DevToolKit

SSL Certificate Checker

Check SSL/TLS certificate details, security headers, and CAA records for any domain. View certificate issuer, expiration, HSTS status, and security grade from A+ to F.


How to Use

Check SSL/TLS security for any domain:

  1. Enter a domain name — Type any domain (e.g., example.com) or click a quick-try button. The tool automatically strips protocols and paths.
  2. View the security grade — An A+ to F grade is calculated from four factors: TLS connectivity (20 points), valid certificate (20 points), security headers (up to 60 points), and CAA records (10 points). The grade provides a quick overview of the domain's security posture.
  3. Inspect details — Certificate info shows the issuer, subject, validity dates, and Subject Alternative Names. Security headers are individually checked with pass/fail indicators. CAA records show which Certificate Authorities are authorized to issue certificates.

About This Tool

SSL/TLS Certificate Overview

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) encrypt communication between browsers and web servers. Every HTTPS website has a digital certificate issued by a trusted Certificate Authority (CA) that proves the server's identity. Certificates contain the domain name, issuer, validity period, and public key used for encryption.

This tool checks certificate details from Certificate Transparency (CT) logs — a public, append-only ledger of all certificates issued by trusted CAs. CT was mandated by Google Chrome in 2018 to detect misissued or fraudulent certificates. The tool queries CT logs via crt.sh, operated by Sectigo.

Security Headers

HTTP security headers instruct browsers to enable security features. HSTS (HTTP Strict Transport Security) tells browsers to always use HTTPS, preventing protocol downgrade attacks. Content-Security-Policy restricts which resources can load, mitigating cross-site scripting (XSS). X-Content-Type-Options: nosniff prevents browsers from guessing MIME types. X-Frame-Options blocks clickjacking by controlling iframe embedding. For detailed header analysis, see HTTP Headers Analyzer.

CAA DNS Records

CAA (Certificate Authority Authorization) is a DNS record type that specifies which CAs are allowed to issue certificates for a domain. Without CAA records, any CA can issue a certificate for your domain. Adding CAA records reduces the risk of unauthorized certificate issuance. For example, 0 issue "letsencrypt.org" allows only Let's Encrypt to issue certificates.
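How a CA evaluates CAA under RFC 8659, as an added example that is not part of this tool's code: it covers the parent-domain lookup, wildcard requests, the empty `;` issuer, and the critical flag. The function names, the sample zone, and the set of tags treated as understood are assumptions made for the sketch.

```javascript
// Constructed CAA RRsets keyed by DNS name (sample data, not real lookups).
const SAMPLE_ZONE = new Map([
  ["example.com", [
    { flags: 0, tag: "issue", value: "letsencrypt.org" },
    { flags: 0, tag: "issuewild", value: ";" },
  ]],
  ["locked.example.net", [{ flags: 0, tag: "issue", value: ";" }]],
  ["odd.example.org", [{ flags: 128, tag: "futuretag", value: "x" }]],
]);

// RFC 8659: walk from the requested name toward the root and use the
// first non-empty CAA RRset found on the way.
function relevantRRset(zone, name) {
  const labels = name.toLowerCase().replace(/^\*\./, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    const rrset = zone.get(labels.slice(i).join("."));
    if (rrset && rrset.length > 0) return rrset;
  }
  return [];
}

// The issuer domain is the part before any ";parameters"; empty means "no CA".
function issuerDomain(value) {
  return value.split(";")[0].trim().toLowerCase();
}

function caaPermits(zone, name, caDomain) {
  const rrset = relevantRRset(zone, name);
  if (rrset.length === 0) return true; // no CAA anywhere: any CA may issue
  // Assumption: this hypothetical CA understands only these three tags.
  const known = new Set(["issue", "issuewild", "iodef"]);
  // Critical bit (128) on a tag the CA does not understand blocks issuance.
  if (rrset.some(r => (r.flags & 128) && !known.has(r.tag.toLowerCase()))) return false;
  const byTag = t => rrset.filter(r => r.tag.toLowerCase() === t);
  const wildcard = name.startsWith("*.");
  // For wildcard names, issuewild records (when present) replace issue records.
  const relevant = wildcard && byTag("issuewild").length ? byTag("issuewild") : byTag("issue");
  if (relevant.length === 0) return true; // RRset does not restrict this request
  return relevant.some(r => issuerDomain(r.value) === caDomain.toLowerCase());
}
```

With the sample zone, `www.example.com` inherits the `example.com` policy, while `*.example.com` is refused for every CA because `issuewild ";"` overrides the `issue` record for wildcard requests.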

Scoring Methodology

The security grade is a weighted composite: TLS connectivity (20%), valid certificate (20%), HSTS (15%), CSP (15%), X-Content-Type-Options (10%), X-Frame-Options (10%), Referrer-Policy (5%), Permissions-Policy (5%). Expired certificates incur a 30-point penalty. CAA records add 10 bonus points. Related tools include DNS Lookup and WHOIS Lookup.
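The weighting above, worked through on two constructed sites, as an added example that is not DevToolKit's own code. The pass criteria for each header, the field names of the observation object, and the choice to withhold the 20 certificate points from an expired certificate are assumptions; only the A+ and F cutoffs are taken from the page.

```javascript
// Weights are the ones listed above; each header's pass test is an assumption.
const HEADER_CHECKS = {
  "strict-transport-security": { points: 15,
    // max-age=0 tells browsers to forget HSTS, so it must not count as a pass.
    pass: v => { const m = /max-age\s*=\s*"?(\d+)/i.exec(v); return !!m && Number(m[1]) > 0; } },
  "content-security-policy": { points: 15, pass: v => v.trim().length > 0 },
  "x-content-type-options": { points: 10, pass: v => v.trim().toLowerCase() === "nosniff" },
  "x-frame-options": { points: 10,
    pass: v => ["deny", "sameorigin"].includes(v.trim().toLowerCase()) },
  "referrer-policy": { points: 5, pass: v => v.trim().length > 0 },
  "permissions-policy": { points: 5, pass: v => v.trim().length > 0 },
};

function scoreSite(obs) {
  // HTTP header names are case-insensitive; normalise before lookup.
  const headers = new Map(Object.entries(obs.headers).map(([k, v]) => [k.toLowerCase(), v]));
  let score = 0;
  const failed = [];
  if (obs.tlsConnects) score += 20;
  if (obs.certValid && !obs.certExpired) score += 20;
  if (obs.certExpired) score -= 30; // expired-certificate penalty
  for (const [name, check] of Object.entries(HEADER_CHECKS)) {
    const value = headers.get(name);
    if (value !== undefined && check.pass(value)) score += check.points;
    else failed.push(name);
  }
  if (obs.caaRecordCount > 0) score += 10; // CAA bonus
  // Only the A+ and F cutoffs are stated on the page; other bands stay unnamed.
  const grade = score >= 90 ? "A+" : score < 30 ? "F" : null;
  return { score, grade, failed };
}

// Constructed observations (not real scan results).
const HARDENED = { tlsConnects: true, certValid: true, certExpired: false, caaRecordCount: 1,
  headers: { "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'", "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY", "Referrer-Policy": "no-referrer",
    "Permissions-Policy": "geolocation=()" } };
const NEGLECTED = { tlsConnects: true, certValid: false, certExpired: true, caaRecordCount: 0,
  headers: { "strict-transport-security": "max-age=0", "X-Content-Type-Options": "nosniff" } };
```

`scoreSite(NEGLECTED)` lands at 0: the expired-certificate penalty cancels the TLS and `nosniff` points, and the `max-age=0` HSTS header is listed in `failed` rather than counted as present.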

Why Use This Tool

Certificate Monitoring

Expired SSL certificates are one of the most common causes of website outages. Major services including Microsoft Teams, Spotify, and government websites have experienced downtime due to forgotten certificate renewals. This tool helps you monitor certificate expiration dates and set up renewal reminders before certificates lapse.

Common Use Cases

  • Certificate expiry monitoring: Check when certificates expire and set calendar reminders. The color-coded countdown badge highlights certificates expiring within 30 or 90 days.
  • Security audit: Verify that your website implements all recommended security headers. Missing HSTS or CSP headers are common vulnerabilities that this tool identifies.
  • Vendor assessment: Check the security posture of third-party services and APIs you integrate with. A low grade may indicate security risk.
  • Certificate transparency review: See how many certificates have been issued for a domain. Unexpected certificates could indicate unauthorized access to your domain's DNS.

Privacy

The tool queries publicly available data: Certificate Transparency logs (via crt.sh), DNS CAA records (via Cloudflare DoH), and HTTP response headers. Our Worker proxy does not log queries. Related security tools include Bcrypt Hash, RSA Key Generator, What Is My IP, and DNS Lookup.

FAQ

What does this tool check?

Four areas: TLS connectivity (can the domain establish a secure connection), certificate details from Certificate Transparency logs (issuer, expiry, subject), security headers (HSTS, CSP, X-Frame-Options), and DNS CAA records (which CAs are authorized to issue certificates).

How is the security grade calculated?

The grade is based on a weighted scoring system: TLS connectivity (+20), valid certificate (+20), HSTS header (+15), Content-Security-Policy (+15), X-Content-Type-Options (+10), X-Frame-Options (+10), CAA records (+10). Grades range from A+ (90+) to F (below 30).

Where does the certificate data come from?

Certificate details come from Certificate Transparency (CT) logs via crt.sh, a public service run by Sectigo. CT logs contain all publicly-trusted certificates issued by Certificate Authorities, making them an authoritative source for certificate metadata.

Is my query logged?

Our proxy does not log queries. The tool queries crt.sh (public CT logs) and Cloudflare DNS (1.1.1.1) for CAA records. These services have their own privacy policies.