Overview
Use it when the format needs to change, not the meaning
Use SSL Certificate Inspector when you need a quick read of the certificate a public TLS endpoint is currently serving on a hostname and port.
Expiry checks
Confirm a certificate is still valid and spot endpoints that are close to expiry before an incident.
Hostname debugging
Check SAN coverage and common name details when a hostname mismatch or SNI issue is suspected.
Issuer review
Review issuer, subject, fingerprints, and self-signed signals without reaching for OpenSSL commands.
Supported inputs
Bring clean source text and keep the direction straight
- Accepts a public hostname plus an optional TLS port. Leave the port blank to use 443.
- Rejects URLs, IP addresses, and private or internal hostnames.
- Inspects the leaf certificate only in v1 and summarizes SAN coverage, issuer details, and validity dates.
Walk through it
Follow the same sequence you see in the tool
Workflow
Inspect a live certificate
Use this flow when you need the currently served leaf certificate for one hostname.
- Enter the public hostname and leave the port blank unless the service uses a non-standard TLS port.
- Run the inspection and review the summary card for issuer, CN, and validity timing.
- Check SAN names, fingerprints, and verdict cards before you escalate or rotate the certificate.
Workflow
Troubleshoot certificate coverage
Use this flow when browsers or clients report trust or hostname problems.
- Compare the requested hostname to the SAN list and common name coverage verdict.
- Review the issuer and self-signed check to see whether the endpoint is using an internal or unexpected certificate.
- Use the validity dates and fingerprints to confirm you are looking at the right deployment target.
What you get
Check the result before you copy it into the next step
Certificate summary
A top-level summary shows the normalized hostname, port, issuer, subject CN, and validity window.
Verdict checks
Expiry, hostname coverage, validity timing, and self-signed signals are surfaced as quick checks.
Leaf certificate details
Subject, issuer, SAN names, serial identifiers, and SHA fingerprints are normalized into copy-ready sections.
Avoid these mistakes
Small input problems create the biggest conversion errors
Pasting a full URL
Enter only the hostname. Do not include `https://`, paths, or query strings.
Forgetting a custom TLS port
If the service terminates TLS on a different port, enter that port before you run the check.
Expecting chain analysis
This v1 tool shows the served leaf certificate only, not the full certificate chain.
Glossary
Decode the terms before you act on them
This section translates the most technical labels on the page into plain language so you can interpret the output without opening another tab.
SAN
SAN stands for Subject Alternative Name. It is the list of hostnames or IP entries a certificate is allowed to identify. Browsers usually check this list before they check anything else.
Common name
The common name is an older certificate identity field. If a SAN list exists, clients usually rely on the SANs first and only fall back to the common name when SANs are absent.
Issuer
The issuer is the certificate authority or signing certificate that created the certificate you are inspecting. It tells you who vouched for that certificate.
Self-signed
A self-signed certificate is signed by the same identity it represents instead of by a separate certificate authority. That can be fine for internal systems, but public browsers usually will not trust it automatically.
Fingerprint
A fingerprint is a short hash of the certificate itself. Teams use it to confirm they are looking at the exact same certificate across logs, inventory systems, and support tickets.