SSL Certificate Checker
Check SSL/TLS certificates for any website or server to verify security, expiration dates, and configuration.
What is SSL Certificate Checker?
The SSL Certificate Checker is a tool in the Keychain tab that lets you:
✅ Check Certificates - Verify SSL certificates for any domain
✅ View Details - See issuer, subject, expiration, and validity
✅ Check DNS - View DNS records and IP addresses
✅ Verify Chain - Confirm certificate chain is complete
✅ Monitor Expiry - Track certificate expiration dates
✅ Copy Info - Export certificate details for documentation
Accessing SSL Certificate Checker
From Keychain Tab
1. Open Keychain tab
2. Click dropdown arrow next to "Generate" button
3. Select "SSL Certificate Checker"
Keyboard shortcut:
- Ctrl/Cmd + K → Open Keychain
- Click dropdown → SSL Certificate Checker
Interface Overview
┌────────────────────────────────────────────────────┐
│ SSL Certificate Checker [×] │
├────────────────────────────────────────────────────┤
│ Hostname: │
│ ┌────────────────────────────────────────────┐ │
│ │ example.com │ │
│ └────────────────────────────────────────────┘ │
│ │
│ Port: │
│ ┌────────────────────────────────────────────┐ │
│ │ 443 │ │
│ └────────────────────────────────────────────┘ │
│ │
│ [Check Certificate] │
├────────────────────────────────────────────────────┤
│ Results: │
│ │
│ ✓ Certificate Valid │
│ │
│ Subject: example.com │
│ Issuer: Let's Encrypt Authority X3 │
│ Valid From: Oct 1, 2024 │
│ Valid Until: Dec 31, 2024 (82 days) │
│ │
│ DNS: 93.184.216.34 │
│ │
│ [Copy Details] [View Full Certificate] │
└────────────────────────────────────────────────────┘
How to Use
Step 1: Enter Hostname
Supported formats:
example.com
www.example.com
subdomain.example.com
api.example.com
Tips:
- Don't include https:// or http://
- Just the hostname/domain
- Can include subdomains
- Case-insensitive
Step 2: Enter Port
Common ports:
443 - HTTPS (default, most common)
8443 - Alternative HTTPS
465 - SMTPS (email)
993 - IMAPS (email)
995 - POP3S (email)
Default: Port 443 (standard HTTPS)
Step 3: Check Certificate
Click "Check Certificate" button
The tool will:
- Connect to the server
- Retrieve SSL certificate
- Validate certificate chain
- Lookup DNS information
- Display results
Typical response time: 1-3 seconds
Step 4: Review Results
Check the certificate information displayed:
- Certificate status (valid/expired/invalid)
- Subject (domain)
- Issuer (Certificate Authority)
- Validity dates
- Days until expiration
- DNS information
Understanding Results
Certificate Status
✓ Valid Certificate
✓ Certificate Valid
Subject: example.com
Issuer: Let's Encrypt Authority X3
Valid Until: Dec 31, 2024 (82 days remaining)
Status: Secure ✓
Indicators:
- Green checkmark
- Valid until date in future
- Days remaining shown
- "Secure" status
⚠ Expiring Soon
⚠ Certificate Expiring Soon
Subject: example.com
Issuer: Let's Encrypt Authority X3
Valid Until: Nov 5, 2024 (14 days remaining)
Status: Expires soon ⚠
Action: Renew certificate
Indicators:
- Warning icon
- Less than 30 days remaining
- Orange/yellow color
- Action recommendation
✗ Expired Certificate
✗ Certificate Expired
Subject: old-site.com
Issuer: Let's Encrypt Authority X3
Valid Until: Sep 15, 2024 (expired 32 days ago)
Status: Expired ✗
Action: Renew immediately
Indicators:
- Red X icon
- Expiration date in past
- Days since expiration
- Urgent action needed
✗ Invalid Certificate
✗ Certificate Invalid
Error: Hostname mismatch
Certificate issued for: different-site.com
Requested: example.com
Status: Invalid ✗
Action: Fix certificate configuration
Common errors:
- Hostname mismatch
- Self-signed certificate
- Untrusted CA
- Incomplete chain
Certificate Information
Subject (Who owns the certificate)
Subject:
CN = example.com
O = Example Corporation
L = San Francisco
ST = California
C = US
Fields:
- CN (Common Name) - Domain name
- O (Organization) - Company name
- OU (Organizational Unit) - Department
- L (Locality) - City
- ST (State/Province) - State
- C (Country) - Country code
Issuer (Who signed the certificate)
Issuer:
CN = Let's Encrypt Authority X3
O = Let's Encrypt
C = US
Common Certificate Authorities:
- Let's Encrypt (free, automated)
- DigiCert (commercial)
- GlobalSign (commercial)
- GeoTrust (commercial)
- Sectigo/Comodo (commercial)
Validity Period
Valid From: Oct 1, 2024 00:00:00 GMT
Valid Until: Dec 31, 2024 23:59:59 GMT
Total Duration: 91 days
Days Remaining: 82 days ✓
Typical validity periods:
- Let's Encrypt: 90 days
- Commercial DV: 1-2 years (max 398 days)
- Commercial OV/EV: 1-2 years (max 398 days)
Status indicators:
- ✓ More than 30 days: Good
- ⚠ 15-30 days: Warning
- ⚠ Less than 15 days: Critical
- ✗ Expired: Invalid
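The status thresholds above, applied by a script. This is an added example, not part of the tool: `fetch_cert` and `expiry_status` are hypothetical helper names, and `SAMPLE_CERT` is constructed data in the dict shape Python's `ssl.getpeercert()` returns.

```python
import socket
import ssl
from datetime import datetime, timezone


def fetch_cert(hostname, port=443, timeout=5.0):
    """Return the peer certificate as a dict after a verified TLS handshake.

    create_default_context() validates the chain against the system trust
    store and checks the hostname, so an untrusted, expired or mismatched
    certificate raises ssl.SSLCertVerificationError instead of returning.
    """
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def expiry_status(cert, now=None):
    """Map a certificate's notAfter to (status, whole days remaining)."""
    now = now or datetime.now(timezone.utc)
    seconds_left = ssl.cert_time_to_seconds(cert["notAfter"]) - now.timestamp()
    if seconds_left < 0:
        # Negative value = whole days since expiry.
        return "expired", -int(-seconds_left // 86400)
    days = int(seconds_left // 86400)
    if days > 30:
        return "good", days
    if days >= 15:
        return "warning", days
    return "critical", days


# Constructed sample in getpeercert() format (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "notBefore": "Oct 01 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}

if __name__ == "__main__":
    checked_at = datetime(2024, 10, 10, tzinfo=timezone.utc)
    print(expiry_status(SAMPLE_CERT, checked_at))
    # Live check (needs network access): expiry_status(fetch_cert("example.com"))
```
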
Fingerprint
SHA-256 Fingerprint:
AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:
AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89
Purpose:
- Unique certificate identifier
- Used for certificate pinning
- Verify certificate hasn't changed
- Security validation
Algorithms:
- SHA-256 (current standard)
- SHA-1 (deprecated)
- MD5 (obsolete)
Serial Number
Serial Number: 04:E5:1D:3A:F8:2B:C9:7E
Purpose:
- Unique identifier from CA
- Used for revocation checking
- Certificate tracking
- Typically 8-20 bytes
DNS Information
DNS Records:
A Record: 93.184.216.34
AAAA Record: 2606:2800:220:1:248:1893:25c8:1946
Hostname: example.com
IP Addresses: 2 found
DNS record types:
- A - IPv4 address
- AAAA - IPv6 address
- CNAME - Canonical name (alias)
- MX - Mail exchanger
Certificate Chain
Certificate Chain:
├─ example.com (End Entity)
│ └─ Let's Encrypt Authority X3 (Intermediate)
│ └─ DST Root CA X3 (Root)
Chain Status: ✓ Complete
Chain validation:
- ✓ Complete chain
- ✓ All certificates present
- ✓ Valid signatures
- ✓ Not revoked
Common issues:
- ✗ Missing intermediate certificate
- ✗ Wrong certificate order
- ✗ Self-signed root
- ✗ Revoked certificate
Common Use Cases
1. Monitor Certificate Expiration
Prevent website downtime:
Schedule: Check monthly
1. Check all production domains
2. Note expiration dates
3. Set renewal reminders (30 days before)
4. Verify auto-renewal working (Let's Encrypt)
Expiration timeline:
90+ days: ✓ OK, no action needed
60-89 days: ✓ OK, note for future
30-59 days: ⚠ Prepare renewal
15-29 days: ⚠ Renew soon
< 15 days: 🔴 Urgent, renew now
Expired: 🔴 Critical, immediate action
2. Verify SSL After Installation
After installing new certificate:
1. Install certificate on server
2. Wait for propagation (5-10 minutes)
3. Check with SSL Checker
4. Verify:
✓ Correct domain name
✓ Valid dates
✓ Trusted issuer
✓ Complete chain
5. Test from multiple locations
3. Troubleshoot SSL Errors
When users report SSL warnings:
1. Check certificate with tool
2. Identify issue:
- Expired certificate
- Hostname mismatch
- Self-signed certificate
- Missing intermediate cert
- Untrusted CA
3. Fix based on specific error
4. Verify fix with re-check
4. Security Audit
Regular security checks:
Audit checklist:
□ Certificate valid and trusted
□ Expiration > 30 days away
□ Certificate matches domain
□ Complete certificate chain
□ Strong signature algorithm (SHA-256+)
□ No security warnings
□ DNS resolves correctly
□ HTTPS redirects working
5. Pre-Migration Validation
Before migrating websites:
1. Check current certificate
2. Export certificate details
3. Note expiration date
4. Plan certificate strategy:
- Keep existing cert
- Generate new cert
- Use wildcard cert
5. After migration, verify cert works
Advanced Features
Copy Certificate Details
Export information:
Click "Copy Details" button
Copied to clipboard:
---
Certificate Details
Subject: example.com
Issuer: Let's Encrypt Authority X3
Valid From: Oct 1, 2024
Valid Until: Dec 31, 2024
Days Remaining: 82
Fingerprint: AB:CD:EF:01:...
Status: Valid
---
Use cases:
- Documentation
- Incident reports
- Security audits
- Team communication
View Full Certificate
See complete certificate data:
[View Full Certificate]
Shows:
- Complete X.509 certificate
- All extensions
- Subject Alternative Names (SANs)
- Key usage
- Extended key usage
- CRL distribution points
- Authority info access
- Certificate policies
Check Multiple Domains
Batch checking:
Check domains sequentially:
1. example.com
2. www.example.com
3. api.example.com
4. cdn.example.com
Compare results:
- Same issuer?
- Same expiration?
- All valid?
- All chains complete?
Certificate Types
Domain Validated (DV)
Most common:
Type: Domain Validated
Validation: Automated (DNS/HTTP)
Issuer: Let's Encrypt, etc.
Cost: Free to $50/year
Time: Minutes to hours
Characteristics:
- Verifies domain ownership only
- No company information
- Automated issuance
- Quick and easy
Best for:
- Personal websites
- Blogs
- Small business sites
- Internal applications
Organization Validated (OV)
Business verification:
Type: Organization Validated
Validation: Company verification required
Issuer: Commercial CAs
Cost: $50-$200/year
Time: 1-3 days
Characteristics:
- Verifies company exists
- Shows organization name
- Manual verification process
- Higher trust level
Best for:
- E-commerce sites
- Corporate websites
- Customer-facing applications
- Business services
Extended Validation (EV)
Highest assurance:
Type: Extended Validation
Validation: Rigorous company verification
Issuer: Commercial CAs
Cost: $200-$500/year
Time: 3-7 days
Characteristics:
- Extensive company verification
- Green address bar (older browsers)
- Organization name prominent
- Highest trust level
Best for:
- Financial institutions
- E-commerce (high value)
- Government sites
- Security-critical services
Wildcard Certificates
Cover all subdomains:
Type: Wildcard (DV/OV/EV)
Coverage: *.example.com
Matches:
✓ www.example.com
✓ api.example.com
✓ cdn.example.com
✓ anything.example.com
Does NOT cover:
✗ example.com (root domain)
✗ sub.api.example.com (nested subdomain)
Cost: 2-5x regular certificate
Best for:
- Multiple subdomains
- Dynamic subdomains
- SaaS applications
- Development environments
Troubleshooting
Connection Timeout
Error: "Connection timeout - could not reach server"
Causes:
- Server is down
- Firewall blocking
- Wrong hostname
- Network issue
- DNS not resolving
Solutions:
1. Verify hostname is correct
2. Check server is online (ping)
3. Test port with other tool
4. Check DNS resolution
5. Try from different network
6. Check firewall rules
Hostname Mismatch
Error: "Certificate hostname mismatch"
Example:
Certificate issued for: www.example.com
Requested: example.com
Result: Mismatch ✗
Solutions:
1. Use correct hostname (with/without www)
2. Get certificate with both names
3. Use wildcard certificate (*.example.com)
4. Add Subject Alternative Name (SAN)
5. Set up redirect (example.com → www.example.com)
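The hostname mismatch above and the wildcard coverage rules from the Wildcard Certificates section both come down to how a name in the certificate is compared with the requested hostname. The following is an added example, not the tool's code: a simplified matcher over Subject Alternative Name entries, with hypothetical function names and constructed sample certificates.

```python
def _labels(name):
    """Lower-case a DNS name and split it into labels (trailing dot ignored)."""
    return name.rstrip(".").lower().split(".")


def san_matches(pattern, hostname):
    """True if a single SAN dNSName entry covers hostname."""
    pat, host = _labels(pattern), _labels(hostname)
    if len(pat) != len(host):
        return False  # '*' stands for exactly one label, never zero or two
    if any("*" in label for label in pat[1:]):
        return False  # a wildcard is only honoured in the leftmost label
    if pat[0] == "*":
        # This example's rule: at least two labels after '*',
        # so a pattern like '*.com' matches nothing.
        return len(pat) >= 3 and pat[1:] == host[1:]
    if "*" in pat[0]:
        return False  # partial wildcards such as 'w*' are rejected here
    return pat == host


def check_hostname(cert, hostname):
    """Return (covered, dns_names) for a getpeercert()-style dict."""
    dns_names = [value for kind, value in cert.get("subjectAltName", ())
                 if kind == "DNS"]
    return any(san_matches(n, hostname) for n in dns_names), dns_names


# Constructed samples (not real certificates), SAN entries only.
WWW_ONLY = {"subjectAltName": (("DNS", "www.example.com"),)}
WILDCARD = {"subjectAltName": (("DNS", "*.example.com"),)}
WILDCARD_PLUS_ROOT = {"subjectAltName": (("DNS", "*.example.com"),
                                         ("DNS", "example.com"))}

if __name__ == "__main__":
    for cert, host in [(WWW_ONLY, "example.com"),
                       (WILDCARD, "www.example.com"),
                       (WILDCARD, "example.com"),
                       (WILDCARD, "sub.api.example.com"),
                       (WILDCARD_PLUS_ROOT, "example.com")]:
        covered, names = check_hostname(cert, host)
        print(f"{host:22} vs {names}: {'match' if covered else 'MISMATCH'}")
```
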
Self-Signed Certificate
Warning: "Self-signed certificate - not trusted"
Explanation:
Self-signed certificates:
- Signed by itself, not a CA
- Not trusted by browsers
- OK for development/testing
- NOT OK for production
Solutions:
Development:
✓ Accept self-signed (development only)
Production:
1. Get certificate from trusted CA
2. Use Let's Encrypt (free)
3. Purchase from commercial CA
Incomplete Certificate Chain
Error: "Certificate chain incomplete"
Explanation:
Chain should be:
End Entity → Intermediate(s) → Root
Missing:
✗ Intermediate certificate(s)
Result:
Browsers can't validate trust chain
Solutions:
1. Install intermediate certificates
2. Get certificate bundle from CA
3. Configure server to send full chain
4. Test with SSL Labs
5. Verify chain with Certificate Reader
Expired Certificate
Error: "Certificate has expired"
Immediate action:
1. Renew certificate NOW
2. Install new certificate
3. Restart web server
4. Verify with SSL Checker
5. Clear browser cache
Prevention:
1. Set expiration reminders
2. Use automated renewal (Let's Encrypt)
3. Monitor expiration dates
4. Check monthly
5. Document renewal process
Best Practices
1. Regular Monitoring
Schedule checks:
Critical servers: Weekly
Standard servers: Monthly
Development: Quarterly
Set reminders:
- 60 days before expiration
- 30 days before expiration
- 15 days before expiration
- 7 days before expiration
2. Document Everything
Keep records:
For each certificate:
- Domain name(s)
- Issuer
- Purchase date
- Expiration date
- Renewal process
- Responsible person
- Cost
- Next renewal date
3. Automate When Possible
Let's Encrypt automation:
Install certbot:
- Auto-renews every 90 days
- Runs automatically
- Email notifications
- No manual intervention
Monitoring tools:
Use external monitoring:
- Uptime Robot
- Pingdom
- New Relic
- Custom scripts
4. Test After Changes
Always verify:
After any certificate change:
1. Check with SSL Checker
2. Test from browser
3. Test from mobile
4. Check from external network
5. Verify redirects work
6. Clear cache and retest
5. Plan Ahead
Renewal strategy:
30 days before expiration:
- Generate new CSR
- Submit to CA
- Wait for issuance
7 days before expiration:
- Install new certificate
- Test thoroughly
- Monitor for issues
After expiration:
- Keep old cert as backup
- Document changes
- Update records
Security Considerations
Certificate Pinning
Advanced security:
Pin certificate fingerprint in app:
- Prevents MITM attacks
- Requires app update when cert changes
- Only for mobile/desktop apps
- Not for websites
CT Logs
Certificate Transparency:
All certificates logged publicly:
- View at crt.sh
- Monitor for unauthorized certs
- Detect misissued certificates
- Security compliance
Revocation Checking
CRL and OCSP:
Certificate can be revoked:
- Compromised private key
- Incorrect information
- CA compromise
- Superseded by new cert
Check revocation:
- CRL (Certificate Revocation List)
- OCSP (Online Certificate Status Protocol)
Next Steps
- 📄 Certificate Reader - Read and analyze local certificate files
- 📝 Create CSR - Generate Certificate Signing Request
- 🔑 SSH Keys - Manage SSH authentication keys
- 🔙 Keychain Overview - See all Keychain features
Pro Tip: Set up calendar reminders 30 days before certificate expiration dates. Use SSL Certificate Checker monthly to audit all your domains and catch expiring certificates before they cause downtime!