Free Tool
SSL Certificate Checker
Catch certificate expiry before browsers block your site.
What it calculates
TLS handshake on port 443: validity window, days until expiry, SAN coverage for apex/www.
Why it matters
Expired or mis-issued certificates stop conversions instantly — browsers show interstitials, crawlers may drop pages.
The Learn Domains moat
Check → Diagnose → Activate → Ship fixes → Measure lift
Monitoring tools stop at the score. Learn Domains turns gaps into ranked actions inside your command center.
- 1Check
You ran the checker on your domain and topic.
Done - 2Diagnose
Readiness score + live mention gaps on missed prompts.
Learn more - 3Activate
Connect site, add Knowledge Base, generate Mission Brief.
Learn more - 4Ship + measure
Growth Orders → content drafts → Signal AI referrals.
Learn more
Apex domain only — no paths, IPs, or ports.
What this checker verifies
Single TLS handshake to the apex host: certificate expiry, issuer, and whether SANs cover the submitted hostname.
Scans run from Learn Domains infrastructure against the apex domain you submit. We do not crawl arbitrary URLs, probe ports, or run penetration tests. Results describe observed configuration at scan time.
Treat output as operator signal — not a security certification, ranking guarantee, or legal attestation.
How to interpret the result
Negative days means expired. Hostname mismatch means some entry URLs will fail HTTPS even if apex works.
Severity labels rank urgency: critical issues often block traffic or trust; high issues degrade deliverability or crawl efficiency; medium and low items are worth scheduling before they compound.
When a finding is marked inference or needs human review, confirm in your DNS host, CDN, or registrar before shipping a production change.
Common causes of this issue
Forgotten www coverage, manual renewals on multi-server setups, or origin certs not synced to CDN edge.
Misconfigured migrations, partial CDN setups, and copied DNS templates are the usual culprits. Compare www and apex behavior when redirects look inconsistent.
If you recently changed hosts, allow TTL propagation before re-checking — a stale cache can look like a failure for up to 48 hours.
How to fix it
Renew at CA or enable auto-renew. Re-issue with apex + www SANs or a valid wildcard for your pattern.
Document what you changed and when. Technical change detection inside Learn Domains compares future scans to this baseline so regressions surface in the Operator.
For email posture issues, coordinate with whoever owns your ESP (Google Workspace, SendGrid, etc.) so SPF and DMARC align with live senders.
When to re-check
Weekly when within 30 days of expiry. Set registrar or CDN alerts as backup.
Re-run after DNS TTL windows, certificate renewals, or deploys that touch edge configuration. Weekly monitoring catches drift before launch deadlines.
Connected workspaces in Learn Domains store scan history — public checks are ephemeral snapshots for visitors.
Related Learn Domains workflows
Run Redirect Checker to ensure HTTP→HTTPS chains end on valid TLS.
TLS regressions appear in Technical Preflight diffs — Learn Domains flags new failures against your last scan.
Start a $1 trial to connect the domain, run full Technical Preflight in the Operator (/tech), turn findings into Growth Orders, and monitor technical health alongside Mission Brief priorities.
Examples
Wildcard renewal
Scenario: Auto-renew failed on a wildcard cert.
Outcome: Checker shows days-until-expiry under 14 or hostname mismatch for www.
Use cases
- Certificate renewal calendar
- HTTPS migration QA
- Partner security reviews
Learn Domains perspective
TLS regressions appear in Technical Preflight diffs — Learn Domains flags new failures against your last scan.
FAQ
- Is the SSL Certificate Checker free?
- Yes. Anonymous visitors can run a limited number of checks per day. Results are cached briefly to keep scans fast. Full history, change detection, and Growth Orders require a Learn Domains workspace.
- Does this scan my entire site?
- No. Public tools inspect DNS, HTTPS entry points, robots.txt, sitemap discovery, mail records, and response headers for the apex domain. They do not brute-force paths or audit every URL.
- Can I scan any domain?
- You can check publicly registered domains you have permission to evaluate. We block internal networks, localhost, and platform abuse targets. Rate limits apply per visitor and per domain.
- How is this different from Learn Domains in the app?
- The app runs the same Technical Intelligence engine with saved history, workspace context, AI Operator interpretation, and one-click Growth Orders. Public tools deliver a snapshot; the product runs the operating loop.