VOOZH about

URL: https://apify.com/santamaria-automations/ssl-certificate-inspector

โ‡ฑ SSL Certificate Inspector - TLS Audit & Expiry Monitor ยท Apify

๐Ÿ‘ SSL Certificate Inspector - TLS Audit & Expiry Monitor avatar

SSL Certificate Inspector - TLS Audit & Expiry Monitor

Pricing

from $1.00 / 1,000 certificate inspecteds

Go to Apify Store

SSL Certificate Inspector - TLS Audit & Expiry Monitor

Inspect SSL/TLS certificates for any domain: chain validation, expiry dates, cipher suites, TLS versions, subject alt names, issuer details, and security scoring. Export data, run via API, schedule and monitor runs, or integrate with other tools.

Pricing

from $1.00 / 1,000 certificate inspecteds

Rating

0.0

(0)

Developer

๐Ÿ‘ Ale

Ale

Maintained by Community

Actor stats

0

Bookmarked

2

Total users

1

Monthly active users

2 months ago

Last modified

Share

Monitor SSL certificates at scale โ€” expiry tracking, cipher auditing, chain validation.

Inspect SSL/TLS certificates for any domain and get the full picture: certificate chain, expiry dates, cipher suites, supported TLS versions, subject alt names, issuer details, and a 0-100 security score. Fast enough to audit thousands of hosts in minutes.

Features

  • Full certificate chain โ€” leaf + every intermediate cert with subject, issuer, SANs, serial, signature algorithm, key algorithm, key size, OCSP/CRL/issuing URLs
  • Chain validation โ€” validates against trusted system root certificates
  • Expiry tracking โ€” days_until_expiry, is_expired, valid_from, valid_to
  • TLS version detection โ€” probes TLS 1.0, 1.1, 1.2, 1.3 independently and flags deprecated versions
  • Cipher suite audit โ€” negotiated cipher name and strength classification (strong / medium / weak)
  • Hostname verification โ€” confirms the leaf cert matches the requested host
  • Self-signed detection โ€” flags one-off certificates that won't pass real validators
  • Security scoring โ€” weighted 0-100 score plus a list of machine-readable issues (expired, expiring_soon, weak_cipher, deprecated_tls, self_signed, hostname_mismatch, short_key, sha1_signature)
  • Flexible targets โ€” accepts bare domains, host:port, or full URLs
  • Custom ports โ€” works for HTTPS (443), SMTPS (465), IMAPS (993), POP3S (995), or any custom TLS port

Use with AI Agents (MCP)

Connect this actor to any MCP-compatible AI client โ€” Claude Desktop, Claude.ai, Cursor, VS Code, LangChain, LlamaIndex, or custom agents.

Apify MCP server URL:

https://mcp.apify.com?tools=santamaria-automations/ssl-certificate-inspector

Example prompt once connected:

"Use ssl-certificate-inspector to process data with ssl certificate inspector. Return results as a table."

Clients that support dynamic tool discovery (Claude.ai, VS Code) will receive the full input schema automatically via add-actor.

Input

{
"domains":["apple.com","google.com","github.com"],
"port":443,
"timeoutSeconds":15,
"checkCipherSuites":false,
"verifyHostname":true
}
FieldTypeDefaultDescription
domainsstring[]โ€”Domains to inspect. Accepts example.com, example.com:8443, or https://example.com/path.
portinteger443Default TLS port when not specified per-domain.
timeoutSecondsinteger15Per-connection handshake timeout.
checkCipherSuitesbooleanfalseEnumerate supported cipher suites (slower).
verifyHostnamebooleantrueWhether the leaf cert must match the requested hostname.

Output

One record per domain. Example (trimmed) for apple.com:

