Certificate Checker

What is this tool?

Certificate Checker lets you inspect SSL/TLS certificates from any server by IP address or hostname. Unlike browser-based tools, it can:

Connect directly to IP addresses (bypassing DNS)
Check servers that don't have DNS entries
Detect missing intermediate certificates in the chain
Compare certificates across multiple servers

Form Fields Explained

Hostname or IP (required)

Enter either a domain name (example.com) or an IP address (199.60.123.1). The tool will connect directly to this address on the specified port.

Port

The port to connect to. Defaults to 443 (standard HTTPS). Use other ports for non-standard setups (e.g., 8443).

SNI Hostname (optional)

Server Name Indication - the hostname sent during the TLS handshake. Use this when:

Connecting to an IP that hosts multiple sites (virtual hosting)
The server needs to know which certificate to present
Testing what certificate a specific hostname would receive

Example: Connect to IP 199.60.123.1 with SNI api.example.com to see what certificate that hostname would get from that server.

Check CN/SAN match (optional)

After retrieving the certificate, verify that it's valid for a specific hostname. This checks if the hostname appears in the certificate's:

Common Name (CN) - the primary hostname in the subject
Subject Alternative Names (SANs) - additional hostnames the cert covers

Wildcards are supported: a cert for *.example.com will match api.example.com.

Common Use Cases

1. Check a Server by IP Address

When you have an IP but no DNS entry, connect directly:

Hostname or IP: 199.60.123.1
Port: 443
SNI: www.example.com
Check CN/SAN: www.example.com

2. Check an Internal Server

Verify certificates on internal infrastructure:

Hostname or IP: 10.0.0.50
Port: 443
SNI: api.internal.com

Note: Private IPs (10.x, 192.168.x, etc.) are blocked by default. The server must be started with ALLOW_PRIVATE_IPS=true to check internal servers.

3. Compare Certificates Across Servers

Use batch mode to check multiple IPs and ensure they all have the same certificate:

199.60.123.1:443:example.com
199.60.123.2:443:example.com
199.60.123.3:443:example.com

Batch Format

One check per line:

host:port[:sni[:validate]]

Field	Required	Description
`host`	Yes	IP address or hostname
`port`	Yes	Port number (usually 443)
`sni`	No	SNI hostname for TLS handshake
`validate`	No	Hostname to check against CN/SAN

Examples:

example.com:443
199.60.123.1:443:example.com
199.60.123.1:443:example.com:www.example.com

Understanding Results

Certificate Owner

Who the certificate was issued to:

CN - Common Name (primary hostname)
O - Organization name
OU - Organizational Unit
L, ST, C - Location, State, Country

Issued By

The Certificate Authority (CA) that signed this certificate. Examples: DigiCert, Let's Encrypt, Sectigo.

Subject Alternative Names (SANs)

All hostnames this certificate is valid for. Modern certificates use SANs instead of CN for hostname validation.

Certificate Chain

The chain of trust from your certificate to a root CA:

Leaf (Server) - Your server's certificate
Intermediate - CA's intermediate certificate(s)
Root CA - Trusted root certificate

Missing intermediates? If the chain only shows the leaf certificate, your server isn't sending intermediate certificates. This causes validation failures for clients that don't have the intermediate cached.

Rate Limits

To prevent abuse, requests are rate limited:

Endpoint	Limit
Single check	10 requests per minute
Batch check	2 requests per minute (max 25 items per batch)

API Access

This tool provides a REST API for programmatic access. See the API Reference for full documentation with interactive examples.

Help & Documentation