
Browser lock icons hide a long chain of decisions. A public HTTPS connection depends on the hostname reaching the right edge server, that edge presenting the right certificate, the certificate chain ending at a trusted root, and the server refusing protocol versions that modern clients should no longer use. When any one of those parts drifts, visitors may see certificate warnings, automated clients may fail, and operations teams may have to work backward from a vague "SSL issue" report.

SSL is the word many people still use for this check, but modern HTTPS is built on TLS. The difference matters because old SSL versions and early TLS versions are not merely old labels. They represent protocol behavior that current guidance treats as obsolete for public service. A useful public TLS review therefore asks a conservative question: what is the weakest transport evidence returned for the hostname, not what the strongest endpoint can do.

Common TLS posture terms for a public HTTPS hostname
| Term | Practical meaning |
|---|---|
| Hostname | The public name a client connects to, such as example.com or api.example.com. |
| Endpoint | One observed edge target for that hostname, often an IP address behind a CDN or load balancer. |
| Leaf certificate | The certificate served directly for the hostname during the TLS handshake. |
| Trust path | The chain from the served certificate through intermediates toward a root trusted by clients. |
| Protocol floor | The oldest SSL or TLS protocol version observed anywhere in the returned endpoint set. |
Figure: Public TLS posture review across endpoints. A public hostname fans out to edge endpoints, TLS evidence, and risk-ranked follow-up work. One weak observed edge can set the host-level warning even when other edges look clean.

Public TLS checks are most useful after certificate renewals, CDN routing changes, listener policy changes, reverse-proxy migrations, or incident reports that mention "the certificate" without naming the affected edge. The same hostname can return different endpoints over time or from different networks, so a single clean endpoint is not enough evidence for a production host.

Transport posture is also only one part of site security. It can show whether public endpoints present a trusted certificate path, avoid legacy protocol exposure, and keep renewal risk visible, but it does not review application logic, authentication, authorization, private origins, or every geographic route a real user might take.

How to Use This Tool:

Start with one public host and choose how much freshness you need for the decision in front of you.

  1. Enter a bare Hostname, for example example.com or api.example.com. Leave out https://, paths, ports, wildcards, and private-only names.
  2. Choose Cached review when recent SSL Labs evidence is enough. Choose Fresh assessment after a certificate, CDN, load-balancer, or TLS policy change.
  3. If cached mode is selected, set Max cache age between 1 and 168 hours. Lower values reduce stale evidence at the cost of more waiting.
  4. Run Check SSL. If validation asks for one valid hostname, simplify the input until it is only the public host name.
  5. Read Edge Brief before opening the detail tabs. It gives the assessed host, scan mode, SSL Labs status, endpoint count, grade spread, protocol floor, trusted endpoint count, earliest leaf expiry, and certificate count.
  6. Use Endpoint Ledger to find edge drift, Certificate Ledger to inspect served certificates, Trust Paths to locate chain acceptance problems, and Fix Queue to decide what to repair first.
  7. Open TLS Edge Risk Map when the response includes both grade and expiry data. The map is useful for spotting endpoints with low grades, short renewal windows, or a larger issue count.

Interpreting Results:

The summary is intentionally conservative. A result headed HTTPS posture needs action means at least one critical signal was found, while HTTPS posture needs review means high-priority work such as renewal risk or legacy protocol exposure is present. HTTPS posture ready means the returned evidence did not produce an immediate action item under the current scan mode.

The large grade uses the weakest known endpoint grade rather than the best endpoint grade. That choice prevents one strong edge from hiding another edge that still has an untrusted chain, a legacy protocol, or a severe SSL Labs grade.

How to read SSL checker summary fields
| Output | What it means | What to verify next |
|---|---|---|
| Grade spread | The best and worst returned endpoint grades. | Open Endpoint Ledger if the grades differ. |
| Protocol floor | The oldest SSL or TLS version observed on any endpoint. | Treat SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 as legacy exposure. |
| Trust count | How many endpoints showed a clearly trusted path. | Use Trust Paths when the count is not equal to the endpoint count. |
| Leaf expiry | The earliest served leaf certificate deadline found in the endpoint set. | Repair immediately when it is expired, and plan renewal work when it is 30 days or less. |
| Queue count | The number of prioritized follow-up rows. | Start with Critical and High rows before treating Medium rows as cleanup. |

HSTS and OCSP rows are endpoint observations, not proof that the certificate itself is good or bad. A missing HSTS policy points to HTTP response behavior. Missing OCSP stapling points to revocation-status behavior during the TLS handshake.

A good result should still be treated as a point-in-time external assessment. Re-run a fresh scan after fixes, check the edge that produced the warning, and remember that the returned evidence does not cover private services, every DNS path, or application-level vulnerabilities.

Technical Details:

A public TLS assessment combines name resolution, endpoint discovery, certificate path evaluation, protocol negotiation, and vulnerability checks. The server certificate is only one part of the answer. A host can serve a valid leaf certificate and still fail operational review because one endpoint offers an obsolete protocol, omits a necessary intermediate, staples no revocation status, or differs from the rest of the edge set.

The checker submits the entered public hostname for an SSL Labs assessment and waits until a ready result is available. Cached mode can reuse a result within the selected age window. Fresh mode requests a new assessment and waits while SSL Labs resolves the host, tests endpoints, and returns certificate, chain, protocol, HSTS, OCSP, grade, and vulnerability evidence.

Aggregation Rules:

Endpoint detail becomes host-level signals by choosing conservative values where a weak edge matters. The worst returned grade becomes the headline figure, the oldest observed protocol becomes the protocol floor, and the earliest leaf certificate deadline drives the renewal warning.

leaf_expiry_days = ceil((not_after_time_ms - current_time_ms) / 86,400,000)

That upward rounding means a certificate expiring later today can still show a small remaining window instead of dropping to zero too early. The 30-day renewal warning is an operational threshold used for triage, not a statement about the maximum certificate lifetime allowed by public certificate rules.

Fix queue priority rules for SSL checker results
| Priority | Trigger | Operational response |
|---|---|---|
| Critical | Known TLS vulnerability signal, missing trusted path coverage, or an already expired leaf certificate. | Repair before accepting the host as healthy, then run a fresh assessment. |
| High | SSL or pre-TLS 1.2 protocol exposure, or earliest leaf expiry at 30 days or less. | Align listener policy or renewal deployment promptly. |
| Medium | Missing HSTS, missing OCSP stapling, or differing endpoint grades. | Use the endpoint tables to remove drift and harden browser-facing behavior. |
| Info | No immediate deployment gap found in the current returned evidence. | Keep scheduled fresh checks so future edge drift is caught early. |

The named vulnerability signals include Heartbleed, FREAK, Logjam, POODLE, Ticketbleed, and Bleichenbacher-style findings when SSL Labs reports them. These signals are treated as critical because they usually call for listener, library, or policy repair rather than simple copy review.
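The aggregation and fix-queue rules above can be sketched as follows. This is an added example, not the checker's own code: the endpoint field names are hypothetical (not the SSL Labs response schema), the sample endpoints are constructed, and ranking grades by the chart scores listed under Chart Scoring is an assumption.

```javascript
// Added example: endpoint field names are hypothetical, not the SSL Labs schema.
const GRADE_SCORE = { "A+": 100, A: 96, "A-": 92, B: 84, C: 74, D: 64, E: 54, F: 44, T: 34, M: 24 };
const PROTOCOL_ORDER = ["SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3"];
const LEGACY = new Set(PROTOCOL_ORDER.slice(0, 4));
const DAY_MS = 86400000;

// Upward rounding: a certificate expiring later today still reports 1 day.
function leafExpiryDays(notAfterMs, nowMs) {
  return Math.ceil((notAfterMs - nowMs) / DAY_MS);
}

function aggregate(endpoints, nowMs) {
  if (endpoints.length === 0) throw new Error("no endpoints in response");
  // Assumption: grades are ranked by the page's chart scores; unknown grades are skipped.
  const grades = endpoints.map((e) => e.grade).filter((g) => typeof GRADE_SCORE[g] === "number")
    .sort((a, b) => GRADE_SCORE[a] - GRADE_SCORE[b]);
  const seen = new Set(endpoints.flatMap((e) => e.protocols));
  const summary = {
    worstGrade: grades[0] ?? null,
    bestGrade: grades[grades.length - 1] ?? null,
    protocolFloor: PROTOCOL_ORDER.find((p) => seen.has(p)) ?? null,
    trustedCount: endpoints.filter((e) => e.trusted === true).length,
    earliestLeafDays: Math.min(...endpoints.map((e) => leafExpiryDays(e.leafNotAfterMs, nowMs))),
  };
  const queue = [];
  const add = (priority, signal) => queue.push({ priority, signal });
  if (endpoints.some((e) => e.vulnerabilities.length > 0)) add("Critical", "Known TLS vulnerability signal");
  if (summary.trustedCount < endpoints.length) add("Critical", "Missing trusted path coverage");
  if (summary.earliestLeafDays <= 0) add("Critical", "Expired leaf certificate");
  else if (summary.earliestLeafDays <= 30) add("High", "Leaf expiry at 30 days or less");
  if (LEGACY.has(summary.protocolFloor)) add("High", `Legacy protocol exposure (${summary.protocolFloor})`);
  if (endpoints.some((e) => !e.hsts)) add("Medium", "Missing HSTS");
  if (endpoints.some((e) => !e.ocspStapling)) add("Medium", "Missing OCSP stapling");
  if (summary.worstGrade !== summary.bestGrade) add("Medium", "Differing endpoint grades");
  if (queue.length === 0) add("Info", "No immediate deployment gap found");
  return { summary, queue };
}

// Constructed sample: two edges of one hostname, one still offering TLS 1.0.
const NOW = Date.UTC(2026, 0, 1);
const SAMPLE = [
  { endpoint: "192.0.2.10", grade: "A", protocols: ["TLS 1.2", "TLS 1.3"], trusted: true, hsts: true,
    ocspStapling: true, vulnerabilities: [], leafNotAfterMs: NOW + 60 * DAY_MS },
  { endpoint: "192.0.2.11", grade: "B", protocols: ["TLS 1.0", "TLS 1.2"], trusted: true, hsts: true,
    ocspStapling: false, vulnerabilities: [], leafNotAfterMs: NOW + 20 * DAY_MS + 3600000 },
];
console.log(JSON.stringify(aggregate(SAMPLE, NOW), null, 2));
```

The second edge alone sets the headline grade, the protocol floor, and the renewal warning, even though the first edge is clean.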

Chart Scoring:

TLS Edge Risk Map places each chartable endpoint by leaf expiry days on the horizontal axis and a numeric grade score on the vertical axis. The score is only a chart placement aid. The letter grade remains the readable SSL Labs result.

Grade score mapping used by TLS Edge Risk Map
| Grade | Chart score | Meaning on the map |
|---|---|---|
| A+ | 100 | Strongest returned grade position. |
| A / A- | 96 / 92 | Modern posture with smaller differences still visible. |
| B / C / D | 84 / 74 / 64 | Middle positions for degraded but not lowest outcomes. |
| E / F / T / M | 54 / 44 / 34 / 24 | Lower positions for severe, trust-related, or mismatch outcomes. |

Certificate rows classify returned certificates as leaf, intermediate, or root based on where they appear in the observed chain and whether the subject and issuer match. Trust-path rows stay separate because serving a certificate and building a trusted path to a root store are different facts. Certificate Transparency and Certification Authority Authorization signals can appear in the certificate ledger when the returned certificate data includes them.

Current public HTTPS operations generally center on TLS 1.2 and TLS 1.3. TLS 1.0 and TLS 1.1 have been formally deprecated, and SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 are treated here as legacy protocol exposure. Public server-certificate lifetime rules are separate from this checker, but as of 15 March 2026 newly issued public TLS subscriber certificates have a shorter validity period than in the old 398-day era, so missed renewal deployment across edges is becoming easier to notice and harder to postpone.

Privacy and Accuracy Notes:

This check is not local-only. The public hostname is sent for an SSL Labs assessment, and the result reflects what that external service can observe at the time of the run.

  • Use public hostnames only. Internal-only services, private DNS names, and sensitive unpublished hosts are not a good fit.
  • Cached evidence can be stale within the chosen max-age window. Use Fresh assessment after repair or deployment work.
  • DNS behavior, CDN routing, external reachability, provider queueing, and rate limits can affect completion time and endpoint coverage.
  • The JSON export can include returned assessment detail, so review it before sharing outside your team.
  • A transport check does not validate application code, account security, authorization rules, payment flows, or private origin configuration.
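Because the hostname leaves your environment, a pre-submission gate is worth running before any name is sent. The sketch below is an added example, not the checker's own validation: the function name, reason codes, and the list of private-use suffixes are assumptions, and the 1 to 168 hour range is the page's cache-age limit.

```javascript
// Added example: hypothetical gate applied before a hostname is sent to an external scanner.
// Assumption: these reserved or private-use suffixes stand in for "private-only names".
const PRIVATE_SUFFIXES = [".local", ".localhost", ".internal", ".home.arpa", ".test", ".invalid"];
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;
const reject = (reason) => ({ ok: false, reason });

function checkHostInput(raw, maxCacheAgeHours = 24) {
  const host = String(raw).trim().toLowerCase();
  if (/^[a-z][a-z0-9+.-]*:\/\//.test(host)) return reject("scheme");
  if (/[\/?#]/.test(host)) return reject("path");
  if (host.includes("*")) return reject("wildcard");
  if (/:\d+$/.test(host)) return reject("port");
  const labels = host.split(".");
  const numericTld = /^\d+$/.test(labels[labels.length - 1]); // catches IPv4 literals
  if (host.length > 253 || labels.length < 2 || numericTld || !labels.every((l) => LABEL.test(l))) {
    return reject("malformed"); // single-label names such as "intranet" land here
  }
  if (PRIVATE_SUFFIXES.some((s) => host.endsWith(s))) return reject("private-name");
  if (!Number.isInteger(maxCacheAgeHours) || maxCacheAgeHours < 1 || maxCacheAgeHours > 168) {
    return reject("cache-age");
  }
  return { ok: true, host };
}

// Constructed inputs covering each rejection reason.
for (const input of ["api.example.com", "https://example.com", "example.com/login",
  "*.example.com", "example.com:8443", "intranet", "10.0.0.5", "build.corp.internal"]) {
  console.log(input, JSON.stringify(checkHostInput(input)));
}
```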

Worked Examples:

A CDN policy update missed one edge. The summary shows a grade spread instead of a single aligned grade, and Protocol floor reports TLS 1.0. Endpoint Ledger identifies the endpoint still offering the legacy protocol. Update that listener policy, then run Fresh assessment to confirm the floor moved back to TLS 1.2 or TLS 1.3.

A renewal reached the origin but not every endpoint. The browser warning is intermittent, and Leaf expiry still shows 30 days or less after the certificate was renewed. Certificate Ledger can show whether old and new leaf certificates are both being served, while Endpoint Ledger points to the edge that still needs the new certificate.

A chain change created client-specific failures. Some clients connect cleanly while others report trust problems. A trust count below the endpoint count means at least one observed path was not accepted in the returned trust evidence. Open Trust Paths, repair the served intermediate chain on the affected edge, and recheck with a fresh assessment.

FAQ:

Do I enter a URL or just the host?

Enter only the host, such as example.com. The validation rejects schemes, paths, ports, wildcards, and malformed hostnames.

When should I use Fresh assessment instead of Cached review?

Use Fresh assessment after certificate renewal, CDN changes, load-balancer changes, listener policy changes, or any fix where a recent cached result could hide the current state.

Can this check an internal service?

No. The assessment depends on public reachability by SSL Labs, so private hostnames and internal-only services are outside its useful scope.

Why is the headline grade lower than one endpoint grade?

The headline uses the weakest returned endpoint grade. A hostname is only as reliable as the edge a real client reaches, so the summary does not average away a weak endpoint.

Why is the TLS Edge Risk Map empty?

The chart needs both a recognized grade and a leaf expiry value for each plotted endpoint. Some SSL Labs responses do not include enough data for chart placement.

What do HSTS and OCSP mean in the result?

HSTS is a browser policy that tells clients to use HTTPS for the host. OCSP stapling is revocation-status evidence sent by the server during the TLS handshake.

Does a clean TLS result prove the site is secure?

No. It means the returned public TLS evidence did not produce an immediate transport finding. Application behavior, identity, authorization, data handling, and private infrastructure still require separate review.

Glossary:

TLS
The modern transport security protocol family used by HTTPS connections.
SSL
The older name still commonly used for HTTPS certificate and transport checks.
Endpoint
One observed target serving the hostname, usually an IP address and sometimes an associated server name.
Leaf certificate
The end-entity certificate presented directly for the hostname.
Certificate chain
The ordered set of certificates that connects the served leaf certificate toward a trusted root.
Trust path
A certificate path that a root store can accept as trusted.
Protocol floor
The oldest protocol version observed among the returned endpoints.
HSTS
HTTP Strict Transport Security, a response policy that tells browsers to prefer HTTPS for the host.
OCSP stapling
A TLS feature where the server sends certificate revocation-status evidence during the handshake.