ccnames.dev

cnames.dev / tools / ssl checker

SSL Checker

Inspect a domain's certificates from Certificate Transparency logs: issuer, validity, SANs, and wildcard detection.

What this checks

Every certificate issued by a publicly-trusted CA is recorded in Certificate Transparencylogs. This tool queries those logs to show which certificates exist for a domain — who issued them, when they're valid, and which hostnames (SANs) they cover — without needing a live TLS handshake. It's a fast way to answer "does this domain have a valid cert, from whom, and when does it expire?"

Reading the results

Certificates for custom domains at scale

If you run a multi-tenant SaaS, you're issuing a certificate for every customer domain and renewing it before expiry — Let's Encrypt certs last 90 days. Doing that reliably across thousands of domains (HTTP-01 for single domains, DNS-01 for wildcards, without hitting CA rate limits) is real work. cnames.dev automates issuance and renewal so certs never lapse.

Building a SaaS that needs custom domains? cnames.dev automates DNS, SSL, and edge routing — one API call per domain, free for 25 domains. Start free or read the docs.

Frequently asked questions

Where does this data come from?

From public Certificate Transparency (CT) logs via crt.sh. Every certificate a public CA issues is logged to CT, so this shows the certificates that exist for a domain — issuer, validity window, and the names (SANs) they cover.

Does it show the exact cert currently served?

It shows recently issued certificates from CT logs, which usually includes the live one. It does not perform a live TLS handshake, so a very recently issued or privately-issued cert may not appear.

How do I read the expiry?

Each entry shows its validity window and days remaining. Let's Encrypt certificates are valid 90 days and should auto-renew well before expiry; a cert about to expire without a newer one is a red flag.

What does the wildcard flag mean?

It means the certificate covers *.domain — a single cert for all subdomains under a zone, typically issued via the DNS-01 challenge.