SSL Certificate Checker

Error: Unable to complete check. Please try again.

You can paste a full URL — the tool strips https:// and any path automatically.

Connecting to and retrieving certificate…

Host Checked

—

⌨ Raw API Response

🔮 Run Full Scan

Probe cipher suites and run nine vulnerability checks — POODLE, BEAST, CRIME, Heartbleed, DROWN, LOGJAM, ROBOT, TICKETBLEED, and RC4.
Takes approximately 30–60 seconds.

Initializing full scan…

🔮 Full Scan Results

How to Use the SSL Certificate Checker

Enter a Domain Name

Type any domain name (e.g. example.com or www.example.com) into the input field. You can also paste a full URL — the tool strips https:// and any path automatically. Internal hostnames and IP addresses are not supported — only public domains reachable on port 443.

Click Check SSL for an Instant Result

The Fast Check completes a live TLS handshake with the server on port 443 and returns a full certificate analysis in 2–3 seconds. You get a security grade from A to F, expiry date with urgency badge, issuer details, TLS version, key type and size, all Subject Alternative Names, certificate chain depth, SHA-256 fingerprint, and OCSP URL.

Review the Security Grade and Certificate Details

The grade badge gives you an at-a-glance summary. Grade A is excellent — TLS 1.3, strong key, valid chain, more than 90 days remaining. Grade B is good. Grade C needs attention. Grade F means something is broken and needs immediate action. All certificate details are shown in organized cards below the grade.

Optionally Run a Full Scan for Deep Analysis

Click the Run Full Scan button after your Fast Check results appear. The full scan probes cipher suite support and runs nine vulnerability checks including POODLE, BEAST, CRIME, Heartbleed, DROWN, LOGJAM, ROBOT, TICKETBLEED, and RC4. Results are appended below your certificate data. This scan takes 30–60 seconds.

Frequently Asked Questions

What does the SSL security grade mean?

The security grade summarizes the overall health of an SSL configuration in a single letter. Grade A means TLS 1.3, strong key (RSA 2048-bit or ECC 256-bit minimum), valid SHA-256 signature, complete chain, matching domain, and more than 90 days until expiry. Grade B means TLS 1.2 or expiring within 30–90 days. Grade C means expiring within 30 days, weak key, or deprecated signature. Grade F means expired, broken chain, domain mismatch, or connection failure.

What is a certificate chain and why does it matter?

The certificate chain links your certificate to a trusted Root CA. Your server must send the full chain including all intermediates. The most common SSL misconfiguration is a missing intermediate — desktop browsers cache it, but fresh mobile clients and API callers fail with an untrusted certificate error.

What is the difference between TLS 1.2 and TLS 1.3?

TLS 1.3 reduces the handshake from two round trips to one, removes all weak cipher suites, and adds 0-RTT resumption. TLS 1.2 is still secure when configured correctly with strong cipher suites and no legacy fallback. TLS 1.0 and TLS 1.1 are deprecated and should be disabled — our Full Scan tests for both.

What are Subject Alternative Names (SANs)?

SANs are the complete list of domain names a certificate is valid for. A wildcard (*.example.com) covers all direct subdomains. A multi-domain SAN certificate can cover completely different domain names on a single certificate.

What does the Full Scan check?

The Full Scan adds cipher suite enumeration and nine vulnerability probes: POODLE (SSL 3.0 padding oracle), BEAST (TLS 1.0 CBC exploit), CRIME (TLS compression exploit), Heartbleed (OpenSSL memory disclosure), DROWN (SSLv2 attack), LOGJAM (weak DH downgrade), ROBOT (RSA padding oracle), TICKETBLEED (F5 session ticket leak), and RC4 (weak stream cipher). Takes 30–60 seconds.

Why does my site show Grade B instead of Grade A?

Most common reasons: the server negotiates TLS 1.2 instead of TLS 1.3, or the certificate expires within 30–90 days. For Grade A, ensure TLS 1.3 is enabled and preferred, key is RSA 2048-bit or ECC 256-bit or stronger, signature is SHA-256 or better, chain is complete, and more than 90 days remain until renewal.

What is OCSP?

OCSP (Online Certificate Status Protocol) checks whether a certificate has been revoked before its expiry. The OCSP URL shown in results is where browsers query the CA to confirm the certificate is still valid. OCSP Stapling allows the server to include a pre-signed OCSP response in the TLS handshake, avoiding a separate browser request.

SSL & TLS Terms Glossary

Not sure what a certificate field means? These definitions explain every piece of data this tool returns.

Certificate Fields

Common Name (CN)

Primary Domain

The primary domain the certificate was issued for. Modern browsers validate SANs, not CN. A wildcard CN (*.example.com) covers all direct subdomains.

Subject Alternative Names

SANs

The complete list of domains this certificate covers. One certificate can protect dozens of domains via SANs.

Certificate Authority

Issuer / CA

The organization that issued and signed the certificate — e.g. Let’s Encrypt, DigiCert, Sectigo. Browsers trust only CAs in their built-in trust store.

Key Type & Size

Public Key

The algorithm and length of the public key. RSA 2048-bit and ECC 256-bit are current minimums. ECC offers equivalent security at smaller key size, resulting in faster handshakes.

Signature Algorithm

Hash Algorithm

The hashing algorithm the CA used to sign the certificate. SHA-256 is current standard. MD5 and SHA-1 are deprecated and insecure.

SHA-256 Fingerprint

Certificate Hash

A unique cryptographic hash of the entire certificate. Used to verify a specific certificate is installed versus a different one with the same domain.

TLS & Protocol Terms

TLS 1.3

Current Standard

The current TLS standard (2018). 1-round-trip handshake, forward secrecy by default, no weak ciphers, 0-RTT resumption.

TLS 1.2

Still Acceptable

Secure when configured correctly with strong cipher suites. A server supporting only TLS 1.2 receives Grade B rather than A.

TLS 1.0 / 1.1

Deprecated

Deprecated by all major browsers since 2020. Vulnerable to BEAST and POODLE. Should be disabled on all servers immediately.

Cipher Suite

Encryption Algorithm

The combination of algorithms negotiated for a TLS connection. Strong suites use ECDHE + AES-GCM or ChaCha20. Weak suites use RC4, DES, 3DES, or NULL.

OCSP

Revocation Check

Online Certificate Status Protocol. Verifies a certificate has not been revoked. OCSP Stapling embeds the check in the TLS handshake to eliminate a separate browser request.

Certificate Chain

Trust Path

The sequence from your leaf certificate to a trusted Root CA. Missing intermediates cause failures on fresh clients even when desktop browsers appear fine.

How to Use the SSL Certificate Checker

Frequently Asked Questions

SSL & TLS Terms Glossary

Related IT Tools