Free TLS / SSL Certificate Inspector

Two modes. In hostname mode, the server performs a real TLS handshake against the host and port you specify, then returns the full certificate chain plus the negotiated protocol version and cipher. In PEM mode, paste a certificate (or chain) and decode every X.509 field locally in your browser using @peculiar/x509.

How to use

  1. Hostname mode: type a hostname (default port 443) and click Inspect. Within a second you see the protocol (TLS 1.3, TLS 1.2, etc.), the cipher suite, whether the chain is trusted by the Mozilla CA root store, and every certificate from leaf to root.
  2. Each cert card shows subject, issuer, validity dates with a days-to-expiry color, serial number, SHA-1 and SHA-256 fingerprints, public key algorithm and size, key usage, extended key usage, basic constraints, and Subject Alternative Names.
  3. Click the PEM disclosure under any cert to download the encoded certificate ready for use.
  4. PEM mode: paste a -----BEGIN CERTIFICATE----- block. The decode runs entirely in your browser; nothing you paste is sent over the network.

FAQ

Why does hostname mode need a server?

Browsers cannot open raw TLS connections: the TLS handshake happens below the HTTP layer, and no browser API exposes the peer certificate of a fetch. To retrieve the certificate from an arbitrary hostname, the request must originate from a server-side process (Node.js's tls.connect()). The endpoint runs on Vercel's Node.js runtime, not the Edge runtime.

What does "trust" mean in the result?

It means the certificate chain validates against Node.js's built-in CA bundle, which is derived from Mozilla's root store. A self-signed cert, an expired cert, or a cert whose chain does not terminate in a root on that list will show as untrusted, together with the specific reason.

Why does the chain sometimes have only one cert?

Some servers send only the leaf certificate and rely on the client fetching the issuer through the certificate's AIA (Authority Information Access) extension. Browsers do this transparently; this tool reports exactly what the server sent over the wire. If the chain looks short, configure the server to send the intermediate certificates explicitly: many non-browser clients do not perform AIA fetching and will fail to validate the chain.

What is the difference between TLS 1.2 and TLS 1.3?

TLS 1.3 (RFC 8446, 2018) is the modern standard. It removes weak ciphers, mandates forward secrecy, and reduces the full handshake from two round-trips to one (or zero for resumed sessions using 0-RTT). TLS 1.2 still works and is widely deployed but lacks these improvements. Aim for TLS 1.3 wherever possible.

Why do I see "Self-signed"?

The certificate's subject and issuer DN are identical, meaning it was signed with its own key. Self-signed certs are common for internal services, dev environments, and root CAs themselves. They are not trusted by browsers unless the certificate is installed manually as a trust anchor.

Are private keys ever needed?

No. This tool reads only public certificates. Never paste a private key into any web tool, including this one.

Can I inspect non-443 ports?

Yes. Many SMTP, IMAP, and database servers run TLS on different ports (587, 465, 993, 5432, 6379). Set the port field accordingly.

Can I scan internal hosts?

No. The endpoint blocks RFC 1918, loopback, and link-local addresses to prevent the public site being used as a reflection scanner against private networks.
