Documentation
How to use this tool, practical use cases, and technical notes.
The SSL/TLS Checker is designed for speed — most certificate inspections complete in under 10 seconds. Here is a full step-by-step walkthrough including advanced usage tips.
Step 1 — Enter the Hostname
In the "Hostname to check" input field, enter the fully qualified domain name (FQDN) of the server you want to inspect.
Format rules:
Input | Correct? | Notes |
|---|---|---|
| ✅ Yes | Standard domain — checks port 443 by default |
| ✅ Yes | Subdomain check — good for verifying SAN coverage |
| ✅ Yes | Use port 993 or 465 for mail protocols |
| ✅ Yes | IP address — checks cert presented on that IP |
| ❌ No | Remove the protocol prefix |
| ❌ No | Remove any path or query string |
| ❌ No | Set port separately using the port selector |
Step 2 — Select the Port
Use the Port dropdown to select the port matching the service you want to inspect. TLS is not used exclusively on port 443 — it secures many different protocols:
Port | Protocol | Service | When to Use |
|---|---|---|---|
443 | HTTPS | Web traffic | Default for all websites — selected automatically |
8443 | HTTPS (alt) | Web traffic on alternate port | Common for Java app servers, APIs, admin panels |
4443 | HTTPS (alt) | Web traffic on alternate port | Used by some IoT devices and custom deployments |
993 | IMAPS | IMAP over TLS | Checking mail server certificates for email clients |
465 | SMTPS | SMTP over TLS (submission) | Outbound mail server certificate inspection |
636 | LDAPS | LDAP over TLS | Active Directory / LDAP certificate audits |
Custom | Any | Any TLS-wrapped service | Database servers (5432, 3306), gRPC (50051), etc. |
Common custom port use cases:
Custom Port | Typical Use |
|---|---|
3389 | RDP with TLS (Windows Remote Desktop) |
5671 | AMQP over TLS (RabbitMQ) |
5986 | WinRM over HTTPS |
6443 | Kubernetes API server |
8883 | MQTT over TLS (IoT) |
9093 | Kafka with TLS |
27017 | MongoDB with TLS |
Step 3 — Click "Check Certificate"
The tool opens a TLS connection to the specified host and port, performs the TLS handshake, and reads the certificate the server presents. The connection is initiated from your browser.
What happens during this step:
Your browser initiates a TCP connection to the hostname on the selected port
A TLS ClientHello is sent, offering supported cipher suites and TLS versions
The server responds with its certificate (and optionally the chain)
The tool reads and parses the certificate's DER/PEM encoding
Certificate fields are extracted and displayed in the output panel
Step 4 — Interpret the Results
The tool returns the following output fields. Here is what to look for in each:
Output Field | Healthy / Expected Value | Warning Signs |
|---|---|---|
Subject CN | Matches the hostname you entered | Mismatch → browser warning; wildcard must cover your subdomain |
SANs | Lists all domains this cert covers; your hostname should appear | Hostname not in SAN list → browsers will reject the cert |
Issuer | Trusted CA (DigiCert, Let's Encrypt, Sectigo, GlobalSign, etc.) | Unknown CA → likely self-signed or private CA |
Valid From | Date in the past | Future date → cert not yet active |
Valid Until (Expiry) | At least 30+ days in the future | < 30 days → renew urgently; expired → connection errors |
Certificate Validity Period | ≤ 398 days (Apple/browser limit since Sept 2020) | > 398 days → may be rejected by modern browsers |
SHA-256 Fingerprint | 64-character hex string | Compare against known-good value to detect substitution |
Signature Algorithm | SHA256withRSA or ECDSA with SHA-256 | SHA1withRSA → deprecated; rejected by modern browsers |
Step 5 — Use the Example Buttons for Learning
The tool ships with four pre-loaded example targets:
Example | What It Demonstrates |
|---|---|
A valid, well-configured certificate from a major CA; example of multi-SAN wildcard cert | |
GitHub | OV certificate with organizational identity details visible in issuer field |
Cloudflare | Certificate issued by Cloudflare's own intermediate CA; example of CDN-issued cert |
Bad SSL (expired) | An intentionally expired certificate — perfect for learning what an expired cert looks like |
Click any example button to pre-fill the hostname and immediately run a check — no typing required.
Step 6 — Act on What You Find
Finding | Recommended Action | Urgency |
|---|---|---|
Certificate expires in < 30 days | Begin renewal process immediately | 🔴 High |
Certificate expires in 30–90 days | Schedule renewal; add to monitoring | 🟡 Medium |
Hostname not in SAN list | Replace certificate with correct SAN coverage | 🔴 High |
Self-signed certificate on production | Replace with CA-signed certificate | 🔴 High |
SHA-1 signature algorithm | Replace with SHA-256 signed certificate | 🔴 High |
RSA key < 2048 bits | Replace with RSA-2048+ or ECDSA P-256 | 🔴 High |
Certificate issued by unknown CA | Verify whether private CA is intentional or sign of attack | 🟡 Medium |
Validity period > 398 days | Replace at next renewal with compliant cert | 🟡 Medium |
Fingerprint changed unexpectedly | Investigate immediately — possible MITM or unauthorized reissue | 🔴 Critical |
The SSL/TLS Checker is designed for speed — most certificate inspections complete in under 10 seconds. Here is a full step-by-step walkthrough including advanced usage tips.
