
Introduction:

Website certificates are the digital credentials that let a browser start a private connection and display the padlock with confidence. A website SSL certificate checker helps you confirm that configuration choices line up with the expected security posture before you trust changes or investigate errors.

You get a concise grade for each reachable server and one headline grade that summarizes the set. Alongside the grades you see when the certificate expires, whether modern connection standards are supported, and whether common weaknesses appear in the scan.

Enter a single hostname and run a check. The scan queries the target, collects certificate facts, notes supported protocol versions, and lists the suites those servers advertise. It also records forward secrecy, stapled status responses, and a strict transport policy when present so you can spot gaps quickly and act with context.

Use it when renewing a certificate, rolling out a new endpoint, or comparing infrastructure changes. If a result seems out of character, recheck later so transient routing or cache effects do not mislead your decision.

Grades and flags describe configuration only and do not speak to business reputation or content safety. Avoid pasting secrets, and prefer test hosts for experiments.

Technical Details:

Transport Layer Security (TLS) protects data in transit between a client and a server. The scan observes what each server endpoint advertises during connection setup: certificate identity and lifetime, supported protocol versions, offered cipher suites, forward secrecy capability, stapled status responses, and strict transport policy signals.

The report computes an overall grade label by alphabetically sorting the endpoint grades and selecting the first label in that order. It also derives a single “days to expiry” value by taking the smallest remaining lifetime across endpoints so the earliest renewal risk is visible.

Endpoint results include vulnerability flags when the remote analyzer reports known issues. Labels indicate whether at least one endpoint supports modern protocol versions, forward secrecy, stapled responses, and strict transport policy.

Comparability depends on mode. A cache‑friendly run accepts recently cached analysis up to the maximum age you choose, which improves repeatability across runs made close together in time. A deep run requests a fresh analysis and may take longer to complete.

$$D = \left\lceil \frac{t_{\text{end}}^{\min} - t_{\text{now}}^{\text{local}}}{86\,400\,000} \right\rceil$$

Symbols and units for the calculation

| Symbol | Meaning | Unit/Datatype | Source |
|---|---|---|---|
| $D$ | Days to certificate expiry across all endpoints (minimum) | days (integer, ceil) | Derived |
| $t_{\text{end}}^{\min}$ | Earliest certificate “Not After” timestamp over endpoints | ms since epoch | Endpoint data |
| $t_{\text{now}}^{\text{local}}$ | Current time on the client | ms since epoch | Client clock |

Worked example. If the earliest “Not After” is 1 700 000 000 000 ms and the current time is 1 699 136 000 000 ms, the difference is 864 000 000 ms. Dividing by 86 400 000 and taking the ceiling gives 10 days. Near zero indicates urgent renewal.
  1. Validate the hostname as a single label set (no wildcards or paths).
  2. Build a scan request with publish=off and mismatch ignored to focus on configuration.
  3. Optionally request cached analysis when in cache‑friendly mode, respecting the chosen maximum age.
  4. Optionally force a new analysis when in deep mode.
  5. Poll the analyzer until a ready status or an error outcome appears.
  6. Render per‑endpoint tables, grades, protocol coverage, and cipher suite rows.
  7. Compute grade counts for display and pick the alphabetically first label as the overall grade.
  8. Derive flags for modern protocol support, forward secrecy, stapled responses, and strict transport policy.
  9. Expose raw JSON and compact CSV exports for downstream use.

Constants and flags used in the report

| Constant | Value | Notes |
|---|---|---|
| Grade labels (order for counts) | A+, A, A‑, B, C, D, E, F, T, M | Overall grade is alphabetical first across endpoints, not a weighted score. |
| Vulnerability flags | Heartbleed, POODLE, POODLE TLS, FREAK, Logjam, DROWN, ROBOT, Zombie POODLE, GOLDENDOODLE, Ticketbleed, Bleichenbacher, RC4 | Shown when reported by the analyzer for an endpoint. |
| Poll delay | 3 000 ms | Up to 120 attempts per run. |
| Request timeout | 25 000 ms | Per fetch attempt via public CORS proxies. |

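
The summary values described above, derived from constructed endpoint data (an added example, not the page's own code). It implements the expiry formula, the alphabetical-first overall grade from step 7 and the "at least one endpoint" labels, each beside a stricter reading. Assumptions: the field names, the sample endpoints, JavaScript's default string sort, and the use of the count order as a severity rank.

```javascript
// Added example (not the page's code): summary derivation as the text describes it.
// Field names (grade, notAfterMs, tls13, fs) and SAMPLE are constructed.
const GRADE_ORDER = ["A+", "A", "A-", "B", "C", "D", "E", "F", "T", "M"];
const MS_PER_DAY = 86400000;

const SAMPLE = [
  { ip: "192.0.2.10", grade: "A", notAfterMs: 1700000000000, tls13: true, fs: true },
  { ip: "192.0.2.11", grade: "F", notAfterMs: 1702592000000, tls13: false, fs: false },
  { ip: "192.0.2.12", grade: "B", tls13: false, fs: true }, // no "Not After" reported
];

// D = ceil((t_end_min - t_now_local) / 86400000); null when no endpoint has a timestamp.
function daysToExpiry(endpoints, nowMs) {
  const ends = endpoints.map((e) => e.notAfterMs).filter(Number.isFinite);
  if (ends.length === 0) return null;
  return Math.ceil((Math.min(...ends) - nowMs) / MS_PER_DAY) + 0; // "+ 0" turns -0 into 0
}

// Overall grade as the page describes it: sort the labels, take the first.
function alphabeticalFirstGrade(endpoints) {
  const grades = endpoints.map((e) => e.grade).filter(Boolean).sort();
  return grades.length ? grades[0] : null;
}

// Assumption: position in the count order is a severity rank; unlisted labels rank last.
function worstGradeByListOrder(endpoints) {
  const rank = (g) => (GRADE_ORDER.includes(g) ? GRADE_ORDER.indexOf(g) : GRADE_ORDER.length);
  const grades = endpoints.map((e) => e.grade).filter(Boolean);
  return grades.length ? grades.reduce((w, g) => (rank(g) > rank(w) ? g : w)) : null;
}

// Summary label ("at least one endpoint") next to the stricter "every endpoint" reading.
function coverage(endpoints, key) {
  return {
    any: endpoints.some((e) => e[key] === true),
    all: endpoints.length > 0 && endpoints.every((e) => e[key] === true),
  };
}

function summarize(endpoints, nowMs) {
  return {
    daysLeft: daysToExpiry(endpoints, nowMs),
    overallGrade: alphabeticalFirstGrade(endpoints),
    worstGrade: worstGradeByListOrder(endpoints),
    tls13: coverage(endpoints, "tls13"),
    fs: coverage(endpoints, "fs"),
  };
}
```

With the constructed sample, the alphabetical-first grade is A while one endpoint is graded F, and the TLS 1.3 label is positive although two of the three endpoints lack it.
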
Validation and bounds enforced by the UI

| Field | Type | Min | Max | Step/Pattern | Error Text | Placeholder |
|---|---|---|---|---|---|---|
| Domain | Text | 1 | 253 | `^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$` | “Enter a domain.” · “Enter a valid hostname (e.g., example.com).” | example.com |
| Mode | Select | | | fast · deep | | |
| Max cache age | Number (hours) | 1 | | step 1 | | |
| Fetch full endpoint details | Boolean | | | on/off | | |

Input and output formats

| Input | Accepted Families | Output | Encoding/Precision | Rounding |
|---|---|---|---|---|
| Hostname | ASCII labels only; no wildcards | Tables, badges, charts, JSON, CSV | UTF‑8 text; numbers as shown | Expiry uses ceiling to whole days |
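
The Domain pattern from the validation table, run over constructed inputs that cover the rejections the page lists (an added example, not the page's own code). The function names `validateHostname` and `accepted` and every sample hostname are assumptions; the pattern and the two error strings are the ones shown above.

```javascript
// Added example (not the page's code). The pattern is the one in the validation table;
// validateHostname, accepted and CASES are constructed for illustration.
const HOSTNAME_RE =
  /^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$/;

function validateHostname(input) {
  const value = typeof input === "string" ? input : "";
  if (value === "") return { ok: false, error: "Enter a domain." };
  if (!HOSTNAME_RE.test(value)) {
    return { ok: false, error: "Enter a valid hostname (e.g., example.com)." };
  }
  return { ok: true, error: null };
}

const CASES = [
  "example.com",            // plain hostname
  "xn--bcher-kva.example",  // ASCII (punycode) form of an internationalized name
  "bücher.example",         // non-ASCII label
  "example.com.",           // trailing dot
  "*.example.com",          // wildcard
  "_dmarc.example.com",     // underscore
  "https://example.com",    // scheme
  "example.com:443",        // port
  "example.com/login",      // path
  "-edge.example.com",      // label starts with a hyphen
  "edge-.example.com",      // label ends with a hyphen
  "a".repeat(64) + ".com",  // label longer than 63 characters
  "192.0.2.1",              // dotted digits: matches the pattern as written
];

// Returns only the inputs the pattern lets through.
function accepted(cases) {
  return cases.filter((c) => validateHostname(c).ok);
}
```

The dotted-digit case passes because the pattern checks label syntax only; whether the page applies any further check to such input is not stated.
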

Networking & storage behavior. The scan runs in the client and sends the hostname to a public analyzer service using cross‑origin proxy fetches. Results are rendered locally; copying and downloads occur on the client. No server operated by this page stores your inputs.

Diagnostics & determinism. Identical inputs can yield different outputs when cache settings differ or when the upstream service updates its data. The overall grade is derived by alphabetical order and is not a statistical average.

Assumptions & limitations
  • Single hostname only; subpaths and schemes are rejected.
  • Internationalized names with non‑ASCII characters are not accepted.
  • Overall grade is the alphabetical first label, not the worst‑case grade.
  • Expiry relies on the client clock; skew changes the day count.
  • Protocol and suite counts reflect availability, not throughput or preference order.
  • Vulnerability flags show what the analyzer reports; absence is not proof of safety.
  • Strict transport policy is inferred from the analyzer’s policy field when present.
  • Stapled status is reported as present only for positive signals.
  • Cache mode may surface stale data within the chosen age window.
  • Deep mode may take significantly longer than cache mode.
Edge cases & error sources
  • Trailing dots in hostnames are rejected by validation.
  • Underscores or wildcards cause input validation to fail.
  • Analyzer unreachable or proxy failure returns a generic scan failure.
  • Timeouts during fetch lead to retries through alternative proxies.
  • Non‑JSON responses cause parsing failure and a scan error.
  • Endpoints without certificates yield blank certificate rows.
  • Missing “Not After” produces no expiry and no badge.
  • Clock skew can display negative or off‑by‑one expiry days.
  • Large endpoint sets may delay chart rendering on low‑power devices.
  • Grades outside the known set display as “Unknown” in counts.
  • Policy or staple indicators may be absent even on secure deployments.
  • Locale differences change date formatting in rendered timestamps.

Privacy & compliance. The hostname you provide is sent to a third‑party analyzer to generate results. No data is stored by this page beyond your current session.

Step‑by‑Step Guide:

Certificate and protocol checks produce a quick security snapshot of a hostname and its reachable servers.

  1. Enter the target Hostname such as example.com.
  2. Choose Mode: cache‑friendly or deep.
  3. If cache‑friendly, set Max cache age in hours.
  4. Toggle Fetch full endpoint details to include suites and chains.
  5. Start the check and wait for the ready status.
  6. Review grades, expiry, flags, and per‑endpoint details; export JSON or CSV if needed.
Example: example.com in deep mode with full details shows a certificate chain, TLS version coverage, and a single overall grade.
  • Use deep mode when changing ciphers or policies.
  • Use cache‑friendly mode for frequent spot checks.

You now have an actionable profile of the site’s certificate and protocol posture.

FAQ:

Is my data stored?

No storage occurs on this page. The hostname is sent to a public analyzer to produce the report. Results render in the client.

Requests use a “do not publish” flag.

How accurate is the grade?

Grades come from the analyzer’s model. The overall grade shown here is the first label in alphabetical order across endpoints.

What does “borderline” look like?

A short “days to expiry” value, missing modern protocol support, or multiple vulnerability flags usually signals priority follow‑up.

Which units and formats are used?

Expiry is in whole days, dates use your locale, and JSON/CSV exports present text and numbers exactly as displayed.

Can I scan a wildcard domain?

No. Input must be a literal hostname. Wildcards, paths, schemes, and ports are not accepted by validation.

Does this work offline?

No. The analyzer is queried over the network. If the service is unavailable, the scan fails and you can retry later.

How do I validate a CSR?

This tool assesses deployed hosts. It does not parse or validate certificate signing requests.

Why is the expiry blank?

If an endpoint lacks certificate timing data or the client clock is skewed, the display may be empty or show unusual values.

What do T or M grades mean?

They are labels from the analyzer’s grade set. No extra meaning is defined here beyond their presence in results.

Troubleshooting:

  • “Enter a domain.” — supply a hostname.
  • “Enter a valid hostname” — remove schemes, ports, or wildcards.
  • Scan failed — switch modes or retry; the analyzer may be busy.
  • Empty protocol chart — fetch full details and recheck.
  • Wrong dates — verify the device clock and timezone.
  • Missing endpoints — confirm the hostname resolves publicly.
  • Copy/export issues — try again after results render fully.

Advanced Tips:

  • Keep the cache window short during migrations to avoid stale summaries.
  • Use deep mode after rotating keys or changing cipher policy.
  • Compare grade distributions across endpoints to spot uneven rollouts.
  • Treat any vulnerability flag as a reason to review server defaults.
  • Track the earliest expiry day to plan renewals without rush.
  • Export JSON after a deep run to preserve a point‑in‑time snapshot.

For consistency, test at similar times of day and from the same network.

Glossary:

Endpoint
A single server IP where the hostname resolves.
Cipher suite
Named set of algorithms a server offers for secure sessions.
Forward secrecy
Property that keeps past sessions safe even if keys leak later.
Stapling
A server‑provided status response attached to its certificate.
Strict transport policy
A signal asking browsers to use secure transport only.
Expiry
The last valid moment of a certificate’s lifetime.