Forensics & Analysis · 1 min read

SSL/TLS Certificate Inspection and Verification

TLS certificates establish trust between browsers and servers. A certificate tells you who the site claims to be, who vouched for that claim, and how long the vouching is valid. Inspecting certificates reveals expired certs, weak keys, missing SANs, and self-signed certificates that browsers should reject.

Try it now

Certificate Decoder

Runs in your browser, nothing leaves your device.

Subject and Subject Alternative Names (SANs) show which domains the cert covers. Issuer shows the Certificate Authority. Validity dates tell you if it's expired or expiring soon. Key algorithm and size matter: RSA below 2048 bits is weak, and SHA-1 signatures are deprecated. Check the full chain from leaf to root CA.

Self-signed certificates on public-facing sites (legitimate for dev, suspicious in production). Certificates issued by unknown CAs. Wildcard certs (*.example.com) covering too broad a scope. Very short validity periods from free CAs can indicate a recently created phishing site. Mismatched SANs where the certificate doesn't cover the domain you're visiting.

Suspicious certificate

Input
Subject: CN=paypa1.com Issuer: Let's Encrypt Valid: 2024-03-10 to 2024-06-08
Result
Typosquatting domain (paypa1 with numeral 1). Short-lived free cert. Likely phishing.

Security context

Let's Encrypt made HTTPS free and universal, which is great for the web but also means phishing sites get valid certificates trivially. HTTPS does not mean safe. Always check what domain the certificate actually covers.

No. HTTPS means the connection is encrypted, not that the site is trustworthy. Phishing sites routinely use valid HTTPS certificates from free providers like Let's Encrypt. HTTPS protects the transport layer but says nothing about the site's intent.

Related techniques

Comparing (/4):

Tool Comparison

Feature
Type
Pricing
Platforms
Description