SSL Certificate Checker avatar

SSL Certificate Checker

Pricing

$0.05 / 1,000 checked endpoints

Go to Apify Store
SSL Certificate Checker

SSL Certificate Checker

Check SSL/TLS certificates for public domains, URLs, and host:port endpoints. Export expiry, trust, hostname match, issuer, SANs, chain, TLS, cipher, HSTS, HTTPS redirect, and issue data.

Pricing

$0.05 / 1,000 checked endpoints

Rating

0.0

(0)

Developer

Maxime Dupré

Maxime Dupré

Maintained by Community

Actor stats

0

Bookmarked

2

Total users

1

Monthly active users

10 days ago

Last modified

Share

🔐 SSL certificate checker for public HTTPS endpoints

SSL Certificate Checker is an SSL checker for public domains, full URLs, and host:port HTTPS endpoints. Add targets such as apify.com, https://expired.badssl.com, or www.cloudflare.com:8443, and get one dataset row per endpoint where certificate, TLS, or HTTPS posture was observed.

  • Use an SSL checker to monitor certificate expiry across client, product, staging, and non-443 HTTPS services.
  • Run a TLS checker for negotiated TLS protocol, cipher, trust-chain status, and hostname-match evidence.
  • Use a certificate checker to find expired, self-signed, untrusted, or hostname-mismatched certificates before users hit errors.
  • Run an SSL test that exports issuer, subject, SANs, serial number, SHA-256 fingerprint, and certificate-chain evidence.
  • Build SSL certificate monitoring workflows with Apify schedules, webhooks, API calls, and dataset exports.

The Actor returns certificate validity, expiry, trust status, hostname match, issuer, subject, serial number, SHA-256 fingerprint, SANs, certificate chain, TLS protocol, cipher, HSTS, HTTPS redirect status, and issue reasons. It does not need cookies, login, source accounts, or a certificate-monitoring API key from you. For a quick first run, keep the prefilled examples.

✅ What this SSL certificate checker does

This Actor checks public HTTPS endpoints in bulk. It accepts bare domains, full HTTPS URLs, and explicit host:port values in one input list, then normalizes each target to a host and port before checking it. It flags certificates that are valid, expired, expiring soon, untrusted, self-signed, hostname-mismatched, or using weak TLS evidence when observed. It also checks HTTP-to-HTTPS redirect posture and HSTS headers when available.

The Actor is focused on practical SSL certificate monitoring. It does not run a full SSL Labs-style vulnerability scan, enumerate every supported cipher suite, guarantee OCSP or CRL checks, scan private networks, or keep a long-running alerting daemon outside normal Apify schedules, webhooks, and integrations.

📊 Data you get

Each dataset row represents one observed public endpoint result. Rows can include:

FieldDescription
targetOriginal target you submitted, useful for joining exports back to your list.
host, portNormalized endpoint that was checked.
isValidWhether the certificate is trusted, valid for the host, and not expired.
isExpiringSoon, daysUntilExpiryRenewal warning status and exact days left.
validFrom, validToLeaf certificate validity window.
hostnameMatches, isTrustedSeparate hostname and trust-chain checks.
tlsProtocol, cipherNegotiated TLS version and cipher suite.
issuer, subjectLeaf certificate identity data.
serialNumber, fingerprintSha256Stable certificate identifiers for audits.
subjectAlternativeNamesSAN values served by the certificate.
certificateChainChain subject, issuer, validity, and fingerprint evidence when served.
httpRedirectsToHttps, hstsBasic HTTPS deployment posture.
issuesSource-backed issue codes, severity, and plain-English messages.

You can export the dataset as JSON, CSV, Excel, XML, RSS, or HTML, or use the same results through the Apify API, schedules, webhooks, and integrations.

🚀 How to run it

  1. Open the Actor input.
  2. Add public HTTPS endpoints in Public HTTPS endpoints.
  3. Keep Renewal warning threshold at 30 days, or set your own renewal window.
  4. Start the Actor.
  5. Open the dataset and filter by isValid, isExpiringSoon, daysUntilExpiry, isTrusted, hostnameMatches, or issues.

Use domains when you only need the default HTTPS port. Use full URLs when your source list already contains URLs. Use host:port when you need to check a non-443 HTTPS service.

🧾 Input example

{
"targets": [
"apify.com",
"google.com",
"github.com",
"www.cloudflare.com:8443"
],
"warningThresholdDays": 30
}

Public HTTPS endpoints is the only required input. The renewal warning threshold controls when isExpiringSoon becomes true; it does not change the certificate itself.

