SSL Checker
Check a public hostname against SSL Labs evidence, then spot weak TLS endpoints, chain gaps, legacy protocols, and renewal risk in a prioritized fix queue.
Result panels rendered after a check, with their columns:

| Panel | Columns |
|---|---|
| Edge Brief | Field, Value |
| Endpoint Ledger | Endpoint, Grade, Protocols, Trust, HSTS, OCSP, Leaf expiry, Issues |
| Certificate Ledger | Role, Subject, Issuer, Expires, Days, Key, Signature, Signals |
| Trust Paths | Endpoint, Trusted, Root stores, Chain, Notes |
| Fix Queue | Priority, Signal, Impact, Recommended action |
A public HTTPS hostname can look healthy from one browser and still be broken for another client. The name may resolve to several edge endpoints, each endpoint can serve a different certificate chain, and older protocol settings can linger on one load balancer after the rest of the fleet has moved on. That is why a useful SSL check looks past the browser lock icon and reviews the weakest public evidence returned for the host.
SSL remains the common search term, but modern HTTPS uses TLS. The distinction matters because SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 are obsolete for public services. A hostname that still exposes one of those versions is carrying legacy transport risk even if another endpoint for the same name negotiates TLS 1.3 and shows a strong certificate.
| Term | Plain meaning | Why it changes the result |
|---|---|---|
| Hostname | The public name clients use, such as example.com or api.example.com. | The certificate, DNS routing, and Server Name Indication all depend on the exact name. |
| Endpoint | One observed edge target for that hostname, often an IP address behind a CDN or load balancer. | Different endpoints can expose different grades, protocols, chains, or certificate expiry dates. |
| Leaf certificate | The certificate served directly for the hostname during the TLS handshake. | An expired, mismatched, or unevenly deployed leaf certificate can break real clients. |
| Trust path | The chain from the leaf through intermediates toward a trusted root store. | Missing or rejected intermediates can create trust failures even when the leaf certificate text looks right. |
| Protocol floor | The oldest SSL or TLS version seen anywhere in the endpoint set. | The oldest enabled version often reveals the edge that still needs listener-policy work. |
Public TLS reviews are especially useful after certificate renewal, CDN routing changes, reverse-proxy moves, load-balancer policy updates, or incident reports that describe a vague "SSL problem." A single clean browser test may hit only one endpoint. External assessment evidence helps show whether the same hostname is consistent across the returned edge set.
Transport posture is not the same as full application security. A clean TLS result can show that public endpoints present trusted chains, avoid legacy protocol exposure, and keep renewal risk visible. It does not audit application code, authentication, authorization, payment flows, private origins, or every network path a visitor might take.
How to Use This Tool:
Start with one public hostname and choose the scan freshness that matches the change you are checking.
- Enter a bare Hostname, such as example.com or api.example.com. Do not include https://, paths, ports, wildcards, or private-only names.
- Choose Cached review when recent SSL Labs evidence is enough for a routine check. Choose Fresh assessment after certificate, CDN, load-balancer, listener-policy, or chain changes.
- In cached mode, set Max cache age from 1 to 168 hours. Smaller values reduce stale evidence, while larger values usually return faster if SSL Labs already has a usable report.
- Run Check SSL. If the form asks for a valid hostname, simplify the input until it is only the public host name.
- Read Edge Brief first. It shows the assessed host, scan mode, SSL Labs status, endpoint count, grade spread, protocol floor, trust count, earliest leaf expiry, and certificate count.
- Use Endpoint Ledger for edge drift, Certificate Ledger for served certificate inventory, Trust Paths for chain acceptance, and Fix Queue for the repair order.
- Open TLS Edge Risk Map when grade and expiry data are available. Points near the 30-day renewal line, points in the low-grade area, and larger issue bubbles deserve the first follow-up.
Interpreting Results:
The headline is conservative. "HTTPS posture needs action" means critical evidence was found, such as a named vulnerability signal, a missing trusted path, or an expired leaf certificate. "HTTPS posture needs review" means high-priority work is present, typically legacy protocol exposure or a certificate within 30 days of expiry. "HTTPS posture ready" means the returned evidence did not trigger an immediate transport finding under the selected scan mode.
The displayed grade follows the weakest recognized endpoint grade, not the best one and not an average. That prevents one modern edge from hiding another endpoint that still serves an untrusted chain, a lower grade, or an obsolete protocol.
| Output | Meaning | What to inspect next |
|---|---|---|
| Grade spread | The best and worst returned endpoint grades. | Open Endpoint Ledger when the values differ. |
| Protocol floor | The oldest protocol seen on any endpoint. | Treat SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 as legacy exposure. |
| Trust count | How many endpoints returned at least one clearly trusted path. | Use Trust Paths when the count is lower than the endpoint count. |
| Leaf expiry | The earliest served leaf certificate deadline found in the endpoint set. | Repair expired certificates immediately and plan renewal work when the window is 30 days or less. |
| Fix Queue | Prioritized rows built from vulnerabilities, trust gaps, legacy protocols, expiry, HSTS, OCSP, and endpoint drift. | Work Critical rows first, then High, then Medium hardening rows. |
HSTS and OCSP are not certificate validity checks. HSTS is browser-facing HTTP policy. OCSP stapling is revocation-status evidence sent during the TLS handshake. Missing either one can matter operationally, but those findings should be read alongside certificate chain and protocol evidence instead of treated as a single pass/fail certificate verdict.
A good result is still a point-in-time external assessment. Re-run a fresh scan after fixes, check the specific endpoint that produced a warning, and remember that DNS routing, CDN behavior, queueing, and provider limits can affect which evidence is returned.
Technical Details:
A public TLS assessment combines name resolution, endpoint discovery, certificate path evaluation, protocol negotiation, response-policy observations, and vulnerability checks. The leaf certificate is only one part of the answer. A host can serve a valid leaf certificate and still need repair because an edge offers an obsolete protocol, omits an intermediate certificate, fails trust-path validation, or differs from the rest of the deployment.
The assessment uses SSL Labs evidence for servers reachable on the public Internet. Cached review can reuse a report within the selected age window. Fresh assessment requests current evidence and waits while endpoint, certificate, chain, protocol, HSTS, OCSP, grade, and vulnerability data become ready.
Formula Core:
Certificate renewal risk is driven by the earliest served leaf certificate deadline across the endpoint set. The remaining window is rounded upward to whole days so a certificate expiring later in the current day still shows a small positive window instead of dropping to zero prematurely.
The 30-day renewal line is an operational warning threshold for triage. It is separate from Web PKI maximum validity rules. For publicly trusted TLS subscriber certificates, the CA/Browser Forum schedule reduces the current 398-day maximum to 200 days for certificates issued on or after 15 March 2026 and before 15 March 2027, then 100 days from 15 March 2027, and 47 days from 15 March 2029. Shorter validity means the 30-day line will be crossed more often, so automated renewal matters more, not less.
Aggregation and Priority Rules:
| Signal | Host-level rule | Priority effect |
|---|---|---|
| Endpoint grade | The weakest recognized endpoint grade becomes the headline grade. | Different grades create an endpoint drift row. |
| Protocol support | The oldest observed protocol becomes the protocol floor. | SSL or pre-TLS 1.2 exposure is High. |
| Trust path | Each endpoint needs at least one trusted path in returned evidence. | Missing trust-path coverage is Critical. |
| Leaf expiry | The earliest endpoint leaf certificate deadline drives renewal risk. | Expired is Critical; 30 days or less is High. |
| Named vulnerabilities | Heartbleed, FREAK, Logjam, POODLE, Ticketbleed, and Bleichenbacher-style findings are counted when reported. | Any returned named vulnerability signal is Critical. |
| HSTS and OCSP | Missing HSTS policy or missing OCSP stapling is tracked per endpoint. | Missing coverage creates Medium hardening rows. |
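The renewal-window rounding and the host-level aggregation and priority rules above, written out as an added example in Python. This is not the checker's own source. The Endpoint record is a constructed, simplified evidence shape, not the SSL Labs API v3 schema; the three edges, the documentation-range IP addresses, and the fixed clock are made up; and giving the endpoint drift row a Medium priority is an assumption, since the page gives drift a Fix Queue row but no priority.

```python
"""Host-level TLS aggregation: weakest grade wins, oldest protocol is the floor,
earliest leaf expiry drives renewal risk, and Fix Queue rows are ordered
Critical > High > Medium. Added example; evidence shape is constructed."""
from __future__ import annotations

import math
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Best-to-worst grade order and oldest-to-newest protocol order for "weakest wins".
GRADE_ORDER = ["A+", "A", "A-", "B", "C", "D", "E", "F", "T", "M"]
PROTO_ORDER = ["SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3"]
LEGACY_PROTOS = set(PROTO_ORDER[:4])      # anything below TLS 1.2
RENEWAL_WINDOW_DAYS = 30
PRIORITY_RANK = {"Critical": 0, "High": 1, "Medium": 2}


@dataclass
class Endpoint:
    """One observed edge. Simplified evidence record, not the SSL Labs schema."""
    ip: str
    grade: str
    protocols: list[str]
    trusted: bool                 # at least one returned trust path was accepted
    leaf_not_after: datetime      # served leaf certificate deadline (UTC)
    hsts: bool
    ocsp_stapling: bool
    vulns: list[str] = field(default_factory=list)   # named signals, e.g. "Heartbleed"


def days_remaining(not_after: datetime, now: datetime) -> int:
    """Whole days left, rounded upward: a leaf expiring later today reports 1, not 0."""
    return math.ceil((not_after - now).total_seconds() / 86400)


def weakest_grade(grades):
    known = [g for g in grades if g in GRADE_ORDER]
    return max(known, key=GRADE_ORDER.index) if known else None


def best_grade(grades):
    known = [g for g in grades if g in GRADE_ORDER]
    return min(known, key=GRADE_ORDER.index) if known else None


def protocol_floor(endpoints):
    seen = {p for ep in endpoints for p in ep.protocols if p in PROTO_ORDER}
    return min(seen, key=PROTO_ORDER.index) if seen else None


def fix_queue(endpoints, now):
    """(priority, signal, endpoint) rows, Critical first; insertion order kept within a tier."""
    rows = []
    grades = {ep.grade for ep in endpoints if ep.grade in GRADE_ORDER}
    for ep in endpoints:
        for v in ep.vulns:
            rows.append(("Critical", f"{v} reported", ep.ip))
        if not ep.trusted:
            rows.append(("Critical", "no trusted path in returned evidence", ep.ip))
        days = days_remaining(ep.leaf_not_after, now)
        if ep.leaf_not_after <= now:
            rows.append(("Critical", "leaf certificate expired", ep.ip))
        elif days <= RENEWAL_WINDOW_DAYS:
            rows.append(("High", f"leaf certificate expires in {days} days", ep.ip))
        legacy = sorted((p for p in ep.protocols if p in LEGACY_PROTOS), key=PROTO_ORDER.index)
        if legacy:
            rows.append(("High", "legacy protocol enabled: " + ", ".join(legacy), ep.ip))
        if not ep.hsts:
            rows.append(("Medium", "HSTS policy missing", ep.ip))
        if not ep.ocsp_stapling:
            rows.append(("Medium", "OCSP stapling missing", ep.ip))
    if len(grades) > 1:
        # Assumption: drift gets a row in the page's rules but no stated priority.
        rows.append(("Medium", f"endpoint grade drift: {best_grade(grades)} to {weakest_grade(grades)}", "all"))
    rows.sort(key=lambda r: PRIORITY_RANK[r[0]])   # stable sort preserves per-tier order
    return rows


def summarize(endpoints, now):
    """Edge Brief fields plus the headline derived from the worst Fix Queue tier."""
    rows = fix_queue(endpoints, now)
    tiers = {r[0] for r in rows}
    if "Critical" in tiers:
        headline = "HTTPS posture needs action"
    elif "High" in tiers:
        headline = "HTTPS posture needs review"
    else:
        headline = "HTTPS posture ready"
    grades = [ep.grade for ep in endpoints]
    return {
        "headline": headline,
        "grade": weakest_grade(grades),
        "grade_spread": (best_grade(grades), weakest_grade(grades)),
        "protocol_floor": protocol_floor(endpoints),
        "trust_count": sum(ep.trusted for ep in endpoints),
        "endpoint_count": len(endpoints),
        "earliest_leaf_days": min(days_remaining(ep.leaf_not_after, now) for ep in endpoints),
        "fix_queue": rows,
    }


# Constructed sample: one hostname, three edges, fixed clock for reproducibility.
NOW = datetime(2026, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    Endpoint("203.0.113.10", "A+", ["TLS 1.2", "TLS 1.3"], True, NOW + timedelta(days=90), True, True),
    Endpoint("203.0.113.11", "B", ["TLS 1.0", "TLS 1.1", "TLS 1.2"], True, NOW + timedelta(days=90), False, True),
    Endpoint("203.0.113.12", "T", ["TLS 1.2", "TLS 1.3"], False, NOW + timedelta(days=11, hours=12), True, False),
]

if __name__ == "__main__":
    summary = summarize(SAMPLE, NOW)
    for key, value in summary.items():
        if key != "fix_queue":
            print(f"{key}: {value}")
    for priority, signal, ip in summary["fix_queue"]:
        print(f"  [{priority:8}] {ip}: {signal}")
```

Note that the headline comes out as "needs action" even though two of the three edges are A+ and B: the untrusted edge is not averaged away, which is the point of weakest-wins aggregation. The 11.5-day certificate reports 12 days because of the upward rounding.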
Chart Scoring:
TLS Edge Risk Map plots chartable endpoints by leaf expiry days on the horizontal axis and a numeric grade score on the vertical axis. The score is only a chart placement aid; the SSL Labs letter grade remains the user-facing result.
| Grade | Chart score | Map meaning |
|---|---|---|
| A+ / A / A- | 100 / 96 / 92 | Upper range for modern endpoint evidence. |
| B / C / D | 84 / 74 / 64 | Middle range for degraded but not lowest outcomes. |
| E / F | 54 / 44 | Lower range for severe grade outcomes. |
| T / M | 34 / 24 | Trust-related or mismatch outcomes that need direct investigation. |
Certificate rows classify returned certificates as leaf, intermediate, or root based on their role in the observed chain and whether the subject and issuer match. Trust-path rows remain separate because serving a certificate and building a trusted path to a root store are different facts. Certificate Transparency and Certification Authority Authorization signals can appear in the certificate ledger when returned with the certificate evidence.
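An added example, not the checker's code, of the leaf/intermediate/root classification described above and of the missing-intermediate case it exists to catch: link the served chain by issuer-to-subject from the leaf, stop at a self-signed certificate or at an issuer found in the client's root store, and flag a gap when neither happens. The certificate names and the one-entry root store are constructed; real evidence would carry X.509 names and key identifiers, and a full path builder also checks signatures, validity periods and constraints, which this example skips.

```python
"""Classify served certificates by chain role and detect a missing intermediate.
Added example; subjects, issuers and the root store are constructed strings."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def build_path(served: list[Cert], root_store: set[str]):
    """Walk issuer -> subject links starting at the leaf (first served cert).

    Returns (path, status, name): status is "served-root" when the walk ends at a
    self-signed served cert, "store-root" when the next issuer is in the client's
    root store, or "gap" when the issuer is neither served nor in the store
    (the classic missing-intermediate deployment). name is the terminating issuer.
    """
    path = [served[0]]
    pool = list(served[1:])
    current = served[0]
    while True:
        if current.self_signed:
            return path, "served-root", current.subject
        nxt = next((c for c in pool if c.subject == current.issuer), None)
        if nxt is not None:                      # prefer a served cert over the store
            pool.remove(nxt)
            path.append(nxt)
            current = nxt
            continue
        if current.issuer in root_store:         # serving the root is optional
            return path, "store-root", current.issuer
        return path, "gap", current.issuer


def classify_chain(served: list[Cert], root_store: set[str]):
    """Certificate Ledger style rows: (role, subject, signals) per served cert."""
    path, status, name = build_path(served, root_store)
    rows = []
    for i, cert in enumerate(served):
        role = "leaf" if i == 0 else ("root" if cert.self_signed else "intermediate")
        signals = []
        if cert not in path:
            signals.append("not linked from the leaf path")
        if status == "gap" and cert in path and cert.issuer == name:
            signals.append(f"issuer not served: {name}")
        rows.append((role, cert.subject, signals))
    return rows, status, name


# Constructed names; the root store stands in for a client's trusted roots.
ROOT_STORE = {"CN=Example Root CA"}
LEAF = Cert("CN=www.example.com", "CN=Example Intermediate CA")
INTERMEDIATE = Cert("CN=Example Intermediate CA", "CN=Example Root CA")
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")

COMPLETE = [LEAF, INTERMEDIATE]          # root omitted on purpose; the store supplies it
BROKEN = [LEAF, ROOT]                    # intermediate missing: leaf cannot reach the root

if __name__ == "__main__":
    for label, chain in (("complete", COMPLETE), ("broken", BROKEN)):
        rows, status, name = classify_chain(chain, ROOT_STORE)
        print(f"{label}: {status} ({name})")
        for role, subject, signals in rows:
            print(f"  {role:12} {subject:32} {'; '.join(signals) or '-'}")
```

The broken chain is exactly the one that produces client-specific failures: a browser with a cached copy of the intermediate (from an earlier visit to another site) connects cleanly, while a fresh client, a mobile app or a command-line tool reports a trust error. Serving the root while omitting the intermediate does not help, because the path is built upward from the leaf.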
Current public HTTPS operations generally center on TLS 1.2 and TLS 1.3. TLS 1.0 and TLS 1.1 are formally deprecated by the IETF, while SSL 2.0 and SSL 3.0 are older obsolete protocol versions. Public server-certificate validity limits are governed by the CA/Browser Forum Baseline Requirements and root program enforcement, while endpoint posture checks focus on what the public host is actually serving now.
Privacy and Accuracy Notes:
This check is not local-only. The public hostname is sent for an SSL Labs assessment, and the result reflects what that external service can observe at the time of the run.
- Use public hostnames only. Internal-only services, private DNS names, and sensitive unpublished hosts are outside the useful scope.
- Cached evidence can be stale within the selected max-age window. Use Fresh assessment after repair, renewal, or routing work.
- DNS behavior, CDN routing, external reachability, provider queueing, and assessment limits can affect completion time and endpoint coverage.
- The JSON export can include returned assessment details. Review it before sharing outside the team responsible for the host.
- A transport check does not validate application logic, accounts, authorization rules, payment flows, private origins, or private certificate authorities.
Worked Examples:
A CDN policy update missed one edge. The summary shows a grade spread, and Protocol floor reports TLS 1.0. Endpoint Ledger identifies the endpoint still offering the legacy protocol. Update that listener policy and run Fresh assessment to confirm the protocol floor is now TLS 1.2 or TLS 1.3 on every endpoint.
A certificate renewal reached only part of the fleet. Users see intermittent certificate warnings, and Leaf expiry still shows 30 days or less. Certificate Ledger can show whether old and new leaf certificates are both being served, while Endpoint Ledger points to the edge still serving the old certificate.
A chain deployment created client-specific failures. Some clients connect cleanly, often because they already cached the intermediate from another site, while others report trust errors. A trust count below the endpoint count means at least one endpoint returned no accepted trust path in the evidence. Use Trust Paths to find the affected chain and deploy the missing intermediate on that edge.
A hardening review found missing browser policy. The chain and grade look acceptable, but Fix Queue lists missing HSTS on several endpoints. Stabilize redirects and certificate renewal first, then publish consistent HSTS policy across the hostname.
FAQ:
Do I enter a URL or just the host?
Enter only the hostname, such as example.com. Schemes, paths, ports, wildcards, and malformed hostnames are rejected because the assessment is host-based.
When should I use Fresh assessment?
Use Fresh assessment after certificate renewal, chain changes, CDN changes, load-balancer changes, listener-policy updates, or any repair where cached evidence could hide the current state.
Can this check an internal service?
No. SSL Labs must be able to assess the host from the public Internet, so private names and internal-only endpoints are outside the checker's useful scope.
Why is the headline grade lower than one endpoint grade?
The headline follows the weakest returned endpoint grade. A production hostname can fail users through the weakest edge they reach, so the summary does not average that edge away.
Why is the TLS Edge Risk Map empty?
The map needs both a recognized grade and a leaf expiry value for chartable endpoints. Some assessment responses do not include enough evidence for chart placement.
Does a clean TLS result prove the site is secure?
No. It means the returned public transport evidence did not trigger an immediate finding. Application behavior, identity, access control, data handling, and private infrastructure still require separate review.
Glossary:
- TLS
- The modern transport security protocol family used by HTTPS.
- SSL
- The predecessor of TLS; the name is still commonly used for HTTPS certificate and transport checks even though SSL 2.0 and SSL 3.0 are obsolete.
- Endpoint
- One observed public target serving a hostname, often an IP address behind a CDN or load balancer.
- Leaf certificate
- The end-entity certificate presented directly for the hostname during the TLS handshake.
- Trust path
- A certificate path from the served leaf through intermediates toward a trusted root store.
- Protocol floor
- The oldest SSL or TLS version observed among the returned endpoints.
- HSTS
- HTTP Strict Transport Security, a response-header policy that tells browsers to connect to a host only over HTTPS for a stated period and to refuse connections whose certificate fails validation.
- OCSP stapling
- A TLS feature where the server sends certificate revocation-status evidence during the handshake.
References:
- SSL Labs API v3 Documentation, Qualys SSL Labs.
- RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3, IETF.
- RFC 8996: Deprecating TLS 1.0 and TLS 1.1, IETF.
- NIST SP 800-52 Rev. 2, National Institute of Standards and Technology.
- Latest Baseline Requirements for TLS Server Certificates, CA/Browser Forum.
- RFC 5280: Internet X.509 Public Key Infrastructure Certificate and CRL Profile, IETF.
- RFC 6797: HTTP Strict Transport Security, IETF.
- RFC 6066: TLS Extension Definitions, IETF.