Does the request go through your server?

Yes. The browser can't open a raw TLS socket - the TLS handshake happens at our **Node.js backend**, which connects to the target host, retrieves the certificate chain, and returns it as JSON. **We do not log hostnames** and we do not store the certificate. There's a rate limit of **30 checks per hour per IP** to keep the service responsive.

What is a "chain" and why are there 3 certs?

TLS uses a **chain of trust**. The **leaf cert** (your domain) is signed by an **intermediate CA**, which is signed by a **root CA** baked into every operating system. A typical chain is **3 certificates**: leaf → intermediate → root. Some setups have **2 intermediates**. **A single cert** in the chain almost always means **self-signed** (development) or **missing intermediates** (misconfigured server).

"Days remaining" is negative - what now?

The cert **expired**. Every browser, every mail client, every API client will refuse to talk to your server. **Renew immediately**: Let's Encrypt renews with `certbot renew`, paid CAs send you a new cert by email. After renewing, **restart the web server** (`nginx -s reload`, `systemctl reload nginx`) - reloading just the config is usually enough, no full restart needed.

"Hostname doesn't match the certificate" - what does that mean?

The cert is issued for **other names**. Browsers compare the hostname you typed against the cert's **CN** and **SubjectAltName** (SAN) list. Mismatches we see daily: cert for `example.com` only (no `www.`), cert for `*.example.com` only (no apex), cert for the **shared host's** default domain (you deployed without setting up your own cert). The inspector lists the SANs so you can see exactly what the cert covers.

What is a "weak signature"?

A cert signed with **SHA-1** or **MD5**. Browsers stopped trusting SHA-1 certs in **2017** because SHA-1 collisions are now feasible - an attacker can in theory forge a different cert with the same signature. **All modern certs use SHA-256 or better**. Seeing SHA-1 means the issuer is shady or the cert is ancient. Replace it.

What is a "weak key"?

**RSA below 2048 bits** or **ECDSA below 256 bits**. RSA-1024 was deprecated by **NIST in 2013**; modern CAs won't issue anything smaller than RSA-2048 or ECDSA P-256. If you see a weak key in your chain, the cert was generated incorrectly (old `openssl req` default, ancient tooling). **Re-issue with `openssl req -newkey rsa:2048`** or `-newkey ec:secp384r1`.

My chain says "incomplete" but the browser is happy. Why?

Browsers ship with **AIA (Authority Information Access)** fetching - if the server omits an intermediate, the browser downloads it from the URL in the cert's AIA extension. **Mail clients, Java apps, curl, mobile apps** usually do not - they fail immediately. **Fix the server**: add the full chain to your nginx / Apache / Caddy config (concatenate leaf + intermediate(s) into `fullchain.pem`).

Can I check a server on a non-443 port?

Yes. Type the port in the **Port** field, or use **host:port** in the hostname field. Common non-443 TLS ports: **465** (SMTPS), **587** (Submission with STARTTLS - won't work here, the server starts plain and upgrades), **993** (IMAPS), **995** (POP3S), **8443** / **9443** (admin panels). **STARTTLS protocols are not supported** - they require speaking the underlying protocol first.

What does "self-signed" mean?

The cert signed itself instead of being signed by a public CA. **Common in development** (`mkcert`, `openssl req -x509`), in **internal corporate PKI** (your IT department runs its own CA), and in **misconfigured servers** (someone forgot to install the real cert). Self-signed certs are not trusted by browsers - you'll see the "Not Secure" warning unless the user manually adds the cert.

Is my domain visible to anyone?

The hostname goes to our server, then to the target host over the public internet. **We don't log it**. Anyone running a TLS observatory ([crt.sh](https://crt.sh), Censys, Shodan) already sees every cert issued for your domain - the inspector doesn't reveal anything that's not already public.

SSL Certificate Inspector - free

SSL certificate inspector

Type a domain and click Check. We open a real TLS handshake from our server and show you the full certificate chain, validity dates, key strength, signature algorithm and warnings.

Your query goes to our server, which connects to the host and returns its public certificate. We don't log it.

What does the SSL certificate inspector show?

Type a domain (or hostname:port), click Check, and the tool opens a real TLS handshake to that server and reads back its certificate chain. You get the same data your browser sees when you click the padlock, plus a few extras: days until expiry, public key strength, signature algorithm, SHA-1 / SHA-256 fingerprints, SANs, AIA and CRL URLs.

