SSL Certificate Checker
Check the TLS certificate a public hostname is serving, including issuer, expiration, SANs, hostname match, and renewal warnings.
Status: Live · Processing: server-assisted TLS inspection. The browser sends the hostname and port to a same-origin CyganLabs WordPress endpoint because browser JavaScript cannot inspect arbitrary remote certificates. The endpoint connects only to public DNS hostnames on ports 443, 8443, or 9443, blocks private/internal/reserved IP ranges before connecting, rate-limits requests, and uses short-lived caching.
This is a maintenance sanity check, not a magical renewal system. It helps you catch expired certificates, short renewal windows, hostname mismatches, incomplete trust paths, and “oh right, that cert was on the other box” nonsense before users become your monitoring stack.
Check a TLS certificate
Enter a public hostname such as cyganlabs.com. You can also paste an HTTPS URL and the tool will normalize it to the hostname. Internal services are blocked by design.
Enter a public hostname to inspect the TLS certificate served to CyganLabs.
Raw inspection data returned by this check
What this checks
- Expiration: when the certificate becomes valid, when it expires, and how many days are left. Warnings start at 30, 14, and 7 days.
- Issuer and subject: who issued the certificate and what name the certificate identifies.
- SANs: the Subject Alternative Names that define which hostnames the certificate covers. The list is shown and truncated only if it gets obnoxiously large.
- Hostname match: whether the requested hostname appears to be covered by the certificate, including normal single-label wildcards like
*.example.com. - Verified handshake: whether CyganLabs can complete a normal verified TLS handshake with SNI and the served chain.
- Calendar reminder: a downloadable reminder event roughly 14 days before expiration. It is a nudge, not monitoring.
Important caveats
The result is from the CyganLabs server perspective. Browsers, CDNs, load balancers, IPv4 versus IPv6 paths, split-horizon DNS, and corporate filtering can make certificate results differ by network. If your browser shows something different, believe the live client path and investigate the routing.
Does this renew my certificate?
No. It checks what is currently being served. Renewal still belongs to your ACME client, host, CDN, load balancer, or whatever brittle little certificate goblin is actually in charge.
Why does my browser show something different?
You may be hitting a different edge, IP family, CDN route, internal DNS answer, proxy, or cached path. This tool uses public DNS resolution and SNI from the CyganLabs server. That is useful, but it is not every network path on earth.
Can this check internal services?
No. That is intentional. Hostnames that resolve to private, loopback, reserved, link-local, multicast, or otherwise unsafe IP ranges are blocked so the tool does not become a public network probe.
Do you store checked domains?
The tool does not intentionally store a searchable history of checked hostnames. The endpoint uses normal server request handling plus short-lived WordPress transients for rate limiting and repeated-host caching. Public hostnames are not secrets, but still do not paste anything you would treat like one.
Related tools: Email DNS Sanity Checker, Maintenance Checklist Builder, and the self-hosting maintenance guide.