LIVE NEWSROOM · --:-- · May 15, 2026
A LIBRARY FOR SECURITY RESEARCHERS

TOOLS  /  SSL / TLS

SSL / TLS Certificate Inspector

Connect to any host over TLS and inspect its certificate chain — subject, issuer, validity, signature algorithm, SAN list, days-to-expiry.

    What it does

    TLS certificates secure every HTTPS connection. When something breaks — Heartbleed-era vulnerability surface, expired certs, weak signature algorithms, or misconfigured chains — your users see browser warnings or your service fails entirely. Our inspector performs a real TLS handshake to the host you specify, captures the server’s certificate plus chain, and decodes everything: subject and issuer CN, SHA-1 vs SHA-256 signing, validity window, days-to-expiry, and the full Subject Alternative Name list.

    How to use it

    1. Enter a host (e.g. example.com) or host:port (e.g. example.com:8443).
    2. Click "Inspect cert".
    3. Read the validity panel — green = valid, yellow = expires soon, red = already expired.
    4. Review the SAN list to confirm the cert covers all the hostnames you serve.
    5. Check the issuer — Let’s Encrypt, DigiCert, Sectigo are all reputable; an unfamiliar issuer warrants investigation.

    Common use cases

    Pre-renewal expiry check Set a reminder to run this 30 days before your cert’s renewal date — catch any chain issues before they cause outages.
    SAN coverage audit After issuing a new cert, verify it covers every subdomain you intended (no gaps for *.staging.example.com).
    Vendor security review When evaluating a vendor portal, check their cert is recent, properly chained, and signed with SHA-256+.
    Incident response — typosquat domain When investigating a phishing domain, check its cert — Let’s Encrypt issuance + age = pattern for attacker setup.

    Frequently asked questions

    Why does it say "days_left: -5"? +
    Negative days_left = expired. You need to renew immediately. Modern browsers will refuse to load the site.
    What does "expires_soon" mean? +
    30 days or less remaining. Most renewal automation (certbot, acme.sh) handles renewal at 30-day threshold; if your cert is in this state without a renewal job running, intervene.
    Why is my chain only 2 certs deep? +
    The leaf + one intermediate is standard. The root is in browser trust stores; it doesn’t need to be sent.
    SHA-1 vs SHA-256? +
    SHA-1 is deprecated for SSL certs (browsers reject since 2017). All modern certs should use SHA-256 or SHA-384.
    Can I check a self-signed cert? +
    Yes. The check connects and parses regardless of trust validation — the report shows whether the cert is self-signed via its issuer == subject relationship.

    Related tools

    Related coverage on Ciphers Security

    Free for everyone, no signup required. Tool runs at /tools/ssl-checker/ — bookmark or share.

    Scroll to Top