{
"domain":"apple.com",
"port":443,
"success":true,
"certificate_count":3,
"certificates":[
{
"subject":"CN=www.apple.com,O=Apple Inc.,L=Cupertino,ST=California,C=US",
"subject_cn":"www.apple.com",
"subject_alt_names":["www.apple.com","apple.com","store.apple.com"],
"issuer":"CN=Apple Public EV Server ECC CA 1 - G1,O=Apple Inc.,C=US",
"issuer_cn":"Apple Public EV Server ECC CA 1 - G1",
"serial_number":"18446744073709551615",
"signature_algorithm":"ECDSA-SHA384",
"public_key_algorithm":"ECDSA",
"public_key_bits":256,
"not_before":"2025-11-12T00:00:00Z",
"not_after":"2026-12-10T23:59:59Z",
"is_ca":false,
"key_usage":["DigitalSignature"],
"ext_key_usage":["ServerAuth","ClientAuth"],
"ocsp_urls":["http://ocsp.apple.com/ev1"],
"crl_urls":["http://crl.apple.com/apevsecc1g1.crl"],
"issuing_urls":["http://certs.apple.com/apevsecc1g1.der"]
}
],
"common_name":"www.apple.com",
"issued_to":"Apple Inc.",
"issued_by":"Apple Inc.",
"valid_from":"2025-11-12T00:00:00Z",
"valid_to":"2026-12-10T23:59:59Z",
"days_until_expiry":247,
"is_expired":false,
"is_self_signed":false,
"chain_valid":true,
"matches_hostname":true,
"san_count":12,
"tls_version":"TLS 1.3",
"cipher_suite":"TLS_AES_256_GCM_SHA384",
"cipher_strength":"strong",
"supports_tls_1_3":true,
"supports_tls_1_2":true,
"supports_tls_1_1":false,
"supports_tls_1_0":false,
"security_score":100,
"security_issues":[],
"inspected_at":"2026-04-07T10:00:00Z"
}

Security issues flagged

CodeMeaning
expiredCertificate is past its not_after date (or not yet valid).
expiring_soonFewer than 30 days remain.
self_signedSingle-cert chain where subject equals issuer.
hostname_mismatchLeaf cert does not cover the requested host.
deprecated_tlsServer accepts TLS 1.0 or TLS 1.1.
weak_cipherNegotiated cipher is in the insecure category (RC4, 3DES, non-FS RSA kx).
short_keyRSA key smaller than 2048 bits.
sha1_signatureLeaf cert is signed with SHA-1 or MD5.

Use cases

  • Certificate expiry monitoring โ€” run on a daily schedule and alert before production sites go down because a cert quietly expired.
  • Security audits โ€” scan your entire external footprint for weak TLS versions, short keys, and outdated signature algorithms.
  • Compliance (PCI DSS, HIPAA, SOC 2) โ€” produce auditable evidence that only modern TLS and strong ciphers are used.
  • Pre-migration checks โ€” validate that a new origin has a matching hostname and valid chain before flipping DNS or a CDN.
  • Competitive intelligence โ€” see which CAs competitors rely on (Let's Encrypt, DigiCert, Sectigo, GoDaddy, Google Trust Services, etc.).
  • M&A due diligence โ€” quickly audit a target company's TLS posture across all their public properties.

Pricing

Pay-per-event:

EventPrice
enrichment-start$0.001 once per run
enrichment-result$0.001 per domain

1,000 domains โ‰ˆ $1. No per-hour compute charges, no residential proxy costs โ€” TLS handshakes are cheap and fast.

Related Actors

You might also like

SSL Certificate Checker

automation-lab/ssl-certificate-checker

SSL Certificate Checker connects to domains over TLS and inspects their SSL certificates. It returns structured data about certificate validity, expiry, issuer chain, TLS protocol version, cipher suite, and a security grade from A+ to F.

๐Ÿ‘ User avatar

Stas Persiianenko

15

SSL Certificate Monitor โ€” Bulk Expiry & Chain Checker

accurate_pouch/ssl-monitor

Monitor SSL/TLS certificates in bulk. Expiry dates, issuer, protocol version, key size, certificate chain, SAN list. Webhook alerts for expiring certs. 5 domains free.

๐Ÿ‘ User avatar

Manchitt Sanan

2

SSL Certificate Expiry Monitor

andok/ssl-certificate-monitor

Monitor SSL/TLS certificate validity and expiration dates across thousands of domains to prevent costly outages.

๐Ÿ”’ SSL Certificate Checker โ€” Bulk Expiry Monitor

nexgendata/ssl-certificate-checker

Bulk SSL certificate monitoring โ€” expiry dates, issuers, chain validation and TLS config across all your domains. Qualys SSL Labs, Nagios & Datadog alternative for agencies and SecOps teams. Alerts before certs expire. Pay per check.

Domain WHOIS & SSL Inspector

seemuapps/domain-whois-ssl-inspector

Look up registration, age, expiry, registrar, and name servers for any domain via RDAP, plus live SSL certificate details issuer, validity, and days until expiry one row per domain.

SSL/TLS Certificate Scraper

taroyamada/ssl-certificate-monitor

Scan thousands of websites for expiring TLS certs, extract fingerprint hashes, and run Google Web Risk malware checks without rendering a browser.