Domain & Port to audit
Quick:
Check Expiry & Dates
Returns notBefore / notAfter — should be >30 days out
Verify Certificate Chain
Full chain: leaf → intermediate → root CA
Subject & SANs
Verify domain name match and Subject Alternative Names
Protocol & Cipher Test
Confirm TLS 1.2+ and reject legacy protocols
OCSP Revocation Check
Verify certificate has not been revoked
Connectivity Troubleshooting
Basic checks when HTTPS connection fails
TLS 1.3 & HSTS Check
Confirm modern TLS and HTTP Strict Transport Security header
Certificate Transparency & crt.sh
Search public CT logs for all issued certs for this domain
⚠️ Common SSL Issues
- Expired cert — renew immediately
- Incomplete chain — missing intermediate
- Name mismatch — cert ≠ domain
- Self-signed — not trusted by browsers
- Weak TLS — old 1.0/1.1 or weak ciphers
- Revoked cert — check OCSP status
✅ Best Practices
- Use Let's Encrypt + certbot auto-renewal
- Monitor expiry 30 days before deadline
- Enable OCSP stapling in web server
- Enforce TLS 1.2+, disable 1.0/1.1
- Include all intermediate certs
- Keep backup certificates ready