About the SSL / TLS Checker
The SSL certificate checker connects to a host and inspects the live TLS/SSL certificate it presents. It reports the expiry date and days remaining, the issuer and subject, the Subject Alternative Names (SANs) the certificate covers, the full certificate chain, and whether the chain is trusted. This gives you a quick health check without reaching for openssl on the command line.
Use it to catch certificates before they expire, confirm a deployment is serving the right cert and full chain, or verify that a hostname is included in the SANs. The connection is made from the server, so for safety the tool refuses private or loopback targets to guard against server-side request forgery (SSRF).
How to use it
- Enter the hostname (and port, if not the default 443) you want to inspect.
- Run the check to open a TLS connection to that host.
- Review the expiry date and days remaining before renewal is needed.
- Check the issuer, subject and SANs to confirm the certificate matches the host.
- Verify the certificate chain is complete and trusted.
Examples
- Check example.com and see the certificate expires in 47 days, issued by a public CA, with a trusted chain.
- Inspect a host after deploying a new cert and confirm the SANs include both example.com and www.example.com.
- Try a private address like 127.0.0.1 or 10.0.0.5 and see the tool refuse it because of the SSRF guard.
Frequently asked questions
What does this SSL checker show?
It shows the live certificate's expiry and days remaining, issuer, subject, Subject Alternative Names, the certificate chain, and whether that chain is trusted by standard root authorities.
How do I know when my certificate expires?
The tool displays the certificate's not-after date along with the number of days remaining, so you can plan renewal before it lapses and causes browser warnings.
Why can't I check localhost or a private IP?
The tool refuses private and loopback targets as an SSRF safeguard, preventing the server from being used to probe internal networks. Use it for publicly reachable hosts only.
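One way a guard like this can be written, as an added example that is not the tool's own code: the names `is_public`, `vet_target`, `system_resolver` and `BlockedTarget` are hypothetical. It goes slightly beyond the private and loopback cases named above by also rejecting link-local, shared-address and multicast ranges, and it assumes a target is refused if any of its resolved addresses is internal.

```python
import ipaddress
import socket


class BlockedTarget(ValueError):
    """The target must not be contacted from the server."""


def is_public(ip: str) -> bool:
    """True only for globally routable unicast addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable: fail closed
    # Judge IPv4-mapped IPv6 (::ffff:a.b.c.d) by the IPv4 address inside it.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # is_global excludes loopback, RFC 1918, link-local and shared ranges;
    # multicast is excluded separately.
    return addr.is_global and not addr.is_multicast


def system_resolver(host: str, port: int) -> list[str]:
    """Resolve via the OS; IP literals are returned without a DNS query."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def vet_target(host: str, port: int = 443, resolve=system_resolver) -> list[str]:
    """Resolve once; return the addresses to connect to, or raise."""
    if not 1 <= port <= 65535:
        raise BlockedTarget(f"invalid port {port}")
    try:
        addresses = resolve(host, port)
    except (OSError, UnicodeError) as exc:
        raise BlockedTarget(f"cannot resolve {host!r}") from exc
    # Check what the resolver returned, not the string the user typed, and
    # reject if ANY record is internal.
    blocked = [ip for ip in addresses if not is_public(ip)]
    if blocked or not addresses:
        raise BlockedTarget(f"{host!r} is not a public target")
    return addresses
```

The TLS connection should then go to one of the returned addresses, with the original hostname passed as `server_hostname` for SNI and name verification, so the name is not resolved a second time between the check and the connection.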
Is the certificate inspected in my browser or on the server?
The TLS connection is made from the server, which fetches the certificate and returns the details to you. The hostname you enter is sent to the server to perform the connection.
What are SANs and why do they matter?
Subject Alternative Names list every hostname a certificate is valid for. A connection is only trusted if the hostname you use appears in the SANs, so checking them helps diagnose name-mismatch errors.
What does it mean if the chain is not trusted?
An untrusted chain usually means an intermediate certificate is missing or the cert is self-signed or from an unrecognized authority. Browsers will then show a security warning to visitors.