SSL/TLS Certificate Checker

Analyze any domain's SSL/TLS security and get an instant grade from A+ to F — covering HTTPS, HSTS, certificate expiry, CT logs, and DANE records.

Part of AppSec Santa's free website security scanners — five browser tools, no signup.

HTTPS & Transport Security

Verify that your site enforces encrypted connections at every step — from the initial request to the browser cache.

HTTPS availability and response check
HTTP to HTTPS redirect verification
HSTS header analysis (max-age, preload)
HTTPS downgrade protection

🔒

HTTPS

Encrypted connection verification

→

HTTP Redirect

Automatic upgrade to HTTPS

🛡

HSTS

Browser-enforced HTTPS policy

▼

Downgrade Protection

Prevents HTTPS to HTTP fallback

Certificate Health Monitoring

Catch expiring certificates before they break your site. See your issuer, validity dates, and whether your cert appears in public CT logs.

Certificate expiry and days remaining
Certificate Transparency log verification
Trusted Certificate Authority check
Subject Alternative Names (SANs)

Example Results

HTTPS Available +15

HSTS Configuration +15

Certificate Expiry -5

Certificate Issuer +10

Advanced DNS-Based Security

Go beyond basic certificate checks. Verify that your domain uses DNS-level protections like DANE/TLSA and that HTTPS connections can't be silently downgraded.

DANE/TLSA DNS record detection
HTTPS downgrade attack prevention
Certificate binding via DNS
Redirect chain analysis

Certificate Details

; Certificate Info
Issuer:     Let's Encrypt (R3)
Valid From: 2025-12-01
Valid To:   2026-03-01
Days Left:  21 days
CN:         example.com

; Subject Alternative Names
example.com
*.example.com

; DANE/TLSA
No TLSA records found

SSL/TLS Scan: —

Score: 0 / 100

Scan Time: —

Tests Passed: 0 / 0

Test	Score	Reason	Recommendation

What Is SSL/TLS Security?

SSL/TLS (Secure Sockets Layer / Transport Layer Security) encrypts data between browsers and servers. Proper SSL/TLS configuration prevents eavesdropping, man-in-the-middle attacks, and content tampering. Our tests cover the full transport security chain: from certificate validity to browser enforcement policies. Test selection follows the OWASP TLS Cheat Sheet and relevant IETF standards.

TLS

HTTPS Available

+15 / -20

HTTPS encrypts all traffic between the browser and your server using TLS. Without HTTPS, all data — passwords, form submissions, cookies — is sent in plain text and can be intercepted by anyone on the network. HTTPS is the foundation of web security and a ranking factor for search engines.

Reference: RFC 8446 (TLS 1.3), RFC 9325

301

HTTP→HTTPS Redirect

+10 / -10

When users type a URL without "https://", browsers default to HTTP. A 301 redirect from HTTP to HTTPS ensures every visitor gets the encrypted version automatically. Without this redirect, users who reach your site over HTTP stay on an unencrypted connection.

Reference: RFC 7231 §6.4.2

STS

HSTS Configuration

+15 / -15

HTTP Strict Transport Security (HSTS) instructs browsers to only connect via HTTPS for a specified duration. This prevents SSL stripping attacks where an attacker intercepts the initial HTTP request. Best practice: max-age=31536000 (1 year), includeSubDomains, and preload for browser preload list inclusion.

Reference: RFC 6797 · hstspreload.org

EXP

Certificate Expiry

+15 / -15

Expired certificates cause browsers to display security warnings that drive visitors away. Certificates have a limited validity period (typically 90 days for Let's Encrypt, 1 year for commercial CAs). Auto-renewal via ACME protocol eliminates the risk of accidental expiration.

Reference: RFC 8555 (ACME)

Certificate Transparency

+10 / -10

Certificate Transparency (CT) logs are public, append-only records of every certificate issued by participating CAs. Domain owners can monitor these logs to detect unauthorized or misissued certificates. Chrome requires all certificates to be logged to CT since April 2018.

Reference: RFC 6962 · certificate.transparency.dev

Certificate Issuer

+10 / -5

Certificates must be issued by a Certificate Authority (CA) trusted by browsers and operating systems. Self-signed certificates or certificates from unknown CAs will trigger browser warnings. Well-known CAs include Let's Encrypt, DigiCert, Sectigo, and GlobalSign.

Reference: Mozilla CA Certificate Policy

DANE/TLSA Records

+10 / 0

DANE (DNS-based Authentication of Named Entities) uses TLSA records in DNS to specify which TLS certificate a domain should present. This provides an alternative trust path independent of the CA system. DANE requires DNSSEC and is primarily used in mail server security (MTA-STS/DANE). No penalty for missing it.

Reference: RFC 6698, RFC 7671

HTTPS Downgrade Protection

+10 / -15

An HTTPS response that redirects to HTTP downgrades the user from an encrypted to an unencrypted connection. This can happen due to misconfigured redirects or mixed-content issues. HTTPS should never redirect to HTTP — it defeats the purpose of encryption and exposes users to interception.

Reference: RFC 9325 §3.1

Scoring Methodology

The score starts at 100 and is adjusted by modifiers from each of the 8 SSL/TLS security tests. Positive modifiers reward good configuration; negative modifiers penalize missing or weak settings. The final score maps to a 13-grade scale from A+ to F. Test selection follows the OWASP TLS Cheat Sheet and relevant IETF RFCs. Certificate data is sourced from crt.sh Certificate Transparency logs.

Test	Pass	Fail	Weight
HTTPS Available	+15	-20	Critical
HTTP→HTTPS Redirect	+10	-10	High
HSTS Configuration	+15	-15	High
Certificate Expiry	+15	-15	High
Certificate Transparency	+10	-10	Medium
Certificate Issuer	+10	-5	Medium
DANE/TLSA Records	+10	0	Bonus
HTTPS Downgrade Protection	+10	-15	High

Standards & References

Each test maps to published standards. We follow OWASP transport security recommendations and validate against the IETF specifications that define each protocol.

TLS 1.3 RFC 8446 — Transport Layer Security 1.3

TLS Best RFC 9325 — TLS/DTLS Recommendations

HSTS RFC 6797 — HTTP Strict Transport Security

DANE RFC 6698, 7671 — DANE/TLSA

CT RFC 6962 — Certificate Transparency

ACME RFC 8555 — Automated Certificate Management

OWASP TLS Cheat Sheet

CT Data Certificate data from crt.sh (open source)

Check Your Other Security Layers Too

SSL/TLS is one layer. HTTP security headers protect against XSS, clickjacking, and content injection. DNS security prevents spoofing and email fraud. Run all three checks for a complete picture.

Check Security Headers Check DNS Security