SSL Certificate Checker

Pricing

Rating

Developer

Actor stats

Categories

Share

🔐 SSL certificate checker for public HTTPS endpoints

SSL Certificate Checker checks public SSL/TLS certificates for domains, full URLs, and host:port endpoints. Add targets such as apify.com, https://expired.badssl.com, or www.cloudflare.com:8443, and get one dataset row per endpoint where certificate, TLS, or HTTPS posture was observed.

Use it for expiry monitoring, security audits, SEO checks, client website reviews, and portfolio health reports. The Actor returns certificate validity, expiry, trust status, hostname match, issuer, subject, serial number, SHA-256 fingerprint, SANs, certificate chain, TLS protocol, cipher, HSTS, HTTPS redirect status, and issue reasons. It does not need cookies, login, source accounts, or a certificate-monitoring API key from you.

For a quick first run, keep the prefilled examples. They include common public HTTPS endpoints plus a non-443 endpoint format so you can inspect a useful dataset right away.

✅ What this SSL certificate checker does

• Checks public HTTPS endpoints in bulk.
• Accepts bare domains, full HTTPS URLs, and explicit host:port values in one input list.
• Normalizes each target to a host and port before checking it.
• Flags certificates that are valid, expired, expiring soon, untrusted, self-signed, hostname-mismatched, or using weak TLS evidence when observed.
• Extracts issuer, subject, validity dates, serial number, SHA-256 fingerprint, SANs, and certificate-chain evidence when the endpoint serves it.
• Records negotiated TLS protocol and cipher data.
• Checks HTTP-to-HTTPS redirect posture and HSTS headers when available.
• Saves one dataset row only when an endpoint produces usable certificate, TLS, or HTTPS posture data.

The Actor is focused on practical SSL certificate monitoring. It does not run a full SSL Labs-style vulnerability scan, enumerate every supported cipher suite, guarantee OCSP or CRL checks, scan private networks, or keep a long-running alerting daemon outside normal Apify schedules, webhooks, and integrations.

📊 Data you get

Each dataset row represents one observed public endpoint result. Rows can include:

You can export the dataset as JSON, CSV, Excel, XML, RSS, or HTML, or use the same results through the Apify API, schedules, webhooks, and integrations.

🚀 How to run it

1. Open the Actor input.
2. Add public HTTPS endpoints in Public HTTPS endpoints.
3. Keep Renewal warning threshold at 30 days, or set your own renewal window.
4. Start the Actor.
5. Open the dataset and filter by isValid, isExpiringSoon, daysUntilExpiry, isTrusted, hostnameMatches, or issues.

Use domains when you only need the default HTTPS port. Use full URLs when your source list already contains URLs. Use host:port when you need to check a non-443 HTTPS service.

🧾 Input example

{
"targets":[
"apify.com",
"google.com",
"github.com",
"www.cloudflare.com:8443"
],
"warningThresholdDays":30
}

Public HTTPS endpoints is the only required input. The renewal warning threshold controls when isExpiringSoon becomes true; it does not change the certificate itself.