📤 Output example

{
"target": "https://api.example.com:8443/health",
"host": "api.example.com",
"port": 8443,
"isValid": true,
"isExpiringSoon": false,
"daysUntilExpiry": 74,
"validFrom": "2025-08-03T00:00:00.000Z",
"validTo": "2026-08-31T23:59:59.000Z",
"hostnameMatches": true,
"isTrusted": true,
"tlsProtocol": "TLSv1.3",
"cipher": "TLS_AES_128_GCM_SHA256",
"issuer": {
"commonName": "Amazon RSA 2048 M02",
"organization": "Amazon",
"country": "US"
},
"subject": {
"commonName": "*.example.com",
"organization": null,
"country": null
},
"serialNumber": "0A1B2C3D4E5F67890123456789ABCDEF",
"fingerprintSha256": "12:34:56:78:90:AB:CD:EF:12:34:56:78:90:AB:CD:EF:12:34:56:78:90:AB:CD:EF:12:34:56:78:90:AB:CD:EF",
"subjectAlternativeNames": ["*.example.com", "example.com"],
"certificateChain": [
{
"subjectCommonName": "Amazon RSA 2048 M02",
"issuerCommonName": "Amazon Root CA 1",
"validFrom": "2022-08-23T22:21:28.000Z",
"validTo": "2030-08-23T22:21:28.000Z",
"fingerprintSha256": "AB:CD:EF:12:34:56:78:90:AB:CD:EF:12:34:56:78:90:AB:CD:EF:12:34:56:78:90:AB:CD:EF:12:34:56:78:90"
}
],
"httpRedirectsToHttps": true,
"hsts": {
"enabled": true,
"maxAgeSeconds": 31536000,
"includeSubdomains": true,
"preload": false
},
"issues": []
}

When an endpoint serves an expired, self-signed, untrusted, or hostname-mismatched certificate, the Actor still saves a row because that is useful observed certificate data. DNS failures, timeouts, unreachable hosts, unsupported private/internal targets, and missing TLS handshakes are logged and skipped instead of being saved as partial dataset rows.

💳 Pricing

This Actor uses pay-per-event pricing. You are charged for each checked endpoint result that is saved to the dataset. The local pricing artifact is set to $0.00005 per checked endpoint, or $0.05 per 1,000 observed endpoint results.

Runs with targets that cannot produce usable certificate, TLS, or HTTPS posture data do not save a result row for those targets.

⚠️ Limits and caveats

The Actor checks public internet endpoints. It is not designed for private intranet scanning or endpoints that require your own internal network access.

isValid is based on observed certificate trust, hostname match, and expiry. A valid certificate does not mean the whole website is secure. This Actor does not replace a full vulnerability scanner, penetration test, SSL Labs report, or certificate authority audit.

HSTS and redirect fields can be null when the posture check cannot be observed for that endpoint. Certificate-chain detail depends on what the server sends during the TLS handshake.

🔌 Integrations

  • Run the Actor from the Apify API when you need certificate checks inside a CI job, renewal dashboard, or internal audit tool.
  • Schedule recurring runs to watch public HTTPS endpoints and send changed results to webhooks.
  • Export datasets as JSON, CSV, Excel, XML, RSS, or HTML for Google Sheets, BI tools, compliance tickets, and reporting workflows.

❓ FAQ

Can I check non-443 HTTPS ports?

Yes. Use host:port, such as www.cloudflare.com:8443, or a full HTTPS URL with a port.

Does the Actor check URLs or only domains?

It accepts both. Full URLs are normalized to the HTTPS host and port for the certificate check. The original target is kept in the output so you can join results back to your input list.

Are bad certificates saved as rows?

Yes, when the endpoint serves certificate or TLS data. Expired, self-signed, untrusted, and hostname-mismatched certificates are useful observed results and are saved with issues.

Do I need cookies, login, or an API key?

No. The Actor checks public SSL/TLS endpoints and does not ask for source credentials.

Why not use the SSL Labs API?

SSL Labs is useful for deep public scans, but this Actor is built for bulk Apify workflows where you need scheduled checks, dataset exports, webhooks, and one row per observed endpoint. It does not try to replace a full SSL Labs-style vulnerability report.

What are SSL certificate checker alternatives?

You can use command-line tools, browser certificate viewers, SSL Labs, certificate authority tools, or custom TLS scripts. This Actor is useful when you need repeatable bulk output through Apify instead of checking endpoints one at a time.

📝 Changelog

  • 0.1: Initial release.

🆘 Support

For issues, questions, or feature requests, file a ticket and I'll fix or implement it in less than 24h 🫡

🔗 Other actors

Made with ❤️ by Maxime Dupré