Skip to content

SSL Certificate Checker

Generate the openssl command to inspect SSL certificates, parse certificate output to see issuer, validity, SANs, key info, and review SSL best practices.

FreeNo SignupNo Server UploadsZero Tracking

Step 1: Enter Domain

Step 3: Paste Certificate Output

SSL/TLS Best Practices

Use TLS 1.2 or 1.3

Disable older protocols (TLS 1.0, 1.1, SSLv3). TLS 1.3 is preferred for its improved security and performance.

Use strong cipher suites

Prefer AEAD ciphers (AES-GCM, ChaCha20-Poly1305). Disable CBC mode ciphers and RC4.

Enable HSTS

Set the Strict-Transport-Security header to force HTTPS connections. Include subdomains and use a long max-age.

Use a 2048-bit+ RSA key or ECDSA

RSA keys should be at least 2048 bits. ECDSA with P-256 or P-384 provides equivalent security with better performance.

Include all SANs

Ensure your certificate covers all domains and subdomains, including www and non-www variants.

Set up auto-renewal

Use Let's Encrypt or your CA's auto-renewal to prevent certificate expiration.

Enable OCSP Stapling

OCSP stapling improves performance and privacy by delivering certificate status with the TLS handshake.

Use Certificate Transparency

Ensure your certificates are logged in CT logs. Most modern CAs do this by default.

How to Use SSL Certificate Checker

  1. 1

    Enter the domain

    Type the domain name you want to check (e.g., example.com).

  2. 2

    Run the command

    Copy the generated openssl command and run it in your terminal.

  3. 3

    Paste and parse

    Paste the command output into the text area and click Parse Certificate to see the analysis.

Frequently Asked Questions

Browsers enforce CORS restrictions that prevent JavaScript from making raw TLS connections. The openssl command approach lets you check any certificate from your terminal.

It extracts the issuer, subject, validity dates, Subject Alternative Names (SANs), key algorithm, key size, serial number, and signature algorithm.

SANs are additional domain names or IP addresses covered by the certificate. Modern browsers use SANs instead of the Common Name to validate certificates.

Use TLS 1.2+ with strong cipher suites, a 2048-bit+ RSA key or ECDSA, HSTS headers, and ensure your certificate has not expired. See our best practices guide below the tool.

OpenSSL is pre-installed on macOS and most Linux distributions. Windows users can install it via WSL, Git Bash, or download the OpenSSL binaries.