📤 Output example

{
"target":"https://api.example.com:8443/health",
"host":"api.example.com",
"port":8443,
"isValid":true,
"isExpiringSoon":false,
"daysUntilExpiry":74,
"validFrom":"2025-08-03T00:00:00.000Z",
"validTo":"2026-08-31T23:59:59.000Z",
"hostnameMatches":true,
"isTrusted":true,
"tlsProtocol":"TLSv1.3",
"cipher":"TLS_AES_128_GCM_SHA256",
"issuer":{
"commonName":"Amazon RSA 2048 M02",
"organization":"Amazon",
"country":"US"
},
"subject":{
"commonName":"*.example.com",
"organization":null,
"country":null
},
"serialNumber":"0A1B2C3D4E5F67890123456789ABCDEF",
"fingerprintSha256":"12:34:56:78:90:AB:CD:EF:12:34:56:78:90:AB:CD:EF:12:34:56:78:90:AB:CD:EF:12:34:56:78:90:AB:CD:EF",
"subjectAlternativeNames":["*.example.com","example.com"],
"certificateChain":[
{
"subjectCommonName":"Amazon RSA 2048 M02",
"issuerCommonName":"Amazon Root CA 1",
"validFrom":"2022-08-23T22:21:28.000Z",
"validTo":"2030-08-23T22:21:28.000Z",
"fingerprintSha256":"AB:CD:EF:12:34:56:78:90:AB:CD:EF:12:34:56:78:90:AB:CD:EF:12:34:56:78:90:AB:CD:EF:12:34:56:78:90"
}
],
"httpRedirectsToHttps":true,
"hsts":{
"enabled":true,
"maxAgeSeconds":31536000,
"includeSubdomains":true,
"preload":false
},
"issues":[]
}

When an endpoint serves an expired, self-signed, untrusted, or hostname-mismatched certificate, the Actor still saves a row because that is useful observed certificate data. DNS failures, timeouts, unreachable hosts, unsupported private/internal targets, and missing TLS handshakes are logged and skipped instead of being saved as partial dataset rows.

💳 Pricing

This Actor uses pay-per-event pricing. You are charged for each checked endpoint result that is saved to the dataset. The local pricing artifact is set to $0.00005 per checked endpoint, or $0.05 per 1,000 observed endpoint results.

Runs with targets that cannot produce usable certificate, TLS, or HTTPS posture data do not save a result row for those targets.

💡 Common use cases

• Monitor certificate expiry across client, product, staging, and non-443 HTTPS services.
• Find expired, self-signed, untrusted, or hostname-mismatched certificates before they break user journeys.
• Export certificate evidence for audits, renewals, vendor reviews, SEO checks, or compliance tickets.
• Check HSTS and HTTP-to-HTTPS redirect posture next to certificate health.
• Schedule recurring runs in Apify and send results to webhooks, Google Sheets, BI tools, or your own API workflow.

⚠️ Limits and caveats

The Actor checks public internet endpoints. It is not designed for private intranet scanning or endpoints that require your own internal network access.

isValid is based on observed certificate trust, hostname match, and expiry. A valid certificate does not mean the whole website is secure. This Actor does not replace a full vulnerability scanner, penetration test, SSL Labs report, or certificate authority audit.

HSTS and redirect fields can be null when the posture check cannot be observed for that endpoint. Certificate-chain detail depends on what the server sends during the TLS handshake.

❓ FAQ

Can I check non-443 HTTPS ports?

Yes. Use host:port, such as www.cloudflare.com:8443, or a full HTTPS URL with a port.

Does the Actor check URLs or only domains?

It accepts both. Full URLs are normalized to the HTTPS host and port for the certificate check. The original target is kept in the output so you can join results back to your input list.

Are bad certificates saved as rows?

Yes, when the endpoint serves certificate or TLS data. Expired, self-signed, untrusted, and hostname-mismatched certificates are useful observed results and are saved with issues.

Do I need cookies, login, or an API key?

No. The Actor checks public SSL/TLS endpoints and does not ask for source credentials.

📝 Changelog

• 0.1: Initial release.

🆘 Support

For issues, questions, or feature requests, file a ticket and I'll fix or implement it in less than 24h 🫡

🔗 Other actors

• Email MX Verifier ↗ - Check email syntax, MX records, disposable domains, and delivery risk.
• Sitemap Sniffer ↗ - Find sitemap files, sitemap indexes, and URL inventory data for SEO audits.
• Website URL Crawler ↗ - Crawl public websites and export discovered links with source-page context.
• Webpage Text Extractor ↗ - Extract clean text, article text, or Markdown from public web pages.
• Font Detector ↗ - Detect Google Fonts, Adobe Fonts, custom fonts, and CSS font evidence on public pages.

Made with ❤️ by Maxime Dupré