Security Tools

SSL/TLS Checker

Inspect TLS certificate details for a hostname.

beginner5 minRuns in your browser

Interactive workspace

Inputs stay on your device — nothing is sent to our servers unless you choose to share.

Client-side only

Connects to the server on the selected port and reads the presented certificate. Hostname only — no path or query string.

Enter a hostname and click Check certificate

Inspect issuer, validity, expiry, SANs, and fingerprints for any public TLS endpoint — useful for reconnaissance and certificate hygiene checks.

Try an example

What this checks

Opens a TLS connection to the host and reads the server certificate — subject, issuer, validity window, SANs, and fingerprints. It does not validate trust chains or test cipher suites.

For production audits, also verify the full chain, OCSP stapling, TLS version, and HSTS. Certificates expiring within 30 days should be renewed promptly.

Documentation

How to use this tool, practical use cases, and technical notes.

The SSL/TLS Checker is designed for speed — most certificate inspections complete in under 10 seconds. Here is a full step-by-step walkthrough including advanced usage tips.

Step 1 — Enter the Hostname

In the "Hostname to check" input field, enter the fully qualified domain name (FQDN) of the server you want to inspect.

Format rules:

Input

Correct?

Notes

example.com

✅ Yes

Standard domain — checks port 443 by default

api.example.com

✅ Yes

Subdomain check — good for verifying SAN coverage

mail.example.com

✅ Yes

Use port 993 or 465 for mail protocols

192.168.1.1

✅ Yes

IP address — checks cert presented on that IP

https://example.com

❌ No

Remove the protocol prefix

example.com/login

❌ No

Remove any path or query string

example.com:8443

❌ No

Set port separately using the port selector

Step 2 — Select the Port

Use the Port dropdown to select the port matching the service you want to inspect. TLS is not used exclusively on port 443 — it secures many different protocols:

Port

Protocol

Service

When to Use

443

HTTPS

Web traffic

Default for all websites — selected automatically

8443

HTTPS (alt)

Web traffic on alternate port

Common for Java app servers, APIs, admin panels

4443

HTTPS (alt)

Web traffic on alternate port

Used by some IoT devices and custom deployments

993

IMAPS

IMAP over TLS

Checking mail server certificates for email clients

465

SMTPS

SMTP over TLS (submission)

Outbound mail server certificate inspection

636

LDAPS

LDAP over TLS

Active Directory / LDAP certificate audits

Custom

Any

Any TLS-wrapped service

Database servers (5432, 3306), gRPC (50051), etc.

Common custom port use cases:

Custom Port

Typical Use

3389

RDP with TLS (Windows Remote Desktop)

5671

AMQP over TLS (RabbitMQ)

5986

WinRM over HTTPS

6443

Kubernetes API server

8883

MQTT over TLS (IoT)

9093

Kafka with TLS

27017

MongoDB with TLS

Step 3 — Click "Check Certificate"

The tool opens a TLS connection to the specified host and port, performs the TLS handshake, and reads the certificate the server presents. The connection is initiated from your browser.

What happens during this step:

  1. Your browser initiates a TCP connection to the hostname on the selected port

  2. A TLS ClientHello is sent, offering supported cipher suites and TLS versions

  3. The server responds with its certificate (and optionally the chain)

  4. The tool reads and parses the certificate's DER/PEM encoding

  5. Certificate fields are extracted and displayed in the output panel

Step 4 — Interpret the Results

The tool returns the following output fields. Here is what to look for in each:

Output Field

Healthy / Expected Value

Warning Signs

Subject CN

Matches the hostname you entered

Mismatch → browser warning; wildcard must cover your subdomain

SANs

Lists all domains this cert covers; your hostname should appear

Hostname not in SAN list → browsers will reject the cert

Issuer

Trusted CA (DigiCert, Let's Encrypt, Sectigo, GlobalSign, etc.)

Unknown CA → likely self-signed or private CA

Valid From

Date in the past

Future date → cert not yet active

Valid Until (Expiry)

At least 30+ days in the future

< 30 days → renew urgently; expired → connection errors

Certificate Validity Period

≤ 398 days (Apple/browser limit since Sept 2020)

> 398 days → may be rejected by modern browsers

SHA-256 Fingerprint

64-character hex string

Compare against known-good value to detect substitution

Signature Algorithm

SHA256withRSA or ECDSA with SHA-256

SHA1withRSA → deprecated; rejected by modern browsers

Step 5 — Use the Example Buttons for Learning

The tool ships with four pre-loaded example targets:

Example

What It Demonstrates

Google

A valid, well-configured certificate from a major CA; example of multi-SAN wildcard cert

GitHub

OV certificate with organizational identity details visible in issuer field

Cloudflare

Certificate issued by Cloudflare's own intermediate CA; example of CDN-issued cert

Bad SSL (expired)

An intentionally expired certificate — perfect for learning what an expired cert looks like

Click any example button to pre-fill the hostname and immediately run a check — no typing required.

Step 6 — Act on What You Find

Finding

Recommended Action

Urgency

Certificate expires in < 30 days

Begin renewal process immediately

🔴 High

Certificate expires in 30–90 days

Schedule renewal; add to monitoring

🟡 Medium

Hostname not in SAN list

Replace certificate with correct SAN coverage

🔴 High

Self-signed certificate on production

Replace with CA-signed certificate

🔴 High

SHA-1 signature algorithm

Replace with SHA-256 signed certificate

🔴 High

RSA key < 2048 bits

Replace with RSA-2048+ or ECDSA P-256

🔴 High

Certificate issued by unknown CA

Verify whether private CA is intentional or sign of attack

🟡 Medium

Validity period > 398 days

Replace at next renewal with compliant cert

🟡 Medium

Fingerprint changed unexpectedly

Investigate immediately — possible MITM or unauthorized reissue

🔴 Critical