HCODX/SSL Checker
Powered by SSL Labs · A+ to F grade

SSL Checker: certificate, chain, grade & expiry

Free in-browser SSL checker. The default Quick check opens a live TLS handshake to the host via ssl-checker.io and returns the certificate, issuer, expiry, days remaining, fingerprint and HSTS preload status in 2–4 seconds. Need the full A+ → F grade with every cipher suite and protocol? Click Deep scan for a Qualys SSL Labs grade (60–120 s).

idle

Quick check returns the cert, expiry, HSTS preload & CT history in 2–4 seconds. Deep scan adds Qualys' full A+→F grade with every cipher suite — 60–120 seconds.

Use cases

When to run an SSL certificate check

Cert about to expire

Spot certificates within 30 days of expiry and renew before browsers show the dreaded NET::ERR_CERT_DATE_INVALID page.

Aim for A+

See exactly which cipher suites, protocol versions or HSTS settings are dragging you down from A+ on SSL Labs.

Debug a chain issue

"Why does my site work in Chrome but not curl?" — usually a missing intermediate. The cert card lists the full chain so you know what's missing.

Spot rogue certs

The Certificate Transparency card via crt.sh shows every certificate ever issued for the domain — perfect for catching unauthorised issuance.

HSTS preload check

Verify whether your domain is in Chromium's HSTS preload list and what gaps stop it from being added.

TLS 1.3 audit

Confirm TLS 1.3 is enabled and weak protocols (SSLv3, TLS 1.0, TLS 1.1) are disabled — required for PCI-DSS compliance.

Step by step

How to use the SSL checker

1

Enter a hostname

Type example.com — no protocol, no path. The tool strips https:// automatically if you paste a full URL.

2

Click Run scan

SSL Labs returns a cached result in under 5 seconds when one is available within the last 24 hours; a fresh scan takes 60–120 seconds.

3

Read the grade tile

The big A+ → F tile is your headline result. A is good; A+ requires HSTS with a long max-age. Everything below B needs fixing.

4

Drill into the cards

Certificate, Protocols, Cipher suites (grouped by TLS 1.3 / 1.2 / legacy), HSTS preload, Certificate Transparency, plus the raw SSL Labs JSON for deep audits.

About

About SSL / TLS, the SSL Labs grade and Certificate Transparency

An SSL certificate (more accurately a TLS certificate) is the file your web server presents to browsers to prove its identity and bootstrap an encrypted connection. This online SSL checker queries Qualys' free SSL Labs API, layers on crt.sh Certificate Transparency history, and the official hstspreload.org status — all without uploading anything or sharing your scan publicly (publish=off is set automatically).

What the SSL Labs grade means

A+ = strong defaults + HSTS with a long max-age + no weak ciphers. A = strong defaults but no preload-eligible HSTS. B = mostly fine but support for an outdated cipher or missing forward secrecy. C / D = weak protocols enabled (TLS 1.0 / 1.1) or weak ciphers. F = the certificate is broken (expired, self-signed, name mismatch) or the server still speaks SSLv3.

Certificate chain & intermediates

A server certificate is signed by an intermediate certificate which is signed by a root. Browsers trust the root; the server must send the full chain so the browser can walk back up. The most common "works in Chrome, fails in curl" bug is forgetting to include the intermediate in your nginx / Apache / Caddy config. The Certificate card here lists every link in the chain so the gap is obvious.

HSTS and the preload list

HSTS (HTTP Strict Transport Security) is a response header that tells browsers "only ever load me over HTTPS". With a long enough max-age (≥ 31536000 seconds = 1 year), includeSubDomains, and the preload directive, you can submit your domain to hstspreload.org and Chrome / Firefox / Safari will hard-code your domain as HTTPS-only — even on a first-ever visit. The HSTS Preload card in this tool tells you whether you're already on the list, and lists eligibility errors / warnings if not.

Certificate Transparency (CT)

Every TLS certificate issued by a major CA since 2018 is publicly logged. The CT log lookup via crt.sh shows you every cert that exists for your domain — including ones a rogue employee, a phishing attacker, or a compromised CA might have issued without your knowledge. If you see a Let's Encrypt cert that you didn't issue, investigate immediately.

TLS 1.3 vs 1.2, cipher suites

TLS 1.3 is faster (one round-trip handshake) and removes every weak crypto primitive — there are only five cipher suites in TLS 1.3 and all are safe. TLS 1.2 is still acceptable as a fallback for older clients; TLS 1.0 / 1.1 are deprecated and disabled in all current browsers. The tool groups your server's cipher suites by version so weak ones stand out.

OCSP stapling

OCSP (Online Certificate Status Protocol) lets a browser ask the CA "is this cert still valid?". OCSP stapling moves that question onto your server, which periodically asks the CA itself and attaches a fresh, signed response to every TLS handshake — saving every visitor an extra round-trip and protecting their privacy. Enabling it is one of the easiest A → A+ upgrades.

FAQ

SSL Checker — frequently asked questions

A full SSL Labs scan probes every cipher suite and protocol from multiple test rigs, then re-checks against known vulnerability databases. The first scan of a host can take 90–120 s. Cached results return instantly.

A+ is the best. A means strong defaults. B / C indicate weaker ciphers or protocol gaps. F means broken — typically a self-signed or expired certificate, or an unsupported TLS version.

SSL Labs publishes a public list of recent scans by default. This tool sets publish=off automatically, so your scan is not added to that list.

Related

Related tools