TLS / SSL
TLS certificate checker
Inspect the live TLS certificate for any public hostname. We open a real handshake on port 443, read the peer certificate, and report issuer, validity window, hostname coverage, and signature details. Read-only — no cipher scans, no downgrade tests.
Methodology
- Probe: We open a TLS handshake to port 443 with the supplied hostname as the SNI, read the peer certificate via getPeerCertificate(true), and validate the hostname against subjectAlternativeName via tls.checkServerIdentity.
- Counts as DOWN: The TLS handshake fails entirely (TCP refused, handshake timeout, or rejected ClientHello) — we couldn't read a certificate at all.
- Counts as DEGRADED: Reserved for soon-to-expire certificates and warning-only validation issues like a self-signed cert. Browsers may still warn even when our check labels the cert valid.
- Detail: All certificate details come from getPeerCertificate(true) on the established socket. We do not enumerate cipher suites, test downgrade attacks, or scan for protocol-level weaknesses; this is read-only certificate inspection.
- Cadence: Every 5 minutes, in parallel across 4 monitoring regions (US East Virginia, US West Oregon, Europe London, Asia Singapore).
- Rate-limited targets: If a host returns 429 or consistently drops connections from our IPs, we cap retries at 3 and report the last observed status — we do not flood the target to confirm the outage.
- Data source: Direct probes from our monitoring infrastructure. We do not aggregate crowd reports, Twitter mentions, or DownDetector signals — every result on this page is a live network request.
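The probe and status mapping described in the methodology, as an added Node.js example rather than this service's own code. The 14-day warning threshold, the VALID and INVALID labels, and the handling of expired or mismatched certificates are assumptions the page does not state; the sample certificate is constructed.

```javascript
const tls = require('node:tls');
const WARN_DAYS = 14; // assumption: the page states no "soon-to-expire" threshold
// Constructed sample, shaped like getPeerCertificate(true) output.
const SAMPLE_CERT = {
  subject: { CN: 'example.test' },
  subjectaltname: 'DNS:example.test, DNS:*.example.test',
  valid_from: 'Jan 10 00:00:00 2025 GMT',
  valid_to: 'Apr 10 00:00:00 2025 GMT',
};

// authError is socket.authorizationError (chain validation result) or null.
function classify(hostname, cert, authError = null, now = new Date()) {
  if (!cert || Object.keys(cert).length === 0) {
    return { status: 'DOWN', reason: 'no certificate read' };
  }
  const notBefore = new Date(cert.valid_from);
  const notAfter = new Date(cert.valid_to);
  if (now < notBefore || now > notAfter) {
    return { status: 'INVALID', reason: 'outside validity window' };
  }
  // checkServerIdentity returns an Error on mismatch, undefined on a match.
  const nameErr = tls.checkServerIdentity(hostname, cert);
  if (nameErr) return { status: 'INVALID', reason: 'hostname not covered' };
  const selfSigned = ['DEPTH_ZERO_SELF_SIGNED_CERT', 'SELF_SIGNED_CERT_IN_CHAIN'];
  if (selfSigned.includes(authError)) return { status: 'DEGRADED', reason: 'self-signed' };
  if (authError) return { status: 'INVALID', reason: authError };
  const daysLeft = Math.floor((notAfter - now) / 86400000);
  if (daysLeft < WARN_DAYS) return { status: 'DEGRADED', reason: 'expires soon', daysLeft };
  return { status: 'VALID', reason: 'ok', daysLeft };
}

// Live probe: handshake on port 443 with the hostname as SNI, then classify.
function probe(hostname, timeoutMs = 10000) {
  return new Promise((resolve) => {
    const down = (why) => resolve({ status: 'DOWN', reason: why });
    // rejectUnauthorized: false lets an untrusted certificate be read and
    // reported instead of aborting; no application data is sent.
    const socket = tls.connect(
      { host: hostname, port: 443, servername: hostname, rejectUnauthorized: false },
      () => {
        const cert = socket.getPeerCertificate(true);
        const authError = socket.authorized ? null : String(socket.authorizationError);
        socket.end();
        resolve(classify(hostname, cert, authError));
      });
    socket.setTimeout(timeoutMs, () => { socket.destroy(); down('handshake timeout'); });
    socket.on('error', (e) => down(e.code || e.message));
  });
}
```

Because the chain check is disabled on the socket so that untrusted certificates can still be reported, the trust decision rests entirely on `classify`; a connection opened this way should never carry application data.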