Useful when HTTPS broke ("ERR_CERT_DATE_INVALID", "NET::ERR_CERT_AUTHORITY_INVALID"), when you're about to renew a cert and want to confirm the new one is live, or when you're auditing a freshly deployed service and need proof the chain is complete.

Works on port 443 by default, but also 465 (SMTPS), 993 (IMAPS), 8443 (admin panels), any port speaking TLS.

How to use it

Type a hostname like `example.com` or `mail.google.com`. Skip the https://, that's the protocol, not part of the name.

Need a non-standard port? Type it after a colon: `example.com:8443`, or fill the dedicated Port field.

Click Check. Our server opens a TLS handshake, 1-3 seconds on a typical link.

Read the chain top-down: leaf (your domain) → intermediate (issued by a root) → root CA (DigiCert, Let's Encrypt, etc.). Warnings show in red chips at the top.

When this is useful

Six everyday situations:

HTTPS broke in the browser. The padlock disappeared or you got "NET::ERR_CERT_*". The inspector tells you which check failed: expired, hostname mismatch, missing intermediate, weak signature.
Cert renewal. You just deployed a new Let's Encrypt / DigiCert cert. Verify the chain is complete and the validity window starts now.
Mail server audit. Check SMTPS (465), IMAPS (993), Submission (587) - mail clients are stricter than browsers about chains.
Internal services. admin.yourdomain.com:8443, vpn.yourdomain.com:443, api.yourdomain.com. Confirm none of them is days from expiring.
Vendor / third-party check. Before integrating a partner API, eyeball their cert: trusted issuer, valid SAN, no SHA-1.
Migration. You moved a site to a new host. Confirm the new server presents the right cert (not the old one, not the host's default cert). Also recheck DNS in the DNS lookup and ownership in the WHOIS lookup. For a fresh CSR before reissuing the cert, use the CSR generator.

Questions and answers

Same idea, no terminal. openssl s_client -connect host:443 -showcerts is the gold standard, but the output is dense and you have to parse it yourself. This tool runs the same TLS handshake from our server and pretty-prints the result. Hostname checks, expiry, signature, key strength, SANs, AIA, CRL are all surfaced as ready-to-read chips and rows.

What does the SSL certificate inspector show?

Works on port 443 by default, but also 465 (SMTPS), 993 (IMAPS), 8443 (admin panels), any port speaking TLS.

How to use it

Type a hostname like `example.com` or `mail.google.com`. Skip the https://, that's the protocol, not part of the name.

Need a non-standard port? Type it after a colon: `example.com:8443`, or fill the dedicated Port field.

Click Check. Our server opens a TLS handshake, 1-3 seconds on a typical link.

Read the chain top-down: leaf (your domain) → intermediate (issued by a root) → root CA (DigiCert, Let's Encrypt, etc.). Warnings show in red chips at the top.

When this is useful

Six everyday situations:

HTTPS broke in the browser. The padlock disappeared or you got "NET::ERR_CERT_*". The inspector tells you which check failed: expired, hostname mismatch, missing intermediate, weak signature.
Cert renewal. You just deployed a new Let's Encrypt / DigiCert cert. Verify the chain is complete and the validity window starts now.
Mail server audit. Check SMTPS (465), IMAPS (993), Submission (587) - mail clients are stricter than browsers about chains.
Internal services. admin.yourdomain.com:8443, vpn.yourdomain.com:443, api.yourdomain.com. Confirm none of them is days from expiring.
Vendor / third-party check. Before integrating a partner API, eyeball their cert: trusted issuer, valid SAN, no SHA-1.
Migration. You moved a site to a new host. Confirm the new server presents the right cert (not the old one, not the host's default cert). Also recheck DNS in the DNS lookup and ownership in the WHOIS lookup. For a fresh CSR before reissuing the cert, use the CSR generator.

Questions and answers

SSL Certificate Inspector

What does the SSL certificate inspector show?

How to use it

When this is useful

Questions and answers

Related tools

JWT decoder

Password Hashes: MD5, SHA, bcrypt

TOTP 2FA Secret Generator

SSL Certificate Inspector

What does the SSL certificate inspector show?

How to use it

When this is useful

Questions and answers

Related tools

JWT decoder

Password Hashes: MD5, SHA, bcrypt

TOTP 2FA Secret Generator