: T (certificate error)
Expiry: ✗ EXPIRED — 1,830 days ago
Issuer: DigiCert
Error: Certificate has expired
Impact: All browsers show a full-screen security warning

An expired certificate causes every major browser to block users with a security warning page. This is one of the most common and avoidable causes of unplanned downtime. The fix is to renew and install a new certificate from your CA. If you use Let's Encrypt, set up Certbot with a cron job or systemd timer to auto-renew at 60-day intervals — well before the 90-day expiry.
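For monitoring expiry outside this tool, the following is an added example (not this tool's code) that applies the page's 30-day warning threshold to a certificate's notAfter field. The function names and the sample timestamps are constructed for illustration; only `fetch_not_after` touches the network.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # same warning threshold this page uses


def days_remaining(not_after: str, now: datetime) -> int:
    """Whole days until notAfter (negative once the certificate has expired).

    not_after is in the format ssl.SSLSocket.getpeercert() returns,
    for example 'Jan 21 00:00:00 2025 GMT'.
    """
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after),
                                     tz=timezone.utc)
    return (expires - now).days


def classify(not_after: str, now: datetime) -> str:
    """Map a notAfter timestamp to EXPIRED / RENEW_NOW / OK."""
    days = days_remaining(not_after, now)
    if days < 0:
        return "EXPIRED"
    if days < WARN_DAYS:
        return "RENEW_NOW"
    return "OK"


def fetch_not_after(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Read notAfter from a live server with certificate verification on.

    An already-expired or otherwise invalid certificate makes the handshake
    raise ssl.SSLCertVerificationError; treat that as a failed check too.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    # Constructed sample values, evaluated against a fixed clock so the
    # output is reproducible offline.
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    for sample in ("Dec 31 00:00:00 2024 GMT",
                   "Jan 21 00:00:00 2025 GMT",
                   "Mar  2 00:00:00 2025 GMT"):
        print(sample, "->", classify(sample, now))
```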

Wildcard Cert: *.example.com — single certificate covering all subdomains

Subject: CN=*.example.com
SANs: *.example.com, example.com
Issuer: Let's Encrypt R11
Key: RSA 2048-bit
Coverage: mail.example.com ✓ api.example.com ✓ sub.sub.example.com ✗ (wildcards are one level only)

A wildcard certificate covers all direct subdomains of a domain (one level only). *.example.com protects mail.example.com, api.example.com, etc., but not nested subdomains like sub.api.example.com. For multiple distinct domains (example.com, example.org), use a multi-SAN certificate or separate certificates for each domain.
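The one-level wildcard rule can be checked against a certificate's SAN list before deployment. This is an added example, not part of this tool; the function names are hypothetical, the SAN list is the one from the wildcard example above, and rejecting wildcards with fewer than two fixed labels (such as `*.com`) is a conservative choice made in this example.

```python
def san_matches(pattern: str, hostname: str) -> bool:
    """True if a single SAN dNSName entry covers hostname.

    '*' is honoured only as the entire left-most label and stands for
    exactly one label, so it never spans a dot.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # Label counts must be equal: this is what excludes nested subdomains
    # and also the bare apex domain from a wildcard entry.
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Require at least two fixed labels (assumption of this example).
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def covered_by(sans, hostname):
    """Return the SAN entries that cover hostname (empty list if none)."""
    return [s for s in sans if san_matches(s, hostname)]


def coverage_report(sans, hostnames):
    """Map each hostname to True/False depending on SAN coverage."""
    return {h: bool(covered_by(sans, h)) for h in hostnames}


# SAN list taken from the wildcard example on this page.
SANS = ["*.example.com", "example.com"]

if __name__ == "__main__":
    hosts = ["mail.example.com", "api.example.com",
             "sub.api.example.com", "example.com", "example.org"]
    for host, ok in coverage_report(SANS, hosts).items():
        print(f"{host:22} {'covered' if ok else 'NOT covered'}")
```

Note that `example.com` is covered here only because it is listed as its own SAN entry; the wildcard entry alone does not match the apex domain.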

FAQ

Frequently asked questions about SSL certificates, TLS security, and certificate management

Common questions about SSL certificates, grades, expiry, HSTS, and fixing security issues
What is an SSL certificate?
An SSL (Secure Sockets Layer) certificate is a digital credential that authenticates a website's identity and enables an encrypted connection between the server and the user's browser. When you see the padlock icon and 'https://' in your browser address bar, an SSL/TLS certificate is in use. Despite the name, modern implementations use TLS (Transport Layer Security) — a more secure successor to SSL — but the term 'SSL certificate' remains widely used.
What does the SSL grade mean?
The SSL grade (A+ to F) is calculated by SSL Labs and reflects the overall security of a server's TLS configuration. An A+ grade indicates a nearly perfect setup: TLS 1.3 support, strong ciphers, HSTS with a long max-age, and no known vulnerabilities. Lower grades indicate issues such as support for weak TLS 1.0 or 1.1 protocols, weak cipher suites, missing HSTS, or certificate problems like near-expiry or weak key sizes. Most modern sites should achieve an A or A+.
How do I check if my SSL certificate is expiring soon?
Enter your domain above and click Check SSL. The tool shows your certificate's expiry date and the number of days remaining. We recommend renewing your certificate at least 30 days before expiry — many certificate authorities (Let's Encrypt, DigiCert, etc.) send renewal reminders, and tools like Certbot can automate renewal. An expired certificate causes browsers to display a security warning that blocks most users from visiting your site.
What is HSTS and why does it matter?
HSTS (HTTP Strict Transport Security) is a security policy mechanism that tells browsers to always connect to a website using HTTPS, even if the user types 'http://'. Once a browser receives an HSTS header, it refuses to load the site over HTTP for the duration of the max-age period. This prevents downgrade attacks and cookie hijacking. To achieve an A+ grade from SSL Labs, your site must have HSTS enabled with a max-age of at least 180 days.
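To verify a header value against the 180-day requirement described above, the following added example (not this tool's code) parses a Strict-Transport-Security value and grades it. The function names and result strings are hypothetical; the sample header values are the ones shown on this page plus constructed failure cases.

```python
MIN_MAX_AGE = 180 * 24 * 3600  # 180 days = 15,552,000 seconds


def parse_hsts(value: str):
    """Parse a Strict-Transport-Security value; return None if invalid.

    Directive names are case-insensitive, max-age is mandatory, and a
    repeated directive invalidates the header (RFC 6797).
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # max-age may be a quoted string
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not (arg.isascii() and arg.isdigit()):
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # Unknown directives are ignored.
    return policy if policy["max_age"] is not None else None


def evaluate(header):
    """Grade a header value (None means the header was absent)."""
    if header is None:
        return "FAIL: no HSTS header"
    policy = parse_hsts(header)
    if policy is None:
        return "FAIL: malformed header"
    if policy["max_age"] == 0:
        return "FAIL: max-age=0 removes the HSTS policy"
    if policy["max_age"] < MIN_MAX_AGE:
        return "WARN: max-age below 180 days"
    return "PASS"


if __name__ == "__main__":
    # First two values appear on this page; the rest are constructed.
    for h in ("max-age=31536000; includeSubDomains; preload",
              "max-age=31536000", "max-age=86400", "includeSubDomains", None):
        print(repr(h), "->", evaluate(h))
```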
What are TLS 1.0 and TLS 1.1 and why are they a problem?
TLS 1.0 (released 1999) and TLS 1.1 (2006) are outdated TLS protocol versions with known vulnerabilities including BEAST, POODLE, and DROWN attacks. Major browsers dropped support for them in 2020. Servers still advertising support for TLS 1.0 or 1.1 receive a lower SSL Labs grade and may be downgraded in search engine rankings. You should configure your server to only accept TLS 1.2 and TLS 1.3.
What is a Subject Alternative Name (SAN)?
A Subject Alternative Name (SAN) is an extension in an SSL certificate that specifies additional hostnames the certificate covers. A wildcard certificate for *.example.com only covers one level of subdomains, but SANs can list specific hostnames like mail.example.com, api.example.com, and example.org on a single certificate. Modern browsers require certificates to use SANs — the older Common Name (CN) field is no longer sufficient for hostname validation.
What is Heartbleed?
Heartbleed (CVE-2014-0160) was a critical vulnerability in the OpenSSL library that allowed attackers to read the server's private memory — potentially exposing private keys, passwords, and sensitive data — by sending specially crafted TLS heartbeat requests. It was discovered in 2014 and affected a large portion of the internet. Any server running an unpatched OpenSSL version before 1.0.1g is still vulnerable. This tool checks whether the server you're scanning is affected.
Why is the scan taking a long time?
SSL Labs performs a thorough active scan of the server, testing dozens of TLS configurations, cipher suites, and known vulnerabilities. A full scan typically takes 60 to 90 seconds for a server that hasn't been scanned recently. If the server has been scanned within the last 24 hours, we use the cached result which loads instantly. You can request a fresh scan by clicking 'Force Fresh Scan' to bypass the cache.
