Expiry checks
Confirm a certificate is still valid and spot endpoints that are close to expiry before an incident.
Documentation
Inspect the leaf TLS certificate for a public hostname, review SAN coverage, and catch expiry or issuer issues quickly.
Overview
Use SSL Certificate Inspector when you need a quick read of the certificate a public TLS endpoint is currently serving on a hostname and port.
Confirm a certificate is still valid and spot endpoints that are close to expiry before an incident.
Check SAN coverage and common name details when a hostname mismatch or SNI issue is suspected.
Review issuer, subject, fingerprints, and self-signed signals without reaching for OpenSSL commands.
Supported inputs
Walk through it
Workflow
Use this flow when you need the currently served leaf certificate for one hostname.
Workflow
Use this flow when browsers or clients report trust or hostname problems.
What you get
A top-level summary shows the normalized hostname, port, issuer, subject CN, and validity window.
Expiry, hostname coverage, validity timing, and self-signed signals are surfaced as quick checks.
Subject, issuer, SAN names, serial identifiers, and SHA fingerprints are normalized into copy-ready sections.
Avoid these mistakes
Enter only the hostname. Do not include `https://`, paths, or query strings.
If the service terminates TLS on a different port, enter that port before you run the check.
This v1 tool shows the served leaf certificate only, not the full certificate chain.
Glossary
This section translates the most technical labels on the page into plain language so you can interpret the output without opening another tab.
SAN stands for Subject Alternative Name. It is the list of hostnames or IP entries a certificate is allowed to identify. Browsers usually check this list before they check anything else.
The common name is an older certificate identity field. If a SAN list exists, clients usually rely on the SANs first and only fall back to the common name when SANs are absent.
The issuer is the certificate authority or signing certificate that created the certificate you are inspecting. It tells you who vouched for that certificate.
A self-signed certificate is signed by the same identity it represents instead of by a separate certificate authority. That can be fine for internal systems, but public browsers usually will not trust it automatically.
A fingerprint is a short hash of the certificate itself. Teams use it to confirm they are looking at the exact same certificate across logs, inventory systems, and support tickets.