# SSL Certificate Inspector - TLS Audit & Expiry Monitor (`santamaria-automations/ssl-certificate-inspector`) Actor Inspect SSL/TLS certificates for any domain: chain validation, expiry dates, cipher suites, TLS versions, subject alt names, issuer details, and security scoring. Export data, run via API, schedule and monitor runs, or integrate with other tools. - **URL**: https://apify.com/santamaria-automations/ssl-certificate-inspector.md - **Developed by:** [Alessandro Santamaria](https://apify.com/santamaria-automations) (community) - **Categories:** Developer tools, Lead generation, Automation - **Stats:** 2 total users, 1 monthly users, 100.0% runs succeeded, NaN bookmarks - **User rating**: No ratings yet ## Pricing from $1.00 / 1,000 certificate inspecteds This Actor is paid per event. You are not charged for the Apify platform usage, but only a fixed price for specific events. Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event ## What's an Apify Actor? Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases. In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours, and optionally produces a well-defined JSON output, datasets with results, or files in key-value store. In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server. Actors are written with capital "A". ## How to integrate an Actor? If asked about integration, you help developers integrate Actors into their projects. You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready. The best way to integrate Actors is as follows. In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md): ```bash npm install apify-client ``` In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md): ```bash pip install apify-client ``` In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md): ````bash # MacOS / Linux curl -fsSL https://apify.com/install-cli.sh | bash # Windows irm https://apify.com/install-cli.ps1 | iex ```bash In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md). If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md). For usage examples, see the [API](#api) section below. For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt). # README ## SSL Certificate Inspector - TLS Audit & Expiry Monitor **Monitor SSL certificates at scale — expiry tracking, cipher auditing, chain validation.** Inspect SSL/TLS certificates for any domain and get the full picture: certificate chain, expiry dates, cipher suites, supported TLS versions, subject alt names, issuer details, and a 0-100 security score. Fast enough to audit thousands of hosts in minutes. ### Features - **Full certificate chain** — leaf + every intermediate cert with subject, issuer, SANs, serial, signature algorithm, key algorithm, key size, OCSP/CRL/issuing URLs - **Chain validation** — validates against trusted system root certificates - **Expiry tracking** — `days_until_expiry`, `is_expired`, `valid_from`, `valid_to` - **TLS version detection** — probes TLS 1.0, 1.1, 1.2, 1.3 independently and flags deprecated versions - **Cipher suite audit** — negotiated cipher name and strength classification (strong / medium / weak) - **Hostname verification** — confirms the leaf cert matches the requested host - **Self-signed detection** — flags one-off certificates that won't pass real validators - **Security scoring** — weighted 0-100 score plus a list of machine-readable issues (`expired`, `expiring_soon`, `weak_cipher`, `deprecated_tls`, `self_signed`, `hostname_mismatch`, `short_key`, `sha1_signature`) - **Flexible targets** — accepts bare domains, host:port, or full URLs - **Custom ports** — works for HTTPS (443), SMTPS (465), IMAPS (993), POP3S (995), or any custom TLS port ### Use with AI Agents (MCP) Connect this actor to any MCP-compatible AI client — Claude Desktop, Claude.ai, Cursor, VS Code, LangChain, LlamaIndex, or custom agents. **Apify MCP server URL:** ```` https://mcp.apify.com?tools=santamaria-automations/ssl-certificate-inspector ```` **Example prompt once connected:** > "Use `ssl-certificate-inspector` to process data with ssl certificate inspector. Return results as a table." Clients that support dynamic tool discovery (Claude.ai, VS Code) will receive the full input schema automatically via `add-actor`. ### Input ```json { "domains": ["apple.com", "google.com", "github.com"], "port": 443, "timeoutSeconds": 15, "checkCipherSuites": false, "verifyHostname": true } ```` | Field | Type | Default | Description | | --- | --- | --- | --- | | `domains` | string\[] | — | Domains to inspect. Accepts `example.com`, `example.com:8443`, or `https://example.com/path`. | | `port` | integer | `443` | Default TLS port when not specified per-domain. | | `timeoutSeconds` | integer | `15` | Per-connection handshake timeout. | | `checkCipherSuites` | boolean | `false` | Enumerate supported cipher suites (slower). | | `verifyHostname` | boolean | `true` | Whether the leaf cert must match the requested hostname. | ### Output One record per domain. Example (trimmed) for `apple.com`: ```json { "domain": "apple.com", "port": 443, "success": true, "certificate_count": 3, "certificates": [ { "subject": "CN=www.apple.com,O=Apple Inc.,L=Cupertino,ST=California,C=US", "subject_cn": "www.apple.com", "subject_alt_names": ["www.apple.com", "apple.com", "store.apple.com"], "issuer": "CN=Apple Public EV Server ECC CA 1 - G1,O=Apple Inc.,C=US", "issuer_cn": "Apple