Step 1 — Enter the Hostname
In the "Hostname to check" input field, enter the fully qualified domain name (FQDN) of the server you want to inspect.
Format rules:
Input | Correct? | Notes |
|---|---|---|
| ✅ Yes | Standard domain — checks port 443 by default |
| ✅ Yes | Subdomain check — good for verifying SAN coverage |
| ✅ Yes | Use port 993 or 465 for mail protocols |
| ✅ Yes | IP address — checks cert presented on that IP |
| ❌ No | Remove the protocol prefix |
| ❌ No | Remove any path or query string |
| ❌ No | Set port separately using the port selector |
Step 2 — Select the Port
Use the Port dropdown to select the port matching the service you want to inspect. TLS is not used exclusively on port 443 — it secures many different protocols:
Port | Protocol | Service | When to Use |
|---|---|---|---|
443 | HTTPS | Web traffic | Default for all websites — selected automatically |
8443 | HTTPS (alt) | Web traffic on alternate port | Common for Java app servers, APIs, admin panels |
4443 | HTTPS (alt) | Web traffic on alternate port | Used by some IoT devices and custom deployments |
993 | IMAPS | IMAP over TLS | Checking mail server certificates for email clients |
465 | SMTPS | SMTP over TLS (submission) | Outbound mail server certificate inspection |
636 | LDAPS | LDAP over TLS | Active Directory / LDAP certificate audits |
Custom | Any | Any TLS-wrapped service | Database servers (5432, 3306), gRPC (50051), etc. |
Common custom port use cases:
Custom Port | Typical Use |
|---|---|
3389 | RDP with TLS (Windows Remote Desktop) |
5671 | AMQP over TLS (RabbitMQ) |
5986 | WinRM over HTTPS |
6443 | Kubernetes API server |
8883 | MQTT over TLS (IoT) |
9093 | Kafka with TLS |
27017 | MongoDB with TLS |
Step 3 — Click "Check Certificate"
The tool opens a TLS connection to the specified host and port, performs the TLS handshake, and reads the certificate the server presents. The connection is initiated from your browser.
What happens during this step:
Your browser initiates a TCP connection to the hostname on the selected port
A TLS ClientHello is sent, offering supported cipher suites and TLS versions
The server responds with its certificate (and optionally the chain)
The tool reads and parses the certificate's DER/PEM encoding
Certificate fields are extracted and displayed in the output panel
Step 4 — Interpret the Results
The tool returns the following output fields. Here is what to look for in each:
Output Field | Healthy / Expected Value | Warning Signs |
|---|---|---|
Subject CN | Matches the hostname you entered | Mismatch → browser warning; wildcard must cover your subdomain |
SANs | Lists all domains this cert covers; your hostname should appear | Hostname not in SAN list → browsers will reject the cert |
Issuer | Trusted CA (DigiCert, Let's Encrypt, Sectigo, GlobalSign, etc.) | Unknown CA → likely self-signed or private CA |
Valid From | Date in the past | Future date → cert not yet active |
Valid Until (Expiry) | At least 30+ days in the future | < 30 days → renew urgently; expired → connection errors |
Certificate Validity Period | ≤ 398 days (Apple/browser limit since Sept 2020) | > 398 days → may be rejected by modern browsers |
SHA-256 Fingerprint | 64-character hex string | Compare against known-good value to detect substitution |
Signature Algorithm | SHA256withRSA or ECDSA with SHA-256 | SHA1withRSA → deprecated; rejected by modern browsers |
Step 5 — Use the Example Buttons for Learning
The tool ships with four pre-loaded example targets:
Example | What It Demonstrates |
|---|---|
A valid, well-configured certificate from a major CA; example of multi-SAN wildcard cert | |
GitHub | OV certificate with organizational identity details visible in issuer field |
Cloudflare | Certificate issued by Cloudflare's own intermediate CA; example of CDN-issued cert |
Bad SSL (expired) | An intentionally expired certificate — perfect for learning what an expired cert looks like |
Click any example button to pre-fill the hostname and immediately run a check — no typing required.
Step 6 — Act on What You Find
Finding | Recommended Action | Urgency |
|---|---|---|
Certificate expires in < 30 days | Begin renewal process immediately | 🔴 High |
Certificate expires in 30–90 days | Schedule renewal; add to monitoring | 🟡 Medium |
Hostname not in SAN list | Replace certificate with correct SAN coverage | 🔴 High |
Self-signed certificate on production | Replace with CA-signed certificate | 🔴 High |
SHA-1 signature algorithm | Replace with SHA-256 signed certificate | 🔴 High |
RSA key < 2048 bits | Replace with RSA-2048+ or ECDSA P-256 | 🔴 High |
Certificate issued by unknown CA | Verify whether private CA is intentional or sign of attack | 🟡 Medium |
Validity period > 398 days | Replace at next renewal with compliant cert | 🟡 Medium |
Fingerprint changed unexpectedly | Investigate immediately — possible MITM or unauthorized reissue | 🔴 Critical |