SSL/TLS Certificate Checker
Check certificate validity, protocol versions, cipher suites, and known TLS vulnerabilities (BEAST, POODLE, ROBOT, Heartbleed). Powered by testssl.sh.
- ✓Certificate chain, expiry, hostname mismatch, self-signed flags
- ✓Protocol support — TLS 1.0/1.1 (insecure), TLS 1.2, TLS 1.3
- ✓Cipher suites — weak, export, NULL, anonymous
- ✓Known CVEs — Heartbleed, ROBOT, BEAST, POODLE, BREACH, LUCKY13, FREAK
- ✓Forward secrecy, OCSP stapling, session resumption hygiene
About this check
TLS configuration drift is one of the easiest ways for a site to fall out of compliance without anyone noticing. The certificate renews, the server config stays untouched for two years, and meanwhile new CVEs land, browsers deprecate TLS 1.0 and 1.1, and your cipher list still contains RC4. Our checker runs the same testssl.sh probe the security community uses to audit every aspect of your TLS deployment.
We check the certificate basics first — is it valid for the domain, who issued it, when does it expire, is the chain complete. Then the configuration: which TLS protocol versions are accepted, which cipher suites are offered, whether forward secrecy is enabled (the difference between a single key compromise leaking all past sessions vs. just one), whether OCSP stapling is configured (faster connection setup + privacy), and whether the server is vulnerable to known attacks like Heartbleed (CVE-2014-0160 — still found on legacy hosts), ROBOT (RSA padding oracle), BEAST (TLS 1.0 CBC issue) and POODLE (SSLv3 padding oracle).
Quick fixes that move the needle: disable TLS 1.0 and TLS 1.1 entirely (most browsers refuse them already), prefer TLS 1.3 if your server supports it, restrict cipher suites to a Mozilla 'intermediate' or 'modern' profile (Mozilla publishes config generators for nginx, Apache, HAProxy and others), enable OCSP stapling, and disable TLS compression (BREACH/CRIME mitigation). If you're on Cloudflare, Vercel, or another managed edge, most of this is handled — but verify, don't assume.
Cert expiry is the boring one that takes everyone down. Set up monitoring that alerts you 30 days out (not 1 day). SteelSuit's full continuous monitoring schedules this for you and pings webhook/email/Slack when anything changes between scans — including expiry drift and unexpected cipher reconfigs.
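The 30-day expiry alert described above, as an added example (not SteelSuit's or testssl.sh's code). It uses only Python's standard `ssl` module; the function names, status labels and sample dates are assumptions made for this example.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

WARN_DAYS = 30  # alert window recommended in the text above


def expiry_status(not_after, now, warn_days=WARN_DAYS):
    """Classify a notAfter string (ssl.getpeercert() format) against `now`."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    days_left = (expires - now).days  # floors, so a cert expired 1 hour ago gives -1
    if expires <= now:
        return "EXPIRED", days_left
    if days_left <= warn_days:
        return "WARN", days_left
    return "OK", days_left


def check_host(host, port=443, timeout=5.0):
    """Do a fully verified handshake and classify the leaf certificate."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert, proto = tls.getpeercert(), tls.version()
    except ssl.SSLCertVerificationError as exc:
        # Expired, self-signed, incomplete chain or hostname mismatch: the
        # handshake aborts, so report the verifier's reason instead of a date.
        return "INVALID", exc.verify_message
    except OSError as exc:  # DNS failure, refused connection, timeout, other TLS errors
        return "UNREACHABLE", str(exc)
    status, days_left = expiry_status(cert["notAfter"], datetime.now(timezone.utc))
    return status, f"{days_left} days left, negotiated {proto}"


if __name__ == "__main__":
    # Constructed sample dates so the script shows output offline.
    fixed_now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    for sample in ("Jun  1 12:00:00 2024 GMT", "Jan 21 00:00:00 2024 GMT",
                   "Dec 31 23:00:00 2023 GMT"):
        print(sample, expiry_status(sample, fixed_now))
    # Hosts given on the command line are checked live.
    for name in sys.argv[1:]:
        print(name, *check_host(name))
```

Run it from cron or CI with your hostnames as arguments and alert on any status other than `OK`.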