Loading…
Loading…
Paste any public URL. Scorifya performs a live TLS handshake, reads the certificate, and reports the expiry date, days remaining, chain validity, and whether the cert covers the hostname you tested.
Free tool
Certificate expiry is the most avoidable outage in web infrastructure. Most teams only notice when browsers start showing security warnings, by which point visitors are already blocked. Short-lived certificates (90-day ACME certs are now standard) make the renewal window tight and missed renewals more common, especially across multi-domain portfolios.
Paste any public URL. Scorifya performs a live TLS handshake, reads the leaf certificate, and reports the exact expiry date, the number of days remaining, whether the certificate chain is complete, and whether the cert's subject and SANs cover the hostname you tested. Certificate data sits inside the TLS category of the broader 0-100 hardening score.
This page is written for people searching for SSL certificate expiry checker, same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like. Paste your URL above for a live score on your site.
Example A, certificate expiring within 7 days
The certificate is valid today but expires in 6 days. Any visitors after expiry will see a browser security warning and cannot proceed without bypassing it.
Certificate expires in 6 days
Renew immediately and verify the new certificate was deployed to all origin servers. Automated ACME renewal should have caught this earlier.
No HSTS, expiry outage will be worse
Without HSTS, some browsers may attempt HTTP fallback after a cert error. Fixing the cert is the priority; adding HSTS prevents future downgrade risk.
Example B, certificate chain incomplete
The leaf certificate is valid with plenty of time remaining, but an intermediate certificate is missing from the chain. Some clients will fail to verify the certificate.
Intermediate certificate missing from chain
The server is not sending the full certificate chain. Configure your web server or load balancer to include intermediate certificates alongside the leaf cert.
Automate renewal with ACME
Let's Encrypt, ZeroSSL, and most CDNs support automatic 90-day renewal via ACME. Remove the human from the renewal loop entirely.
Monitor expiry across your portfolio
A single domain is easy to track. If you manage sites for clients, a watchlist with email alerts before 30-day and 7-day windows prevents missed renewals.
Include the full certificate chain
Configure your server to serve the leaf certificate plus all intermediate certificates. Missing intermediates cause validation failures on clients that don't cache intermediates.
Verify coverage of every hostname you use
Check that the certificate's Subject Alternative Names cover all hostnames visitors actually use: apex, www, and any other subdomains that serve HTTPS traffic.
Test staging after every renewal
Renewal failures often surface on staging before production. Run a certificate check after every automated renewal to confirm the new cert was deployed correctly.
For weights and penalties behind each category, see How Scorifya works.
Paste your URL above. Scorifya performs a live TLS handshake and reads the certificate's notAfter field, reporting the exact expiry date and days remaining.
Browsers show a full-page security warning and block users from proceeding without manually bypassing the error. Most users will leave rather than click through the warning.
At least 30 days before expiry. For 90-day ACME certificates, automated renewal typically runs at 60 days remaining. Check that automation is working. It can fail silently.
A complete chain includes the leaf certificate and all intermediate certificates back to a trusted root. If intermediates are missing, some clients cannot verify the cert and show an error even though the cert itself is valid.
Yes, scan each URL individually. Pro plan adds a watched domains list with scheduled re-scans and email alerts before expiry windows.
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly, without port scanning.
Hygiene signals
Verbose server banners and risky defaults can raise your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on config or deploying changes, you'll likely run multiple checks as you tighten things up. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.