PublicDNS Tools

SSL Certificate Checker

Understanding HTTPS, TLS encryption and certificate trust.

What this tool does

The SSL Checker connects to a server and inspects the TLS certificate presented during the secure handshake. It allows you to verify whether a website is properly configured for HTTPS.

  • Connects to hostname:443 over TLS
  • Reads the server (leaf) certificate
  • Shows certificate expiration date
  • Fetches and parses the certificate chain
  • Displays negotiated TLS protocol and cipher
  • Displays Subject Alternative Names (SAN)
  • Shows SHA-256 certificate fingerprint

What is HTTPS?

HTTPS is HTTP over TLS encryption. It ensures that traffic between the visitor and the server cannot be read or modified by third parties such as attackers, compromised routers, Wi-Fi hotspots or ISPs.

Without HTTPS, everything transferred can be intercepted:

  • Passwords
  • Cookies and login sessions
  • Personal data
  • Payment information

TLS provides three critical security properties:

  • Encryption — nobody can read the data
  • Integrity — data cannot be modified in transit
  • Authentication — you are really connected to the correct server

SSL vs TLS

The term “SSL certificate” is historically incorrect. Modern secure connections use TLS (Transport Layer Security). SSL (Secure Sockets Layer) is an older protocol that has been fully deprecated.

Timeline of protocols:

  • SSL 2.0 — insecure
  • SSL 3.0 — broken (POODLE attack)
  • TLS 1.0 — deprecated
  • TLS 1.1 — deprecated
  • TLS 1.2 — widely used
  • TLS 1.3 — current and recommended

When browsers display a lock icon, they are using TLS, not SSL.

How a TLS Handshake Works

When a browser opens https://example.com, the following happens:

  1. The client connects to the server on port 443
  2. The client announces supported TLS versions and ciphers
  3. The server sends its certificate
  4. The client validates the certificate chain
  5. A shared encryption key is negotiated
  6. Encrypted communication begins

The SSL Checker shows which TLS version and cipher were selected during this process.

The Server Certificate

The certificate is a digitally signed identity document for the server. It proves that the server belongs to a specific domain.

A certificate contains:

  • Common Name (domain)
  • Public key
  • Validity period
  • Issuer (Certificate Authority)
  • Digital signature

Subject Alternative Name (SAN)

Modern certificates do not rely on the Common Name anymore. Instead, browsers validate the SAN extension, which lists all valid hostnames. 


```

example.com
[www.example.com](http://www.example.com)
api.example.com
```

If the hostname you visit is not listed in SAN, browsers will show a certificate mismatch error.

Certificate Chain (Chain of Trust)

Your server certificate is not trusted directly. Trust is inherited from a hierarchy of certificates. 


```

Root CA (trusted by operating system / browser)
↓
Intermediate CA
↓
Server Certificate (your website)
```

Why intermediates exist

Root certificates are extremely sensitive and rarely used. Certificate Authorities issue intermediate certificates which then sign your server certificate.

The browser verifies each signature step-by-step until it reaches a trusted root stored inside the operating system.

If the intermediate certificate is missing, browsers will show: “certificate not trusted” even though the certificate itself is valid.

Expiration Date

Certificates have a strict validity period. After the expiration date, browsers will block the site completely.

This is one of the most common causes of website outages.

Modern certificates typically last 90 days (e.g. Let's Encrypt), which is why automatic renewal is critical.

Cipher Suites

A cipher suite defines how encryption is performed. It determines:

  • Key exchange method
  • Authentication algorithm
  • Encryption algorithm
  • Message authentication

Example: 


```

TLS_AES_128_GCM_SHA256
```

Modern servers should prefer forward secrecy ciphers (ECDHE) and avoid outdated algorithms such as RC4, 3DES or MD5.

Fingerprint

The SHA-256 fingerprint is a unique hash of the certificate. It can be used to verify that a certificate has not been replaced during a man-in-the-middle attack.

Typical Use Cases

  • Check when a certificate will expire
  • Verify which Certificate Authority issued it
  • Confirm hostname and SAN configuration
  • Troubleshoot browser trust errors
  • Verify TLS version and cipher

Limitations

This tool provides a quick inspection of the TLS configuration. It does not replace a full security audit or vulnerability scanner.

The following checks are outside the scope:

  • OCSP stapling validation
  • CRL revocation checks
  • HSTS policy analysis
  • TLS downgrade resistance
  • Web application vulnerabilities