Skip to content
speedtest.doctor
Speed Test Diagnosis Blog Guides App Embed widgets API & Widget Docs

Tools

Speed & Connection
DNS
IP
Wi-Fi & Local Network
Web / Site
Security & Privacy
Diagnosis (Doctor)
Do a Speed Test

SSL/TLS Checker

Inspect a site's certificate — validity, expiry, chain of trust and protocol. A server-side check, because browsers don't expose the TLS chain to scripts.

In development
Server-side check · in development

Why this one runs on our servers, not in your browser

Your browser validates certificates every time you load an HTTPS page — but it keeps the details to itself. JavaScript can't read the TLS handshake, the certificate chain, the expiry date or the negotiated cipher suite. To surface all of that, the check has to open a real TLS connection from a server. That engine is what we're building next; the interface will land right here.

Certificate validity

Issue and expiry dates — and how many days you have left before renewal.

Chain of trust

Whether the leaf, intermediate and root certificates link up correctly.

Hostname match

That the certificate actually covers the domain you're visiting.

Protocol & ciphers

Which TLS versions and cipher suites the server negotiates.

Run a full diagnosis How we measure

What an SSL/TLS check tells you

Every HTTPS site presents a TLS certificate that proves its identity and encrypts the connection. An SSL/TLS checker opens a secure connection to the server and reads back the details: when the certificate was issued and when it expires, who issued it, whether the full chain of trust resolves to a recognised root, whether it actually covers the hostname you're visiting, and which TLS versions and ciphers the server is willing to use. Together those answer the practical question — "is this site's encryption set up correctly, and will it keep working?".

The single most valuable output is the days-until-expiry countdown. A lapsed certificate takes a site offline for everyone with a scary browser warning, and it almost always happens silently.

How to read a certificate report

Start with expiry: plenty of runway is green, under two weeks is worth acting on. Then confirm the chain is complete — a missing intermediate certificate loads fine in your browser but breaks on other devices, the kind of bug that "works on my machine". Check the hostname matches, and that the server offers TLS 1.2 or 1.3 and not the deprecated 1.0/1.1. A clean report on all four is what earns a top grade.

Frequently asked questions

Why can't this run in my browser like the other tools?
Browser JavaScript has no access to the raw TLS handshake or the certificate chain. The browser validates the certificate itself, behind the scenes, but never exposes the details to scripts. Reading a chain, expiry and cipher suite requires a real TLS connection from a server — which is why this checker is server-side.
How can I check a certificate right now?
Click the padlock in your browser's address bar to view the certificate, or run openssl s_client -connect example.com:443 from a terminal. Our hosted checker will automate this from multiple regions when it ships.
What's the most common SSL problem?
Expired certificates, by a wide margin. A cert silently lapses, and the site throws security warnings to every visitor. Close behind is an incomplete chain — it works in some browsers but fails in others, which is maddening to debug.
What does a good grade depend on?
Modern TLS (1.2 and 1.3), strong cipher suites, a complete and trusted chain, a valid not-expired certificate, and ideally HSTS enabled. Weak protocols like TLS 1.0/1.1 or SSLv3 drag the grade down.

A certificate is one piece of site health

TLS, DNS, routing and response time all decide whether a site is healthy. While the dedicated checker is in development, run the Doctor for the full picture and a plain-language verdict.

Run a full diagnosis