How to Check a Website's SSL Certificate (3 Ways)
By Nathan Cole, Security Researcher · Updated 2026-06-02Part of our guide to SSL/TLS Certificates Explained: How to Check and Read One.
You can check any website's SSL certificate in three ways: a free online checker, your browser's padlock menu, or the openssl command on your own machine. Each one tells you who issued the certificate, the domain it covers, when it expires, and which TLS protocol is negotiated. The right choice depends on whether you want a quick read, a visual confirmation in the browser you already trust, or raw detail you can script against. If you are still mapping out how the pieces fit together, SSL/TLS certificates explained walks through the underlying model.
A certificate is just a signed statement that ties a public key to a domain name, structured according to the X.509 profile described in RFC 5280. Every method below reads the same data; they only differ in presentation. Here is what each field maps to and where to find it.
| What you want to check | Where to look |
|---|---|
| Who issued it | Issuer / "Issued by" field, or openssl x509 -issuer |
| Domain coverage | Subject CN and Subject Alternative Names |
| Expiry date | "Valid to" / notAfter, or openssl x509 -enddate |
| Days remaining | Online checker summary, or compute from notAfter |
| TLS protocol | Connection details, or the openssl s_client handshake line |
| Full chain | Browser certificate viewer, or openssl s_client -showcerts |
Method 1: The free DomainIntel SSL checker
The fastest path is the SSL checker at the site root. Type a domain, run the check, and you get the issuer, the validity dates, the days remaining before expiry, and the negotiated protocol on one screen. Nothing to install, no command syntax to remember, and it works from any device including a phone. This method shines when you want a quick verdict or need to compare several domains without opening a terminal.
It is also useful for spotting trouble you might miss in a browser. A site can load fine while sitting only a week from expiry, and a plain padlock will not warn you about that. The checker surfaces the countdown directly, which pairs well with reading SSL certificate expiration to understand what that number actually means for uptime.
Method 2: The browser padlock
Every major browser exposes the certificate behind the address bar. The wording shifts slightly between versions, but the path is consistent:
- Click the padlock or the site information icon to the left of the URL.
- Choose "Connection is secure" (or the equivalent "Site information" entry).
- Open the certificate details to view the issuer, subject, Subject Alternative Names, and the valid-from and valid-to dates.
This is the method to reach for when a visitor reports a warning, because you see exactly what their browser sees. If the certificate is self-signed, issued to the wrong name, or expired, the viewer makes it obvious. For decoding the specific message a browser throws, see common SSL errors.
Method 3: openssl on the command line
For full control, openssl talks directly to the server. Connect and inspect the certificate:
openssl s_client -connect example.com:443 -servername example.com
The -servername flag sends the SNI hostname, which matters on shared hosts where one IP serves many certificates. To read just the validity window without scrolling through the whole handshake:
openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \
| openssl x509 -noout -dates
That prints notBefore and notAfter, the two dates that define the certificate's life. To see every certificate in the chain, from the leaf up toward the root, add -showcerts:
openssl s_client -connect example.com:443 -servername example.com -showcerts
A complete chain matters because browsers reject a certificate they cannot trace back to a trusted root. The rules governing how public certificates are issued and structured live in the CA/Browser Forum Baseline Requirements, which is worth a look if a chain seems valid yet still gets rejected.
Which method should you use?
Grab the online checker for speed, the browser for confirming what a real visitor experiences, and openssl when you want raw fields you can pipe into a script or a monitoring job. Most people end up using all three over time, often starting with the checker and dropping to openssl only when something looks off.
Want a fast read right now? Run a free SSL check at the site root and see the issuer, expiry, and protocol for any domain in seconds.
Frequently asked questions
How do I check a website's SSL certificate?
Use one of three methods: a free online SSL checker (paste the domain and read issuer, dates, and protocol), your browser's padlock menu, or the command line with openssl s_client -connect example.com:443 -servername example.com.
How do I view a certificate in my browser?
Click the padlock or site information icon in the address bar, choose 'Connection is secure', then open the certificate details to see the issuer, subject, and validity dates.
What is the openssl command to check a certificate?
Run openssl s_client -connect example.com:443 -servername example.com to fetch the certificate, and add -dates or pipe to openssl x509 -noout -dates to read the validity period.