Free · no signup

SSL & Domain Expiry Checker

See how a site's SSL certificate and domain registration are doing — issuer, validity, chain, expiry, registrar, nameservers. Two clocks, one page.

Reads public TLS + RDAP · Nothing stored, nothing tracked
Live example · checked just now

SSL & registration for stripe.com

Certificate

Valid 75 days · DigiCert Inc

Expires Sep 3, 2026

Registration

Registered with SafeNames Ltd. for 30 years. Renews in 447 days.

Renews Sep 11, 2027

What we check

  • Certificate validity: Is the cert currently valid and signed by a trusted CA?
  • Certificate expiry: How many days until the SSL certificate expires?
  • Chain trust: Does the full certificate chain validate to a trusted root?
  • Hostname match: Does the cert's Subject Alternative Name cover the domain you checked?
  • Signature algorithm: Is the cert using a modern algorithm (e.g. ECDSA, RSA 2048+)?
  • SAN coverage: Which hostnames does this certificate cover?
  • Registrar: Who the domain is registered with (Cloudflare, MarkMonitor, GoDaddy, …).
  • Registration expiry: When the domain registration itself expires — separate from the SSL cert.
  • Registration date: When the domain was first registered, surfaced from RDAP.
  • Nameservers: Which DNS hosts the registry has on file for the domain.
  • Registry locks: Transfer / delete / update locks the registrar or registry has applied.

Common questions

What's the difference between SSL expiry and domain expiry?

They are two unrelated clocks. The SSL certificate is what your browser checks at the TLS handshake — typically valid for 90 days (Let's Encrypt) or up to 13 months (commercial CAs). The domain registration is what you pay your registrar (Cloudflare, GoDaddy, etc.) for — typically renewed once a year. Either one can expire without the other noticing. SSL expiry breaks HTTPS but the site still resolves; domain expiry makes the entire site disappear.

Where does the domain expiry data come from?

RDAP (Registration Data Access Protocol) — the IETF replacement for legacy WHOIS. Each TLD's registry publishes machine-readable JSON; we read what they publish. Most gTLDs (.com, .org, .net, etc.) are fully supported. Many ccTLDs (.se, .io, .uk) don't publish RDAP at all yet — for those, the registration section reports "no RDAP data" and the SSL section still works as usual.

Can a domain expire without me knowing?

Yes — and it happens more often than you'd expect. If the credit card on file expires, the renewal email goes to a defunct mailbox, or the original registrant left the company without handing off the account, a domain can lapse silently. Once expired, the domain enters a 30-day redemption window before being released to the public pool, where drop-catchers can grab it within seconds. The site doesn't just slow down; it stops resolving.

What does this check?

We open a TLS handshake to port 443 of the domain you enter and inspect the certificate the server presents — validity, expiry, issuer chain trust, hostname coverage. Separately, we query the TLD registry over RDAP for the domain's registration record — registrar, registration date, expiry, nameservers, status locks. Two independent reads, one page.

Do you store my domain?

Cached for up to 24 hours to serve repeat lookups quickly. We do not associate the lookup with your identity.

How accurate is it?

The certificate side is the real TLS handshake — same data a browser sees. The registration side is whatever the registry publishes; some registrars update RDAP within minutes of a change, others take hours. Both are cached at the edge but always with the original fetch timestamp so you can see how fresh the data is.

Why does it sometimes say "unreachable"?

The domain may be offline, port 443 may be closed, DNS may not resolve, or a firewall may be blocking our connection. Transient unreachability results are cached for only a few minutes — try rechecking shortly.

What about IDN / Unicode domains?

We accept Unicode domain names and normalize them to their Punycode (ASCII-compatible encoding) form before connecting, which is what TLS and RDAP actually use.

Do you expose registrant personal data?

No. Even when RDAP servers return registrant name, email, phone, or address, we do not surface those fields. This is a deliberate product decision — registrar, expiry, registration date, nameservers, and status flags only.
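The two reads described in the answers above can be reproduced offline. This is an added example, not CanaryFleet's code: it normalizes a Unicode name to Punycode, computes both expiry clocks, and builds a summary from RDAP fields (RFC 9083 names) that skips registrant entities. The function names and all sample data are constructed for illustration; Python's built-in `idna` codec implements IDNA 2003.

```python
import json
import ssl
from datetime import datetime, timezone

# Constructed RDAP domain response using RFC 9083 field names; not real registry data.
SAMPLE_RDAP = json.loads("""{
  "objectClassName": "domain", "ldhName": "xn--bcher-kva.example",
  "status": ["client transfer prohibited", "client delete prohibited"],
  "events": [
    {"eventAction": "registration", "eventDate": "2015-03-01T00:00:00Z"},
    {"eventAction": "expiration", "eventDate": "2027-03-01T00:00:00Z"}],
  "nameservers": [{"ldhName": "NS1.EXAMPLE.NET"}, {"ldhName": "NS2.EXAMPLE.NET"}],
  "entities": [
    {"roles": ["registrar"],
     "vcardArray": ["vcard", [["fn", {}, "text", "Example Registrar Ltd."]]]},
    {"roles": ["registrant"],
     "vcardArray": ["vcard", [["fn", {}, "text", "Jane Doe"]]]}]
}""")
# Constructed stand-in for the dict returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {"notAfter": "Sep  3 23:59:59 2026 GMT"}


def to_ascii(domain):
    """Normalize a Unicode domain to the Punycode form used by TLS and RDAP."""
    return domain.strip().rstrip(".").lower().encode("idna").decode("ascii")


def summarize(cert, rdap, now):
    """Report both expiry clocks plus registrar, nameservers and locks only."""
    cert_exp = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    events = {e["eventAction"]: e["eventDate"] for e in rdap.get("events", [])}
    reg_exp = datetime.fromisoformat(events["expiration"].replace("Z", "+00:00"))
    registrar = None
    for ent in rdap.get("entities", []):
        if "registrar" in ent.get("roles", []):  # registrant/admin/tech entities are never read
            props = ent.get("vcardArray", ["vcard", []])[1]
            registrar = next((p[3] for p in props if p[0] == "fn"), None)
    return {
        "domain": rdap["ldhName"],
        "cert_days_left": (cert_exp - now).days,
        "registration_days_left": (reg_exp - now).days,
        "registered": events.get("registration"),
        "registrar": registrar,
        "nameservers": sorted(ns["ldhName"].lower() for ns in rdap.get("nameservers", [])),
        "locks": [s for s in rdap.get("status", []) if s.endswith("prohibited")],
    }
```

For a live check, `cert` would come from `getpeercert()` on a verified TLS connection to port 443 and `rdap` from the registry's RDAP JSON response.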

The full product, opening soon

What else CanaryFleet watches.

The free tools are the public entry points. The rest is being built for agencies running 10–50 client sites.

SSL & domain expiry
You're here

Certificate validity, chain trust, issuer changes, plus registration expiry from RDAP. The two clocks that quietly run out.

Email DNS
Live

MX, SPF, DKIM, DMARC — plus MTA-STS, TLS-RPT, BIMI. Explains what each record actually does, in plain English.

DNS records
Soon

A, AAAA, CNAME, MX, TXT — flagged when they drift, even silently at the registrar.

Security headers
Soon

CSP, HSTS, X-Frame-Options, Referrer-Policy. Watches the entire response, not the homepage.

Uptime & TTFB
Soon

Five regions, every minute. Knows the difference between slow and gone.

AI-discovered synthetic flows
Soon

We crawl the site, write the journeys, run them. Login, checkout, search — without you scripting them.