Skip to content

SSL Checker

The InteSys SSL Checker validates SSL/TLS certificates and connection security for any domain or hostname. Access it at intesys.io/tools/sslchecker.

What It Checks

Certificate Validation

  • Validity period — Is the certificate currently valid (not expired or not yet active)?
  • Common Name / SANs — Does the certificate match the requested hostname?
  • Issuer — Which Certificate Authority issued the certificate?
  • Chain completeness — Are all intermediate certificates properly configured?
  • Signature algorithm — Is the certificate using a modern signing algorithm (SHA-256 or better)?

Protocol and Cipher Support

  • TLS versions — Which TLS versions are supported (1.2, 1.3)?
  • Cipher suites — Are strong cipher suites prioritized?
  • Key exchange — Is forward secrecy (ECDHE) enabled?
  • Key size — RSA 2048+ or ECDSA 256+ bits?

STARTTLS Support

The SSL Checker supports STARTTLS testing for mail servers. This checks the TLS upgrade on:

  • SMTP (port 25 and 587)
  • IMAP (port 143)
  • POP3 (port 110)

Test Your Mail Server

Enter your mail server hostname (e.g., mail.example.com) and enable the STARTTLS option to verify that your email connections are properly encrypted.

How to Use

  1. Navigate to intesys.io/tools/sslchecker
  2. Enter the hostname you want to check (e.g., www.example.com)
  3. Optionally specify:
    • Port — Default is 443; change for non-standard ports
    • STARTTLS — Enable for mail server testing
  4. Click Check
  5. Review the results

Understanding Results

Certificate Details

Field Description
Subject The domain(s) the certificate covers
Issuer The Certificate Authority that signed it
Valid From Start of the validity period
Valid Until Expiration date — renew before this date
Serial Number Unique identifier for the certificate
Fingerprint SHA-256 hash for verification

Common Issues

Certificate Expired

An expired certificate will cause browsers to display security warnings and may break API connections. Renew immediately and consider using automated renewal (certbot, cert-manager).

Incomplete Chain

If intermediate certificates are missing, some clients (especially mobile devices and older systems) will fail to validate your certificate even though it appears valid in desktop browsers. Ensure your server sends the full certificate chain.

TLS 1.0/1.1 Enabled

TLS 1.0 and 1.1 are deprecated and contain known vulnerabilities. Disable them and require TLS 1.2 or higher. Modern clients all support TLS 1.2+.

Best Practices

  • Automate renewal — Use Let's Encrypt with certbot or cert-manager for automatic certificate renewal
  • Monitor expiration — Check certificates at least 30 days before expiry
  • Use TLS 1.3 — Offers better performance and security than TLS 1.2
  • Enable HSTS — Enforce HTTPS with the Strict-Transport-Security header
  • Test after changes — Re-run the SSL Checker after any certificate or server configuration changes