Public EV Server ECC CA 1 - G1", "serial_number": "18446744073709551615", "signature_algorithm": "ECDSA-SHA384", "public_key_algorithm": "ECDSA", "public_key_bits": 256, "not_before": "2025-11-12T00:00:00Z", "not_after": "2026-12-10T23:59:59Z", "is_ca": false, "key_usage": ["DigitalSignature"], "ext_key_usage": ["ServerAuth", "ClientAuth"], "ocsp_urls": ["http://ocsp.apple.com/ev1"], "crl_urls": ["http://crl.apple.com/apevsecc1g1.crl"], "issuing_urls": ["http://certs.apple.com/apevsecc1g1.der"] } ], "common_name": "www.apple.com", "issued_to": "Apple Inc.", "issued_by": "Apple Inc.", "valid_from": "2025-11-12T00:00:00Z", "valid_to": "2026-12-10T23:59:59Z", "days_until_expiry": 247, "is_expired": false, "is_self_signed": false, "chain_valid": true, "matches_hostname": true, "san_count": 12, "tls_version": "TLS 1.3", "cipher_suite": "TLS_AES_256_GCM_SHA384", "cipher_strength": "strong", "supports_tls_1_3": true, "supports_tls_1_2": true, "supports_tls_1_1": false, "supports_tls_1_0": false, "security_score": 100, "security_issues": [], "inspected_at": "2026-04-07T10:00:00Z" } ``` #### Security issues flagged | Code | Meaning | | --- | --- | | `expired` | Certificate is past its `not_after` date (or not yet valid). | | `expiring_soon` | Fewer than 30 days remain. | | `self_signed` | Single-cert chain where subject equals issuer. | | `hostname_mismatch` | Leaf cert does not cover the requested host. | | `deprecated_tls` | Server accepts TLS 1.0 or TLS 1.1. | | `weak_cipher` | Negotiated cipher is in the insecure category (RC4, 3DES, non-FS RSA kx). | | `short_key` | RSA key smaller than 2048 bits. | | `sha1_signature` | Leaf cert is signed with SHA-1 or MD5. | ### Use cases - **Certificate expiry monitoring** — run on a daily schedule and alert before production sites go down because a cert quietly expired. - **Security audits** — scan your entire external footprint for weak TLS versions, short keys, and outdated signature algorithms. - **Compliance (PCI DSS, HIPAA, SOC 2)** — produce auditable evidence that only modern TLS and strong ciphers are used. - **Pre-migration checks** — validate that a new origin has a matching hostname and valid chain before flipping DNS or a CDN. - **Competitive intelligence** — see which CAs competitors rely on (Let's Encrypt, DigiCert, Sectigo, GoDaddy, Google Trust Services, etc.). - **M\&A due diligence** — quickly audit a target company's TLS posture across all their public properties. ### Pricing Pay-per-event: | Event | Price | | --- | --- | | `enrichment-start` | $0.001 once per run | | `enrichment-result` | $0.001 per domain | **1,000 domains ≈ $1.** No per-hour compute charges, no residential proxy costs — TLS handshakes are cheap and fast. ### Related Actors - [Domain WHOIS & DNS](https://apify.com/santamaria-automations/domain-whois-dns) — WHOIS, DNS records, SPF/DMARC/DKIM, email provider detection - [Website Tech Stack Detector](https://apify.com/santamaria-automations/website-tech-detector) — framework, CMS, analytics, and hosting fingerprinting - [SEO Metadata Extractor](https://apify.com/santamaria-automations/seo-metadata-extractor) — titles, descriptions, OpenGraph, Twitter cards, structured data - [IP Geolocation](https://apify.com/santamaria-automations/ip-geolocation) — country, region, ASN, ISP, and threat-intel lookups # Actor input Schema ## `domains` (type: `array`): List of domains to inspect. Accepts bare domains (example.com), host:port (example.com:8443), or URLs (https://example.com/path). Everything is normalized automatically. ## `port` (type: `integer`): Default port to connect to when a domain does not include one. 443 for HTTPS, 465 for SMTPS, 993 for IMAPS, 995 for POP3S. ## `timeoutSeconds` (type: `integer`): Per-connection timeout for TLS handshakes. ## `checkCipherSuites` (type: `boolean`): Probe which cipher suites the server accepts. Slower — only enable when auditing cipher posture. ## `verifyHostname` (type: `boolean`): Whether the leaf certificate must match the requested hostname. Disable to inspect certs on hosts served under a different name (e.g. IPs or CDNs). ## Actor input object example ```json { "domains": [ "apple.com", "google.com", "github.com" ], "port": 443, "timeoutSeconds": 15, "checkCipherSuites": false, "verifyHostname": true } ``` # Actor output Schema ## `domains` (type: `string`): Dataset containing certificate chain, TLS details, and security scoring per domain # API You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup. ## JavaScript example ```javascript import { ApifyClient } from 'apify-client'; // Initialize the ApifyClient with your Apify API token // Replace the '' with your token const client = new ApifyClient({ token: '', }); // Prepare Actor input const input = { "domains": [ "apple.com", "google.com", "github.com" ] }; // Run the Actor and wait for it to finish const run = await client.actor("santamaria-automations/ssl-certificate-inspector").call(input); // Fetch and print Actor results from the run's dataset (if any) console.log('Results from dataset'); console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`); const { items } = await client.dataset(run.defaultDatasetId).listItems(); items.forEach((item) => { console.dir(item); }); // 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs ``` ## Python example ```python from apify_client import