SECURITY TOOL

SSL Certificate Checker

Inspect SSL/TLS certificate details including issuer, validity period, key strength, and security grade. Demo tool for UI demonstration purposes.


This is a demo tool that generates sample certificate data for UI demonstration purposes. No actual network requests are made.


The TLS Handshake: How Trust Is Established

The Chain of Trust

When your browser connects to a website, it receives the server's certificate and verifies a chain of trust: the server cert is signed by an intermediate CA, which is signed by a root CA that your browser trusts. There are approximately 150 root CAs trusted by major browsers. If any link in the chain is invalid, expired, or revoked, the browser shows a security warning. This system ensures that a certificate for “bank.com” can only be issued by an authorized CA, not by a random attacker.

TLS 1.3: The Modern Standard

TLS 1.3 (released 2018) reduced the handshake from 2 round trips to 1 round trip (and 0 for resumed connections), improving page load times by 100–200ms. It removed all legacy cipher suites — no more RC4, 3DES, or CBC modes. Only 5 cipher suites remain, all using AEAD encryption (AES-GCM or ChaCha20-Poly1305). TLS 1.3 also eliminated RSA key exchange, mandating forward secrecy via ephemeral Diffie-Hellman — even if a server's private key is later compromised, past sessions cannot be decrypted.

Certificate Lifetimes and Automation

Let's Encrypt issues certificates valid for 90 days, encouraging automated renewal via the ACME protocol (certbot, Caddy). Commercial CAs issue 1-year certificates (previously up to 3 years, reduced by browser vendors in 2020). Apple has proposed reducing the maximum lifetime to 45 days by 2027. The trend is clear: shorter lifetimes reduce the window of exposure from compromised keys. Automation is no longer optional — it's a security requirement.

What the Grade Measures

SSL grading evaluates several factors: protocol support (TLS 1.3 = best, TLS 1.0 = fail); key exchange (ECDHE 256-bit = A, RSA 1024-bit = F); cipher strength (AES-256-GCM = best, RC4 = fail); and certificate validity (valid chain, not expired, not revoked). An A+ requires all of the above plus HSTS with a max-age of at least 6 months and includeSubDomains. The difference between A and A+ is often just one missing HSTS header.

Frequently Asked Questions

What is Certificate Transparency and why does it matter?

Certificate Transparency (CT) is a public log of all issued certificates. When a CA issues a certificate, it must submit it to CT logs within 24 hours. Browsers like Chrome reject certificates without CT proof. This system caught rogue CA activity multiple times — including a 2015 incident where a Chinese CA issued unauthorized certificates for Google domains. You can search CT logs at crt.sh to see every certificate ever issued for your domain.

Should I use RSA or ECDSA for my certificate key?

ECDSA (Elliptic Curve) keys are recommended for new deployments. A 256-bit ECDSA key provides equivalent security to a 3072-bit RSA key, but with smaller certificates and faster handshakes. TLS 1.3 handshakes with ECDSA P-256 are approximately 2x faster than RSA-2048. Most CAs, including Let's Encrypt, now support ECDSA certificates by default.

What happens when a certificate expires mid-session?

Existing connections are not interrupted — the certificate is only validated during the TLS handshake, not during data transfer. However, new connections will fail with a certificate error. Most users will see a browser warning page and leave. For high-traffic sites, even 5 minutes with an expired certificate can mean thousands of lost visitors. This is why monitoring tools send alerts 30+ days before expiration.
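As an added example (not the demo tool's own code), the grading factors from "What the Grade Measures" and the expiry countdown behind the 30-day alerts above, implemented with Python's standard library. The A+/A/F rules follow the page; the intermediate B (non-AEAD suite) and C (static RSA key exchange) tiers and the cipher-name matching are this example's assumptions. The `observe` helper performs a real handshake and is the only part that needs network access.

```python
import re
import socket
import ssl
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
SIX_MONTHS = 15768000  # seconds: the HSTS max-age floor the page gives for A+
FAIL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")
FAIL_CIPHERS = ("RC4", "CBC3", "3DES")  # RC4 and 3DES as they appear in OpenSSL suite names

@dataclass
class Observation:
    protocol: str               # as reported by SSLSocket.version(), e.g. "TLSv1.3"
    cipher: str                 # OpenSSL suite name, e.g. "ECDHE-RSA-AES128-GCM-SHA256"
    chain_valid: bool           # chained to a trusted root and unexpired
    hsts: Optional[str] = None  # raw Strict-Transport-Security header, if the site sent one

def hsts_qualifies(header):
    """A+ needs max-age of at least six months plus includeSubDomains."""
    if not header:
        return False
    m = re.search(r"max-age=(\d+)", header, re.IGNORECASE)
    return bool(m) and int(m.group(1)) >= SIX_MONTHS and "includesubdomains" in header.lower()

def grade(obs):
    """Page's factors; the B and C tiers are this example's assumption, not the page's."""
    if not obs.chain_valid or obs.protocol in FAIL_PROTOCOLS:
        return "F"
    if any(weak in obs.cipher.upper() for weak in FAIL_CIPHERS):
        return "F"
    # TLS 1.3 suites are always ephemeral; for TLS 1.2 the ECDHE/DHE prefix says so.
    ephemeral = obs.protocol == "TLSv1.3" or obs.cipher.startswith(("ECDHE", "DHE"))
    if not ephemeral:
        return "C"  # static RSA key exchange: no forward secrecy (assumed tier)
    if "GCM" not in obs.cipher and "CHACHA20" not in obs.cipher.upper():
        return "B"  # non-AEAD (CBC) suite (assumed tier)
    return "A+" if hsts_qualifies(obs.hsts) else "A"

def days_until_expiry(not_after, now=None):
    """not_after is the getpeercert() string, e.g. 'Jun 15 12:00:00 2030 GMT'."""
    expires = ssl.cert_time_to_seconds(not_after)
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    return int((expires - now_ts) // 86400)  # negative once the certificate has expired

def observe(host, port=443, timeout=5.0):
    """Live probe (network): verified handshake, then the negotiated suite and notAfter."""
    ctx = ssl.create_default_context()  # fails the handshake on an untrusted or expired chain
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher, _, _ = tls.cipher()
            return Observation(tls.version(), cipher, True), tls.getpeercert()["notAfter"]
```

The HSTS header is not collected by `observe` because it travels in the HTTP response, not the TLS handshake; pass it in from a separate HTTPS request.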