wiredepth
Run a check

Free tool · TLS / SSL

TLS / SSL certificate checker

Inspect any public domain's TLS certificate, supported protocols, cipher suites, and HSTS posture in one shot. No signup, no email gate.

What this tool checks

We perform a live TLS handshake against the host on port 443 and inspect what the server actually returns - issuer, subject, SAN list, validity window, and the SHA-256 fingerprint of the leaf cert. Then we walk the certificate chain to verify it terminates at a publicly-trusted root, flagging any chain breaks.

On the protocol side we negotiate down through TLS 1.3, 1.2, 1.1, and 1.0 to surface what's enabled, then enumerate the cipher suites the server is willing to use. Outdated protocols (TLS 1.0/1.1) and weak ciphers cost you points; modern AEAD ciphers and TLS 1.3 are full credit.

We also probe HSTS - whether the response sends the Strict-Transport-Security header, the max-age value, and whether includeSubDomains and preload are set. HSTS is what makes "https only" actually stick after the first visit; missing it leaves customers vulnerable to SSL-strip attacks on subsequent visits.

How to read the results

Days to expiry is the field that bites you most often - any cert under 14 days is a posture incident waiting to happen, and most outages we see come from a forgotten cert on a non-production endpoint (8443, 3128, internal admin panels). Wiredepth Pro monitors expiry continuously across all your endpoints; this free tool is the one-shot version.

Chain status being "incomplete" means the server isn't sending all intermediate certs - browsers usually paper over this via AIA fetching, but some clients (curl without ca-bundle, IoT devices, older Java) will fail outright. Always serve the full chain.

HSTS preload: if you've submitted to the HSTS Preload list and the header doesn't include preload + includeSubDomains + max-age ≥ 31536000, the preload submission is invalid and you've wasted the submission. Common gotcha.

Frequently asked questions

What does this TLS checker actually do?

It opens a real TLS connection to your domain on port 443, completes the handshake, and reads back the certificate chain plus the negotiated protocol and cipher suite. Then it walks the chain to verify it terminates at a publicly-trusted root and parses the response headers for HSTS posture.

Is the check free? Do I need to sign up?

Yes, free. No signup, no email gate. Wiredepth Pro adds continuous monitoring across all your endpoints with alerts on cert expiry, chain breaks, unusual issuers, and HSTS regression.

Does it work for non-443 endpoints?

This free tool checks port 443. Wiredepth Pro extends to any port - admin panels on 8443, proxies on 3128, internal services. Most monitors are 443-only and silently miss expirations on those endpoints.

How is "grade" calculated?

A composite of cert validity (no expiry, full chain, modern signature algorithm), protocol posture (TLS 1.3 enabled, no TLS 1.0/1.1), cipher suite quality (AEAD ciphers preferred, no RC4 / DES / EXPORT), and HSTS strength. Roughly aligned with SSL Labs methodology but stricter on weak protocols.

My grade is C but I have a valid cert - why?

Grade combines cert + protocol + HSTS. A perfectly valid cert paired with TLS 1.0 enabled and no HSTS will land at C. The grade rewards the full posture, not just the cert.

Does it work for self-signed or internal certs?

Only public domains - we connect from our infrastructure, so private CAs and self-signed certs on internal hosts are unreachable. For internal hosts use the Wiredepth on-prem probe (Enterprise tier) which runs the same checks from inside your network.

Related free tools

DMARC analyzer

Inspect DMARC, SPF, and policy strength.

Security headers checker

HSTS, CSP, X-Frame-Options, referrer policy.

DNS health checker

DNSSEC, CAA, NS, MX, expiry, blacklists.

MTA-STS + TLS-RPT checker

Mail transport security inspection.