SSL Checker
Check SSL posture online for one hostname, then compare endpoint grades, trust paths, protocol support, and renewal risk before fixing HTTPS drift.
Introduction
HTTPS can look calm in the browser bar and still be uneven underneath. One hostname may terminate on several edge IPs, and each endpoint can serve a different certificate chain, protocol set, or transport policy. This checker is built for that public-facing problem. It scans one hostname and turns the returned assessment into a host summary, an endpoint ledger, a certificate ledger, a trust-path view, and a prioritized fix queue.
That makes it useful after certificate renewals, CDN or load-balancer changes, reverse-proxy migrations, or any alert that mentions TLS without showing the exact cause. The summary badges give a quick read of the worst observed grade, the grade spread across endpoints, the lowest protocol version still offered, trust coverage, the earliest leaf expiry, and how many follow-up items were raised. From there you can tell whether the problem is a single lagging edge, a chain issue, an outdated protocol policy, or a near-term renewal risk.
The tool name keeps the familiar SSL search term, but the assessment itself is about current TLS behavior on public HTTPS services. It reports what the external analyzer could observe for the hostname at that moment, including certificate timing, trust paths, protocol coverage, HSTS, OCSP stapling, and named vulnerability signals. It is therefore best for public endpoints that the analyzer can reach, not private services that live only inside your network.
The check is not browser-local. The hostname is sent to the site relay and then to SSL Labs so a public assessment can run. The request is marked as non-published, but you should still treat the hostname as disclosed to an external scanning service. If you need a confidential internal-only review, use an internal scanner instead.
Technical Details
The tool accepts one hostname, validates its format, and then asks for either a cached review or a fresh assessment. Cached mode can reuse a recent SSL Labs result up to the selected maximum age of 1 to 168 hours. Fresh mode starts a new assessment. The page then polls until the assessment reaches a ready state, updating the loading message while endpoint checks finish in the background.
The scan is allowed to continue even if the served certificate name does not match the requested hostname. That matters during incident work because you can still inspect the chain, expiry dates, protocol mix, and vulnerability flags instead of stopping at the first mismatch. Once the assessment is ready, the tool breaks the response into separate evidence views rather than flattening everything into one opaque score.
| Signal | How the tool builds it | How to read it |
|---|---|---|
| Summary grade | The worst endpoint grade found in the returned assessment. | A conservative warning signal, not a weighted average across traffic or regions. |
| Grade spread | The best endpoint grade and the worst endpoint grade shown as a range. | A quick way to spot rollout drift across edges. |
| Protocol floor | The lowest protocol version observed anywhere in the endpoint set. | If the floor is legacy, at least one edge still offers an outdated listener policy. |
| Trust coverage | The number of endpoints with at least one trusted path divided by total endpoints. | Anything below full coverage means at least one edge still needs chain work or clearer trust evidence. |
| Leaf expiry | The earliest remaining lifetime among the observed leaf certificates. | One short-lived edge certificate is enough to create a real renewal risk. |
| Fix queue | Prioritized actions derived from vulnerability flags, trust gaps, legacy protocols, expiry pressure, missing HSTS, missing OCSP stapling, and endpoint drift. | Read this as an operations triage list, with the most urgent transport problems first. |
| View | What it answers | Export options |
|---|---|---|
| Edge Brief | What was checked, when it was checked, how many endpoints were seen, and whether the host looks steady or needs work. | No file export on this tab. |
| Endpoint Ledger | Which endpoint is weaker, which protocols it offers, whether HSTS and OCSP stapling were seen, and which issues were attached to that edge. | Copy CSV, download CSV, export DOCX. |
| Certificate Ledger | Which certificates act as leaf, intermediate, or root, plus issuer, expiry, key profile, signature, and extra signals. | Copy CSV, download CSV, export DOCX. |
| Trust Paths | Whether a path was trusted, which root stores accepted it, and what chain was presented for each endpoint. | Copy CSV, download CSV, export DOCX. |
| Fix Queue | What to fix first and why the tool assigned that priority. | Copy CSV, download CSV, export DOCX. |
| JSON | The assessment payload used to build the ledgers. | Copy JSON or download JSON. |
The certificate ledger adds a small amount of interpretation on top of the returned data. Rows are labeled as leaf, intermediate, or root based on their role in the observed chains. The CT signal means SSL Labs reported Signed Certificate Timestamps for that certificate, and CAA means SSL Labs reported DNS Certification Authority Authorization coverage. Trust paths stay separate from the certificate list so you can see the difference between what was served and what root stores accepted.
Everyday Use & Decision Guide
Start with a cached review when you are checking a host you inspected recently, confirming a known state, or triaging an alert without waiting for a full fresh run. Switch to a fresh assessment after certificate deployment, load-balancer policy changes, new CDN routing, or any fix where old assessment data could hide the real result. The fresh path takes longer, but it is the right choice when timing matters more than speed.
The normal reading order is Edge Brief first, then whichever detailed ledger matches the question in front of you. If the summary grade is lower than expected, look at Endpoint Ledger before anything else. If the grade spread is wide, one edge is usually lagging behind the rest. If trust coverage is incomplete, go straight to Trust Paths. If the earliest leaf expiry looks close, open Certificate Ledger and identify the exact certificate that will age out first.
The Fix Queue is most useful when you need to turn scan evidence into work. It does not just say that the host has an issue. It spells out the likely impact and the next corrective step, which is often enough to start an operations ticket or a handoff note without rewriting the assessment by hand.
| If you need to know | Open this view first | Why |
|---|---|---|
| Did every edge get the same rollout? | Endpoint Ledger | It shows the per-endpoint grade, protocols, trust state, HSTS, OCSP stapling, expiry horizon, and issue summary. |
| Which certificate will become a problem first? | Certificate Ledger | It lists expiry dates and remaining days for each observed certificate. |
| Is the served chain trusted everywhere the scan checked? | Trust Paths | It shows accepted root stores, path trust, and chain notes per endpoint. |
| What should operations fix first? | Fix Queue | The priorities are already sorted from critical transport problems down to routine follow-up. |
| Do I need raw evidence for a ticket or archive? | JSON | You can copy or download the full assessment payload instead of retyping table rows. |
Step-by-Step Guide
- Enter a bare hostname such as example.com or api.example.com, not a full URL and not a wildcard.
- Choose Cached review for a recent known state or Fresh assessment when you need a new external check.
- If you stay in cached mode, set the maximum cache age in hours.
- Run the check and wait for the endpoint progress to finish.
- Read Edge Brief for the host-level summary and the main warning message.
- Open the detailed ledger that matches the issue you are chasing: endpoint drift, certificate timing, trust paths, or fix priority.
- Export CSV, DOCX, or JSON when the result needs to move into a ticket, report, or handoff.
Interpreting Results
The headline grade is intentionally strict. It shows the weakest grade that appeared across the returned endpoints. That is the right choice for operational work because one weak edge can still break real traffic, even when the rest of the fleet looks fine. The grade spread badge is the companion signal. A narrow spread suggests a consistent rollout. A wide spread usually means the hostname is hiding uneven listener policy, uneven certificate deployment, or both.
The protocol badge tells a similar story. It does not celebrate the newest protocol observed anywhere. It reports the lowest protocol version still offered anywhere. That means a host can show modern support and still carry a risky protocol floor if one endpoint was left behind. In the same way, trust coverage is not about whether any trusted path exists somewhere. It is the count of endpoints that exposed at least one trusted path, so anything below full coverage deserves follow-up.
The expiry badge is also pessimistic on purpose. It tracks the earliest leaf-certificate deadline across the observed endpoints. This is the right number for renewal planning because a single forgotten edge certificate can create a visible outage. HSTS and OCSP stapling should be read as observed endpoint behavior rather than certificate properties. Missing HSTS usually points to response-header policy, while missing stapling points to certificate-status delivery during the handshake.
The Fix Queue turns those signals into action priorities. Critical rows are reserved for named vulnerability signals, missing trust coverage, or already expired leaf certificates. High priority appears for legacy protocol exposure and certificates that expire within 30 days. Medium priority is used for missing HSTS, missing OCSP stapling, or endpoint drift. If none of those conditions are present, the queue falls back to a single informational row that marks the current posture as stable.
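The summary badges from the Technical Details table and the Fix Queue priority rules above, implemented as an added example (not the tool's own code): the endpoint records, IP addresses and dates are constructed for illustration, and the record shape is an assumption rather than the SSL Labs API schema.

```python
from datetime import date

# Grades best to worst and protocols newest to oldest; index order drives "worst case" picks.
GRADES = ["A+", "A", "A-", "B", "C", "D", "E", "F", "T"]
PROTOCOLS = ["TLS 1.3", "TLS 1.2", "TLS 1.1", "TLS 1.0", "SSL 3.0"]
LEGACY = {"TLS 1.1", "TLS 1.0", "SSL 3.0"}
PRIORITY = ["critical", "high", "medium", "info"]  # index used as sort key below
TODAY = date(2025, 1, 1)  # fixed clock so the example is reproducible

# Constructed endpoint records (hypothetical shape, not the SSL Labs payload).
ENDPOINTS = [
    {"ip": "203.0.113.10", "grade": "A", "protocols": ["TLS 1.2", "TLS 1.3"], "trusted": True,
     "hsts": True, "ocsp": True, "leaf_expiry": date(2025, 3, 1), "vulns": []},
    {"ip": "203.0.113.11", "grade": "B", "protocols": ["TLS 1.0", "TLS 1.2"], "trusted": False,
     "hsts": False, "ocsp": True, "leaf_expiry": date(2025, 1, 20), "vulns": []},
]

def summarize(endpoints, today=TODAY):
    """Host summary badges: every badge takes the pessimistic value across endpoints."""
    grades = sorted((e["grade"] for e in endpoints), key=GRADES.index)
    floor = max((p for e in endpoints for p in e["protocols"]), key=PROTOCOLS.index)
    trusted = sum(1 for e in endpoints if e["trusted"])
    earliest = min(e["leaf_expiry"] for e in endpoints)
    return {"grade": grades[-1], "spread": f"{grades[0]}..{grades[-1]}", "protocol_floor": floor,
            "trust_coverage": f"{trusted}/{len(endpoints)}", "leaf_days": (earliest - today).days}

def fix_queue(endpoints, today=TODAY):
    """Rows of (priority index, endpoint, signal, action), most urgent first."""
    rows = []
    for e in endpoints:
        days = (e["leaf_expiry"] - today).days
        for v in e["vulns"]:
            rows.append((0, e["ip"], f"vulnerability signal {v}", "patch or reconfigure the listener"))
        if not e["trusted"]:
            rows.append((0, e["ip"], "no trusted path", "serve the complete intermediate chain"))
        if days < 0:
            rows.append((0, e["ip"], "leaf certificate expired", "renew and redeploy now"))
        elif days <= 30:
            rows.append((1, e["ip"], f"leaf expires in {days} days", "schedule renewal"))
        if LEGACY & set(e["protocols"]):
            rows.append((1, e["ip"], "legacy protocol offered", "disable TLS 1.0 and TLS 1.1"))
        if not e["hsts"]:
            rows.append((2, e["ip"], "HSTS missing", "send a Strict-Transport-Security header"))
        if not e["ocsp"]:
            rows.append((2, e["ip"], "OCSP stapling missing", "enable stapling on the listener"))
    if len({e["grade"] for e in endpoints}) > 1:  # endpoint drift: grades differ across edges
        rows.append((2, "all", "endpoint drift", "align listener policy across edges"))
    return sorted(rows) or [(3, "all", "posture stable", "no action required")]
```

Running `summarize(ENDPOINTS)` reports grade B with spread A..B, a TLS 1.0 protocol floor, 1/2 trust coverage and 19 days to the earliest leaf expiry; `fix_queue` then leads with the critical missing-trust row for the lagging edge.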
Worked Examples
Catching one lagging edge after a CDN change
A hostname resolves to several edge IPs after a routing update. The summary shows a wide grade spread and a legacy protocol floor. In Endpoint Ledger, one IP still offers TLS 1.0 while the others do not. That tells you the issue is not the certificate itself. One edge listener simply did not receive the new policy.
Checking whether a renewal really reached every endpoint
You run a cached review first and then a fresh assessment after a new certificate was deployed. The expiry badge changes, but Trust Paths still shows one endpoint without a trusted path. Certificate Ledger confirms that the new leaf certificate is present, yet the chain is not consistent everywhere. The renewal happened, but the full chain rollout did not.
Explaining why browser reports felt inconsistent
Users in one region report certificate warnings while others do not. The summary grade is worse than expected, and trust coverage is not full. Trust Paths shows that one endpoint presents a different chain and is not trusted across the listed root stores. That gives you a concrete explanation for the mixed client reports and a clear fix target.
FAQ:
Do I enter a URL or just the host name?
Enter the hostname only. A full URL with a scheme and path, or a wildcard name, will not pass validation.
Can this check a private host or an internal-only service?
Usually no. The assessment depends on SSL Labs reaching the host from the public internet, so internal-only names and private services are not a good fit.
When should I use a fresh assessment instead of cached review?
Use fresh assessment after certificate changes, listener-policy changes, proxy migrations, or any fix where a recent cached result could mislead you.
Can the scan still help if the wrong certificate is installed?
Yes. The assessment is allowed to continue through a hostname mismatch so you can still inspect chain, protocol, expiry, and trust evidence.
Does a good result here prove the whole site is secure?
No. This is a transport-security assessment for the scanned hostname and returned endpoints. It does not review application logic, access control, or content security.
What do CT and CAA mean in the certificate ledger?
CT means the scan reported Signed Certificate Timestamps. CAA means the scan reported DNS Certification Authority Authorization coverage for the domain context.
Glossary:
- Endpoint
- One IP-level target returned for the hostname under test.
- Leaf certificate
- The end-entity certificate served directly to clients for the hostname.
- Trust path
- The certificate chain a client can validate from the served leaf certificate back to a trusted root.
- HSTS
- A browser policy that tells clients to prefer HTTPS for the host after they have seen the rule.
- OCSP stapling
- Certificate-status data attached by the server during the TLS handshake.
- CT
- Certificate Transparency, a way to record publicly trusted certificates in append-only logs.
- CAA
- Certification Authority Authorization, a DNS policy that limits which certificate authorities may issue for a domain.