ApifyClient # Initialize the ApifyClient with your Apify API token # Replace '' with your token. client = ApifyClient("") # Prepare the Actor input run_input = { "domains": [ "apple.com", "google.com", "github.com", ] } # Run the Actor and wait for it to finish run = client.actor("santamaria-automations/ssl-certificate-inspector").call(run_input=run_input) # Fetch and print Actor results from the run's dataset (if there are any) print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"]) for item in client.dataset(run["defaultDatasetId"]).iterate_items(): print(item) # 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start ``` ## CLI example ```bash echo '{ "domains": [ "apple.com", "google.com", "github.com" ] }' | apify call santamaria-automations/ssl-certificate-inspector --silent --output-dataset ``` ## MCP server setup ```json { "mcpServers": { "apify": { "command": "npx", "args": [ "mcp-remote", "https://mcp.apify.com/?tools=santamaria-automations/ssl-certificate-inspector", "--header", "Authorization: Bearer " ] } } } ``` ## OpenAPI specification ```json { "openapi": "3.0.1", "info": { "title": "SSL Certificate Inspector - TLS Audit & Expiry Monitor", "description": "Inspect SSL/TLS certificates for any domain: chain validation, expiry dates, cipher suites, TLS versions, subject alt names, issuer details, and security scoring. Export data, run via API, schedule and monitor runs, or integrate with other tools.", "version": "1.0", "x-build-id": "3dZDVkmFNoMB6sUb5" }, "servers": [ { "url": "https://api.apify.com/v2" } ], "paths": { "/acts/santamaria-automations~ssl-certificate-inspector/run-sync-get-dataset-items": { "post": { "operationId": "run-sync-get-dataset-items-santamaria-automations-ssl-certificate-inspector", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } }, "/acts/santamaria-automations~ssl-certificate-inspector/runs": { "post": { "operationId": "runs-sync-santamaria-automations-ssl-certificate-inspector", "x-openai-isConsequential": false, "summary": "Executes an Actor and returns information about the initiated run in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/runsResponseSchema" } } } } } } }, "/acts/santamaria-automations~ssl-certificate-inspector/run-sync": { "post": { "operationId": "run-sync-santamaria-automations-ssl-certificate-inspector", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } } }, "components": { "schemas": { "inputSchema": { "type": "object", "required": [ "domains" ], "properties": { "domains": { "title": "Domains", "type": "array", "description": "List of domains to inspect. Accepts bare domains (example.com), host:port (example.com:8443), or URLs (https://example.com/path). Everything is normalized automatically.", "items": { "type": "string" } }, "port": { "title": "Default TLS port", "minimum": 1, "maximum": 65535, "type": "integer", "description": "Default port to connect to when a domain does not include one. 443 for HTTPS, 465 for SMTPS, 993 for IMAPS, 995 for POP3S.", "default": 443 }, "timeoutSeconds": { "title": "Timeout (seconds)", "minimum": 1, "maximum": 120, "type": "integer", "description": "Per-connection timeout for TLS handshakes.", "default": 15 }, "checkCipherSuites": { "title": "Enumerate cipher suites", "type": "boolean", "description": "Probe which cipher suites the server accepts. Slower — only enable when auditing cipher posture.", "default": false }, "verifyHostname": { "title": "Verify hostname", "type": "boolean", "description": "Whether the leaf certificate must match the requested hostname. Disable to inspect certs on hosts served under a different name (e.g. IPs or CDNs).", "default": true } } }, "runsResponseSchema": { "type": "object", "properties": { "data": { "type": "object", "properties": { "id": { "type": "string" }, "actId": { "type": "string" }, "userId": { "type": "string" }, "startedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "finishedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "status": { "type": "string", "example": "READY" }, "meta": { "type": "object", "properties": { "origin": { "type": "string", "example": "API" }, "userAgent": { "type": "string" } } }, "stats": { "type": "object", "properties": { "inputBodyLen": { "type": "integer", "example": 2000 }, "rebootCount": { "type": "integer", "example": 0 }, "restartCount": { "type": "integer", "example": 0 }, "resurrectCount": { "type": "integer", "example": 0 }, "computeUnits": { "type": "integer", "example": 0 } } }, "options": { "type": "object", "properties": { "build": { "type": "string", "example": "latest" }, "timeoutSecs": { "type": "integer", "example": 300 }, "memoryMbytes": { "type": "integer", "example": 1024 }, "diskMbytes": { "type": "integer", "example": 2048 } } }, "buildId": { "type": "string" }, "defaultKeyValueStoreId": { "type": "string" }, "defaultDatasetId": { "type": "string" }, "defaultRequestQueueId": { "type": "string" }, "buildNumber": { "type": "string", "example": "1.0.0" }, "containerUrl": { "type": "string" }, "usage": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "integer", "example": 1 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } }, "usageTotalUsd": { "type": "number", "example": 0.00005 }, "usageUsd": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "number", "example": 0.00005 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } } } } } } } } } ```