Check any domain's TLS certificate — expiry, issuer, chain integrity, hostname coverage, and key strength. Equivalent to openssl s_client -connect domain:443 but readable.
| Check | Requirement | Browser error if failed |
|---|---|---|
| Expiry | Certificate within notBefore / notAfter validity period | ERR_CERT_DATE_INVALID |
| Hostname | Domain listed in Subject Alternative Names (SAN extension, RFC 5280) | ERR_CERT_COMMON_NAME_INVALID |
| Chain | Leaf + intermediate CA(s) served — root CA trusted by browser | ERR_CERT_AUTHORITY_INVALID |
| Key strength | RSA ≥ 2048-bit or ECDSA ≥ 256-bit (P-256 / P-384) | Certificate flagged as weak |
| Sig algorithm | SHA-256 or better — SHA-1 deprecated since 2016 (CA/B Forum) | Rejected by Chrome / Firefox |
| CT logging | Certificate Transparency log entry (SCT) — mandatory since 2018 | ERR_CERTIFICATE_TRANSPARENCY_REQUIRED |