Convertful

SSL Checker

Quick TLS health check: cert issuer, expiry, SANs, HSTS. Free, private, runs in your browser.

This tool needs a server because the browser can’t fetch arbitrary cross-origin URLs. Our Cloudflare Worker fetches the public URL you typed and returns the parsed result — nothing is stored.

Enter the bare hostname only; we'll connect over HTTPS automatically. Paths are stripped.

How this works: our Cloudflare Worker probes the host over HTTPS and queries crt.sh for cert metadata — nothing is stored. For deeper cipher / chain audits, use SSL Labs.


What This Tool Checks

SSL Checker is a quick health check for a domain's HTTPS setup. We confirm the host is reachable over HTTPS, read its Strict-Transport-Security header, and pull cert metadata from public Certificate Transparency logs — issuer, validity dates, days-until-expiry, and the SAN list. It's the kind of check you run before a renewal, after migrating a CDN, or to verify a customer's complaint. Not a substitute for SSL Labs' deep cipher / chain / TLS-protocol audit; meant for the 30-second 'is it healthy?' answer.

What We Don't Check — And Why

We don't show TLS protocol versions (1.2 / 1.3) because a Cloudflare Worker can't reliably inspect its own outbound TLS handshake version — the data we'd surface would be null for most hosts in practice. We don't render a certificate chain (leaf → intermediate → root) because crt.sh returns a flat list of certificates without the chain relationships we'd need to draw that tree. Both are genuinely useful diagnostics, but we'd rather surface nothing than surface something inaccurate. For a rigorous TLS protocol / cipher / chain / vulnerability audit, run SSL Labs (ssllabs.com) — that's the gold-standard tool for that level of depth.

Where The Data Comes From

Two sources combined. First, our own HTTPS request to the host — we look at the response status and the Strict-Transport-Security header. Second, crt.sh, the public Certificate Transparency log search index — every cert issued by a public CA is logged there within seconds of issuance. We query for the host, filter to the most recent active entry, and parse out the issuer, validity, and SANs.

How To Read The Expiry Traffic-Light

Green: more than 30 days until expiry. You're fine. Yellow: 8 to 30 days. Schedule the renewal now — don't let it slip. Yellow also fires when HSTS isn't configured even if the cert is healthy, because HSTS is the single most impactful TLS hardening you can apply. Red: 7 or fewer days, expired, or unreachable. Drop everything and renew. Modern automated cert flows (Let's Encrypt + cert-manager, ACM, Cloudflare Universal SSL) effectively never let you hit red — if you're seeing red, the automation is broken.

HSTS In One Paragraph

Strict-Transport-Security is a response header that tells browsers 'never visit me over plain HTTP again, for the next N seconds', where N is the header's max-age value. Once a browser sees a valid HSTS header from a domain, it refuses to make any plain-HTTP request to that domain and upgrades the request to HTTPS instead. The 'preload' flag opts the domain into Chrome's hardcoded preload list so first-time visitors are protected too. You want max-age of at least 31536000 (1 year), includeSubDomains, and (for high-traffic sites) preload. The tool flags yellow when the header is missing.
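
The expiry bands and HSTS recommendations described above, written out as an added JavaScript example (not Convertful's Worker code). The function names, the report shape, and the choice to treat an unparseable expiry date as red and `max-age=0` as "HSTS missing" are assumptions of this example.

```javascript
// Added example, not Convertful's code: names and report shape are assumptions.
const ONE_YEAR = 31536000; // recommended minimum max-age from the page
const DAY_MS = 86400000;

// Parse a Strict-Transport-Security value. Returns null when the header is
// absent or malformed (RFC 6797: no repeated directives, numeric max-age).
function parseHsts(value) {
  if (typeof value !== "string") return null;
  const seen = new Map();
  for (const part of value.split(";")) {
    const [rawName, ...rest] = part.trim().split("=");
    const name = rawName.trim().toLowerCase();
    if (!name) continue; // tolerate empty segments such as a trailing ";"
    if (seen.has(name)) return null;
    seen.set(name, rest.join("=").trim().replace(/^"(.*)"$/, "$1"));
  }
  const maxAgeText = seen.get("max-age");
  if (maxAgeText === undefined || !/^\d+$/.test(maxAgeText)) return null;
  const maxAge = Number(maxAgeText);
  const includeSubDomains = seen.has("includesubdomains");
  return {
    maxAge,
    includeSubDomains,
    preload: seen.has("preload"),
    meetsRecommendation: maxAge >= ONE_YEAR && includeSubDomains,
  };
}

// Map a report to the page's bands: green > 30 days, yellow 8 to 30 days or
// HSTS missing, red <= 7 days, expired, or unreachable.
function trafficLight({ reachable, notAfter, hstsHeader }, now = new Date()) {
  if (!reachable) return "red";
  const days = Math.floor((new Date(notAfter) - now) / DAY_MS);
  // Assumption: an unparseable expiry date is treated as red.
  if (Number.isNaN(days) || days <= 7) return "red";
  const hsts = parseHsts(hstsHeader);
  // Assumption: max-age=0 tells browsers to forget the policy, so it counts as missing.
  const hstsOn = hsts !== null && hsts.maxAge > 0;
  return days <= 30 || !hstsOn ? "yellow" : "green";
}

// Constructed sample report (dates and header made up for the example).
const sample = { reachable: true, notAfter: "2026-03-01T00:00:00Z",
  hstsHeader: "max-age=31536000; includeSubDomains; preload" };
console.log(trafficLight(sample, new Date("2026-01-01T00:00:00Z"))); // green
```

Because the expiry date here comes from Certificate Transparency metadata rather than the live handshake, the result describes the most recently logged certificate, which may not be the one the host is currently serving.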

Privacy + How The Server Works

Browsers can't read TLS metadata for other origins or call crt.sh directly because of CORS, so we proxy both fetches through a Cloudflare Worker at workers.convertful.app. The Worker performs the host probe + the CT log query and returns a combined report. Nothing is stored — no log of which hosts you check, no caching beyond the Worker's own 5-minute response cache. Your hostname is the only data we see.

FAQ

Where does the data come from?

Two sources. We make our own HTTPS request to the host to confirm reachability and read the Strict-Transport-Security header. We also query the public Certificate Transparency log at crt.sh to pull issuer, validity dates, and SAN list for the most recent active certificate.

This needs a server — what about my privacy?

Yes, it needs a server. Browsers can't read TLS metadata cross-origin or query CT logs without running into CORS restrictions. Our Cloudflare Worker performs both fetches and returns the combined report. We don't store the hostname, the cert details, or your query.

What do the colours mean?

Green: certificate valid for more than 30 days, host reachable. Yellow: 8-30 days from expiry, or HSTS missing. Red: 7 days or fewer, expired, or unreachable. The bands match common monitoring thresholds.

Does this show TLS protocol versions (1.2 / 1.3) or the cert chain?

No — both are deliberately out of scope. A Cloudflare Worker can't reliably inspect its own outbound TLS handshake version, and crt.sh returns a flat list of certificates without the chain relationships needed to render 'leaf → intermediate → root'. We surface issuer, expiry, SAN list, and HSTS because those are the signals we CAN trust. For a rigorous TLS / chain / cipher / vulnerability audit use SSL Labs (ssllabs.com).