What does a grade A mean for an SSL certificate?

Grade A means the certificate is valid (not expired), the hostname matches a Subject Alternative Name or Common Name in the certificate, and the certificate expires more than 30 days from now. Grade B means expiry is 14–30 days away; Grade C means fewer than 14 days remain. Grade F means the certificate is expired or the hostname does not match — in both cases browsers will show a security warning.

Why does certificate expiry matter so much?

An expired TLS certificate causes every browser to show a full-page security warning, blocking visitors entirely until the certificate is renewed. Most certificate authorities issue certificates for 90 days (Let's Encrypt) or 1 year. Automated renewal via Certbot, a cloud CDN, or a managed certificate service eliminates expiry as a risk — but only if the automation is running and the renewal actually completes. This checker shows exactly how many days remain so you can act before visitors are affected.

What are Subject Alternative Names (SANs)?

Subject Alternative Names (SANs) are the list of domain names the certificate is valid for, encoded in the certificate itself. A certificate for pentes.io might have SANs of pentes.io and www.pentes.io, meaning it is valid for both. Wildcard SANs like *.pentes.io cover all subdomains. The checker shows the full SAN list from the certificate so you can see whether the hostname you are testing is actually covered.

Does this tool connect to my server?

Yes — the TLS certificate check opens a TLS handshake to your server on port 443 to read the certificate the server presents. This is the same connection a browser makes. No application data is exchanged beyond the TLS handshake, and the connection is closed immediately after reading the certificate. The check is safe to run against production servers.

How do I renew a certificate that is about to expire?

If you use Let's Encrypt / Certbot, run certbot renew and ensure your cron job or systemd timer is running. If you use a CDN (Cloudflare, Fastly, AWS CloudFront), certificate renewal is usually automatic — check the dashboard for any renewal errors. If you purchased a certificate from a CA (DigiCert, Sectigo, etc.), log in to your account to renew and re-issue. After renewing, re-run this checker to confirm the new certificate is live and the expiry date has updated. See also: Why Is My SSL Certificate Not Trusted? for the most common TLS misconfiguration.

SSL/TLS Certificate Checker — Free Instant Test

What this checker tests

This tool opens a TLS handshake to your server on port 443 and reads the certificate the server presents — the same information any browser sees. It does not exchange application data, does not test authentication, and closes the connection immediately after reading the certificate.

The checker reports:

Grade — A (valid, expires in >30 days), B (14–30 days), C (<14 days), F (expired or hostname mismatch)
Expiry countdown — exact days remaining until the certificate expires
Subject / Issuer — Common Name and Certificate Authority
Subject Alternative Names (SANs) — all hostnames the certificate is valid for
Protocol and cipher — TLS version and cipher suite negotiated
Hostname match — whether the hostname you entered matches a SAN or CN in the certificate

Common SSL/TLS problems

Problem	What you see	Fix
Expired certificate	Grade F, negative days remaining	Renew the certificate immediately; automate renewal
Hostname mismatch	Grade F, hostnameMatch: false	Reissue the certificate with the correct SAN / wildcard
Certificate expiring soon	Grade B or C	Renew now; set up auto-renewal before it expires again
Weak cipher suite	Cipher name shows RC4, DES, 3DES	Update TLS config to disable deprecated ciphers; use Mozilla SSL Config Generator

For the most common SSL problem — an incomplete certificate chain where the browser shows a warning but curl doesn't — see the guide: Why Is My SSL Certificate Not Trusted?

Trust and differentiators

No account required. No data stored. The check is a passive TLS handshake — no application data exchanged, safe to run against production.

For continuous TLS monitoring — alerts when a certificate is approaching expiry or its configuration degrades — create a free pentes.io account. The free tier includes 5 scans per month with testssl.sh TLS analysis, LLM-triaged findings, and a downloadable report.

See all free security tools or read the SSL certificate guide for detailed remediation steps.

What this checker tests

Common SSL/TLS problems

Trust and differentiators

Monitor your TLS configuration