TLS Certificate Checker
Queries Certificate Transparency logs (crt.sh) to show your TLS certificate expiry date, days remaining, issuer, Subject Alternative Names (SANs), and wildcard status. Checks for multiple active certs.
How to Use TLS Certificate Checker
- 1Enter your domain name (e.g., example.com).
- 2The tool queries Certificate Transparency logs to find your active certificate.
- 3See expiry date, days remaining, issuer, and all domains covered (SANs).
- 4A grade A-F reflects certificate health — F for expired, A for 60+ days remaining.
Zenovay
Track your website performance
Real-time analytics, session replay, heatmaps, and AI insights. 2-minute setup, privacy-first.
Related Tools
Password GeneratorGenerate strong, random passwords with customizable length, characters, and complexity.
Password Strength CheckerCheck how strong your password is. Get an estimated crack time and improvement suggestions.
HMAC GeneratorGenerate HMAC signatures using SHA-256, SHA-384, or SHA-512 with the Web Crypto API.
AES Encryption/DecryptionEncrypt and decrypt text using AES-GCM with PBKDF2 key derivation. Runs entirely in your browser.
Frequently Asked Questions
What is Certificate Transparency (CT) and how does this tool use it?▾
Certificate Transparency (RFC 6962) is a public audit framework that requires Certificate Authorities to log every issued TLS certificate to append-only public ledgers (CT logs). Browsers require certificates to be present in at least 2 CT logs or they show untrusted warnings. This tool queries crt.sh — a public CT log aggregator — to find certificates issued for your domain, then shows expiry date, issuer, SANs, and whether the certificate is still active. Because it uses CT logs, it works for any domain without needing to connect to the server directly.
How far in advance should I renew my TLS certificate?▾
Best practice: renew at 30 days remaining. Let's Encrypt auto-renews at 30 days. For manually managed certificates, renew at 45–60 days to have buffer time for validation issues. The industry is moving toward 90-day maximum certificate lifetimes (already the default for Let's Encrypt). ACME-based auto-renewal (Let's Encrypt, ZeroSSL) is the recommended solution — manual renewal is error-prone and causes outages. Set up monitoring alerts at 30 days and 7 days for critical services.
What are Subject Alternative Names (SANs) in TLS certificates?▾
SANs are the list of domain names that a single TLS certificate covers. Modern certificates must use SANs (the Common Name field is deprecated for domain matching). A wildcard SAN like *.example.com covers all subdomains (api.example.com, www.example.com) but not the root (example.com) — so wildcard certs typically include both *.example.com and example.com. Multi-domain (SAN) certificates can cover up to 250 different domains, which is useful for consolidating certs in a microservices architecture.
Why does my domain show multiple active certificates?▾
Multiple active certificates is common and generally fine — it happens when you: (1) Renewed before expiry (overlap period). (2) Migrated to a new CA. (3) Have multiple servers/CDN edge nodes with different certs. (4) Let's Encrypt issues a new certificate each renewal (doesn't revoke the old one). This tool flags multiple active certs as informational. It becomes a problem if you have old certificates with broader SANs than intended, or certificates from CAs you no longer trust.
How do I set up automatic TLS certificate renewal?▾
Options by infrastructure: Cloudflare: enable Universal SSL or Advanced Certificate Manager — fully automatic. Let's Encrypt + Certbot: run "certbot renew" via cron/systemd timer. AWS: use ACM (AWS Certificate Manager) — free and auto-renews. Nginx/Apache on Linux: Certbot handles installation and renewal automatically. Docker: use Traefik or Caddy — both handle cert provisioning automatically via ACME. Kubernetes: cert-manager operator with Let's Encrypt. Vercel/Netlify/Railway: automatic, no configuration needed.