Free Developer Tool

SSL Inspector

Verify the security chain and validity status of any domain certificate. Enter a hostname to analyze remaining expiration days, active issuer details, and encryption algorithm strength.

Verify subdomains by entering their explicit hostname (e.g. api.domain.com).

Certificate Expiry Best Practices

Renew early: Most standard SSL issuers recommend renewing certificates 30 days before expiration to avoid browser warnings.

Chain verification: If a certificate is valid on your machine but throws errors elsewhere, verify that intermediate certificate files are properly appended to your web server configurations.

Enter a domain hostname on the left to inspect its SSL/TLS certificate details.

Comprehensive Guide to SSL/TLS Certificates and Chain Verification

Secure Sockets Layer (SSL) and its modern successor, Transport Layer Security (TLS), are cryptographic protocols designed to provide communications security over a computer network. When a browser accesses a website via https://, the server presents a public key certificate to verify its identity and establish an encrypted session channel. This protects data payloads from man-in-the-middle (MITM) snooping and injection attacks.

An SSL checker allows developers and network administrators to inspect certificate parameters in real-time. By initiating a secure handshake on port 443, the inspector extracts validation properties, cipher parameters, signature verification tags, and expiration timelines. This check is crucial to ensure your server configuration meets modern security guidelines and prevents user-facing browser security warnings.

Understanding Key Certificate Attributes

When inspecting an SSL/TLS cert, several structural fields dictate whether a browser will trust the connection:

  • Common Name (CN) & Subject Alternative Names (SAN): The Common Name identifies the primary host domain name secured by the certificate. Subject Alternative Names allow a single certificate to protect multiple domains or subdomains (such as wildcard certificates).
  • Issuer (Certificate Authority): The entity responsible for validating the organization and signing the certificate (e.g., Let's Encrypt, DigiCert, Sectigo). Browsers trust certificates issued by authorities registered in their local root program store.
  • Validity Range (Not Before & Not After): The exact calendar dates between which the certificate is considered valid. Modern certificates issued by commercial CAs have a maximum validity duration of 398 days (approximately 13 months).
  • Key Size and Signature Strength: The length of the public key (typically 2048-bit or 4096-bit for RSA, or 256-bit for ECC) and the hashing algorithm used to sign the certificate (such as SHA-256).

Common Causes of Web SSL Failures and Handshake Outages

When a browser encounters a faulty certificate configuration, it displays prominent security warnings that block traffic. Common failures include:

Expired Validity Lifespans

Occurs when automated cron renewal scripts fail (e.g. Let's Encrypt renewal errors). Browsers block all client traffic with an SEC_ERROR_EXPIRED_CERTIFICATE warning.

Hostname Mismatch Failures

Triggers when the certificate Common Name does not match the exact hostname requested by the client browser (e.g. mapping a dev cert to a production domain name).

Frequently Asked Questions

Everything you need to know about SSL/TLS certificates and connection parameters.

How does the SSL inspector fetch host certificates?

Our SSL checker calls a secure backend API endpoint that executes a standard client TLS socket handshake on port 443 with the target host, retrieving the public peer certificate chain properties securely.

Why does the inspector warn that a certificate has expired?

An expired warning indicates that the current calendar date is outside the start and end validation timestamps issued by the Certificate Authority, rendering the certificate untrusted by web browsers.

What causes a name mismatch error on an SSL certificate?

This triggers if the hostname entered does not match any values listed in the certificate's Common Name (CN) or Subject Alternative Name (SAN) fields.

How often should SSL certificate parameters be inspected?

It is best practice to monitor certificate parameters continuously. We recommend daily automated validation checks to flag upcoming expiration dates at least 14 days in advance.

Automate SSL & Certificate Expiry Alerts

Avoid user-facing browser warnings by receiving alerts 14 days before your domains expire. Monitor all endpoints from a single dashboard.