SSL Certificate Inspector - TLS Audit & Expiry Monitor

Inspect SSL/TLS certificates for any domain: chain validation, expiry dates, cipher suites, TLS versions, subject alt names, issuer details, and security scoring. Export data, run via API, schedule and monitor runs, or integrate with other tools.

Developer

Alessandro Santamaria

Maintained by Community

Monitor SSL certificates at scale — expiry tracking, cipher auditing, chain validation.

Inspect SSL/TLS certificates for any domain and get the full picture: certificate chain, expiry dates, cipher suites, supported TLS versions, subject alt names, issuer details, and a 0-100 security score. Fast enough to audit thousands of hosts in minutes.

Features

  • Full certificate chain — leaf + every intermediate cert with subject, issuer, SANs, serial, signature algorithm, key algorithm, key size, OCSP/CRL/issuing URLs
  • Chain validation — validates against trusted system root certificates
  • Expiry tracking — days_until_expiry, is_expired, valid_from, valid_to
  • TLS version detection — probes TLS 1.0, 1.1, 1.2, 1.3 independently and flags deprecated versions
  • Cipher suite audit — negotiated cipher name and strength classification (strong / medium / weak)
  • Hostname verification — confirms the leaf cert matches the requested host
  • Self-signed detection — flags one-off certificates that won't pass real validators
  • Security scoring — weighted 0-100 score plus a list of machine-readable issues (expired, expiring_soon, weak_cipher, deprecated_tls, self_signed, hostname_mismatch, short_key, sha1_signature)
  • Flexible targets — accepts bare domains, host:port, or full URLs
  • Custom ports — works for HTTPS (443), SMTPS (465), IMAPS (993), POP3S (995), or any custom TLS port

Use with AI Agents (MCP)

Connect this actor to any MCP-compatible AI client — Claude Desktop, Claude.ai, Cursor, VS Code, LangChain, LlamaIndex, or custom agents.

Apify MCP server URL:

https://mcp.apify.com?tools=santamaria-automations/ssl-certificate-inspector

Example prompt once connected:

"Use ssl-certificate-inspector to process data with ssl certificate inspector. Return results as a table."

Clients that support dynamic tool discovery (Claude.ai, VS Code) will receive the full input schema automatically via add-actor.

Input

{
  "domains": ["apple.com", "google.com", "github.com"],
  "port": 443,
  "timeoutSeconds": 15,
  "checkCipherSuites": false,
  "verifyHostname": true
}

| Field | Type | Default | Description |
|---|---|---|---|
| domains | string[] | | Domains to inspect. Accepts example.com, example.com:8443, or https://example.com/path. |
| port | integer | 443 | Default TLS port when not specified per-domain. |
| timeoutSeconds | integer | 15 | Per-connection handshake timeout. |
| checkCipherSuites | boolean | false | Enumerate supported cipher suites (slower). |
| verifyHostname | boolean | true | Whether the leaf cert must match the requested hostname. |

Output

One record per domain. Example (trimmed) for apple.com:

{
  "domain": "apple.com",
  "port": 443,
  "success": true,
  "certificate_count": 3,
  "certificates": [
    {
      "subject": "CN=www.apple.com,O=Apple Inc.,L=Cupertino,ST=California,C=US",
      "subject_cn": "www.apple.com",
      "subject_alt_names": ["www.apple.com", "apple.com", "store.apple.com"],
      "issuer": "CN=Apple Public EV Server ECC CA 1 - G1,O=Apple Inc.,C=US",
      "issuer_cn": "Apple Public EV Server ECC CA 1 - G1",
      "serial_number": "18446744073709551615",
      "signature_algorithm": "ECDSA-SHA384",
      "public_key_algorithm": "ECDSA",
      "public_key_bits": 256,
      "not_before": "2025-11-12T00:00:00Z",
      "not_after": "2026-12-10T23:59:59Z",
      "is_ca": false,
      "key_usage": ["DigitalSignature"],
      "ext_key_usage": ["ServerAuth", "ClientAuth"],
      "ocsp_urls": ["http://ocsp.apple.com/ev1"],
      "crl_urls": ["http://crl.apple.com/apevsecc1g1.crl"],
      "issuing_urls": ["http://certs.apple.com/apevsecc1g1.der"]
    }
  ],
  "common_name": "www.apple.com",
  "issued_to": "Apple Inc.",
  "issued_by": "Apple Inc.",
  "valid_from": "2025-11-12T00:00:00Z",
  "valid_to": "2026-12-10T23:59:59Z",
  "days_until_expiry": 247,
  "is_expired": false,
  "is_self_signed": false,
  "chain_valid": true,
  "matches_hostname": true,
  "san_count": 12,
  "tls_version": "TLS 1.3",
  "cipher_suite": "TLS_AES_256_GCM_SHA384",
  "cipher_strength": "strong",
  "supports_tls_1_3": true,
  "supports_tls_1_2": true,
  "supports_tls_1_1": false,
  "supports_tls_1_0": false,
  "security_score": 100,
  "security_issues": [],
  "inspected_at": "2026-04-07T10:00:00Z"
}

Security issues flagged

| Code | Meaning |
|---|---|
| expired | Certificate is past its not_after date (or not yet valid). |
| expiring_soon | Fewer than 30 days remain. |
| self_signed | Single-cert chain where subject equals issuer. |
| hostname_mismatch | Leaf cert does not cover the requested host. |
| deprecated_tls | Server accepts TLS 1.0 or TLS 1.1. |
| weak_cipher | Negotiated cipher is in the insecure category (RC4, 3DES, non-FS RSA kx). |
| short_key | RSA key smaller than 2048 bits. |
| sha1_signature | Leaf cert is signed with SHA-1 or MD5. |
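
An added example, not part of the actor or its documentation: it recomputes the issue codes from a record's raw fields using the rules in the table above and reports any that the record's security_issues list omits. The leaf-first ordering of certificates, "weak" as the value for the insecure cipher category, the signature-name matching, and the sample record are assumptions.

```python
# Added example: re-derive the issue codes of one output record from its raw fields.
EXPIRY_WARN_DAYS = 30   # "expiring_soon" row of the table
RSA_MIN_BITS = 2048     # "short_key" row of the table

def derive_issues(record):
    """Return the sorted issue codes implied by the record's raw fields."""
    issues = set()
    certs = record.get("certificates") or [{}]
    leaf = certs[0]  # assumption: the leaf certificate is listed first
    days = record.get("days_until_expiry")
    if record.get("is_expired"):
        issues.add("expired")
    elif days is not None and days < EXPIRY_WARN_DAYS:
        issues.add("expiring_soon")
    if record.get("is_self_signed"):
        issues.add("self_signed")
    if record.get("matches_hostname") is False:
        issues.add("hostname_mismatch")
    if record.get("supports_tls_1_0") or record.get("supports_tls_1_1"):
        issues.add("deprecated_tls")
    if record.get("cipher_strength") == "weak":  # assumption: "weak" marks the insecure category
        issues.add("weak_cipher")
    bits = leaf.get("public_key_bits")
    if leaf.get("public_key_algorithm") == "RSA" and bits is not None and bits < RSA_MIN_BITS:
        issues.add("short_key")
    # Assumption: algorithm names look like "ECDSA-SHA384"; hyphens are dropped before matching.
    sig = str(leaf.get("signature_algorithm", "")).upper().replace("-", "")
    if "SHA1" in sig or "MD5" in sig:
        issues.add("sha1_signature")
    return sorted(issues)

def underreported(record):
    """Issue codes the raw fields imply but security_issues does not list."""
    return sorted(set(derive_issues(record)) - set(record.get("security_issues") or []))

# Constructed sample record (not real scan output).
SAMPLE = {
    "domain": "legacy.example.test", "days_until_expiry": 12, "is_expired": False,
    "is_self_signed": False, "matches_hostname": True, "cipher_strength": "medium",
    "supports_tls_1_1": False, "supports_tls_1_0": True,
    "certificates": [{"signature_algorithm": "SHA1-RSA",
                      "public_key_algorithm": "RSA", "public_key_bits": 1024}],
    "security_issues": ["expiring_soon"],
}

if __name__ == "__main__":
    print(SAMPLE["domain"], derive_issues(SAMPLE), underreported(SAMPLE))
```

A non-empty result from underreported is a reason to review that host by hand instead of trusting the score alone.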

Use cases

  • Certificate expiry monitoring — run on a daily schedule and alert before production sites go down because a cert quietly expired.
  • Security audits — scan your entire external footprint for weak TLS versions, short keys, and outdated signature algorithms.
  • Compliance (PCI DSS, HIPAA, SOC 2) — produce auditable evidence that only modern TLS and strong ciphers are used.
  • Pre-migration checks — validate that a new origin has a matching hostname and valid chain before flipping DNS or a CDN.
  • Competitive intelligence — see which CAs competitors rely on (Let's Encrypt, DigiCert, Sectigo, GoDaddy, Google Trust Services, etc.).
  • M&A due diligence — quickly audit a target company's TLS posture across all their public properties.

Pricing

Pay-per-event:

| Event | Price |
|---|---|
| enrichment-start | $0.001 once per run |
| enrichment-result | $0.001 per domain |

1,000 domains ≈ $1. No per-hour compute charges, no residential proxy costs — TLS handshakes are cheap and fast.