SSL certificate inspector. Live from CT logs.
Type a hostname. We query crt.sh for every cert in the public Certificate Transparency logs that matches, then render the most-recent: issuer, subject, full SAN list, not-before / not-after dates, days remaining. No TLS handshake from your IP, no agent install — just public log data.
Apex or sub-domain. Wildcards in CT logs are matched automatically.
Sources used
- crt.sh — Sectigo's public CT log aggregator (JSON output supported)
- RFC 6962 — Certificate Transparency standard
- certificate.transparency.dev — Google's CT documentation hub
No data is sent to Digital Heroes servers. Query goes from your browser to crt.sh.
Six fields. Five practical signals.
Subject CN is the canonical hostname the cert was issued for. Modern certs increasingly omit a meaningful CN and rely entirely on the SAN list, but the CN is still rendered for legacy reasons. If the CN is set to "Let's Encrypt Authority X3" or similar, the cert is using SAN-only addressing — which is normal.
Issuer is the Certificate Authority that signed the cert. Let's Encrypt dominates the free tier (~60% of public-web certs as of 2026). Cloudflare auto-issues for proxied domains. DigiCert and Sectigo dominate paid OV/EV (finance, health, government). The issuer alone tells you a lot about the underlying infrastructure.
Not before / not after bound the validity window. Public CAs are now capped at 398-day validity, and CA/Browser Forum is moving the limit to 47 days by 2029. Auto-renewing infrastructure (Let's Encrypt, Cloudflare, AWS ACM) rotates well inside that window. A cert that renewed three days ago is normal.
Days remaining is the operational signal. Green band (60+ days) means renewal is not yet due. Amber band (1-59 days) on a Let's Encrypt cert is fine — renewal fires at 30. Amber on a manually-managed cert is a calendar reminder. Red (expired) is an active outage; browsers will not connect.
SAN list covers the hostnames the cert is valid for. A wildcard like *.example.com covers any single sub-domain (one level only). If your hostname is not in the SAN list, the browser will throw NET::ERR_CERT_COMMON_NAME_INVALID. The most common cause is a stale cert issued before a new sub-domain was added to the deployment.
CT log id is a cross-reference into the public CT log set. Click through on crt.sh for the full PEM, the OCSP staple data, and the issuance proof — useful in audit / compliance contexts where you need to demonstrate the cert was logged.
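The field logic described above, as an added example (not the tool's own code): it picks the most-recent row, de-duplicates the name list, applies the one-level wildcard rule and assigns the colour band. The sample rows are constructed; it assumes crt.sh's JSON field names (`name_value`, `not_before`, `not_after`, `issuer_name`), that `name_value` is the newline-separated name list, and that timestamps are UTC. The function names are hypothetical.

```javascript
// Added example. SAMPLE_ROWS is constructed; field names follow crt.sh JSON output.
const SAMPLE_ROWS = [
  { id: 1001, issuer_name: "C=US, O=Let's Encrypt, CN=R3", common_name: "example.com",
    name_value: "example.com\nwww.example.com",
    not_before: "2025-01-10T00:00:00", not_after: "2025-04-10T00:00:00" },
  { id: 1002, issuer_name: "C=US, O=Let's Encrypt, CN=R11", common_name: "example.com",
    name_value: "*.example.com\nexample.com\nEXAMPLE.com",
    not_before: "2025-03-12T00:00:00", not_after: "2025-06-10T00:00:00" },
];
const DAY_MS = 24 * 60 * 60 * 1000;
// Assumption: timestamps without a zone suffix are UTC.
const toUtc = (s) => new Date(/Z$/.test(s) ? s : s + "Z");

// Most-recent certificate = the row with the latest not_before.
function latestCert(rows) {
  if (rows.length === 0) return null;
  return rows.reduce((a, b) => (toUtc(b.not_before) > toUtc(a.not_before) ? b : a));
}

// De-duplicated, lower-cased name list from the newline-separated name_value.
function sanList(row) {
  const names = row.name_value.split("\n").map((n) => n.trim().toLowerCase());
  return [...new Set(names.filter(Boolean))].sort();
}

// A wildcard matches exactly one left-most label: *.example.com covers
// api.example.com but neither example.com nor a.b.example.com.
function covers(sans, host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  const dot = h.indexOf(".");
  return sans.some((san) =>
    san.startsWith("*.") ? dot > 0 && h.slice(dot + 1) === san.slice(2) : san === h);
}

// Bands as described on the page: green 60+, amber 1-59, red once expired.
function summarize(rows, host, now = new Date()) {
  const cert = latestCert(rows);
  if (!cert) return null;
  const msLeft = toUtc(cert.not_after) - now;
  const days = Math.floor(msLeft / DAY_MS);
  const band = msLeft <= 0 ? "red" : days >= 60 ? "green" : "amber";
  const sans = sanList(cert);
  return { id: cert.id, issuer: cert.issuer_name, sans, days, band, covered: covers(sans, host) };
}

console.log(summarize(SAMPLE_ROWS, "api.example.com", new Date("2025-05-01T00:00:00Z")));
```

A `covered: false` result for a hostname you are about to launch is the pre-launch signal from Job 1; a `red` band is the outage case.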
Four jobs this tool covers.
Job 1: Pre-launch verification. Before pushing DNS over to a new sub-domain, query crt.sh for the parent host and confirm the SAN list includes the new name. If it doesn't, the auto-issue flow hasn't fired yet — wait for the next deploy or trigger a manual cert renewal in your platform's dashboard.
Job 2: Outage diagnosis. When users report a browser security warning, the cert SAN list and validity window are the first two things to check. The CT log shows what was actually issued; if production is serving an older cert, the gap between the CT entry and the served cert tells you the renewal hasn't propagated. Combine with our DNS Lookup to confirm DNS is pointing at the right edge.
Job 3: Compliance + audit. SOC 2 + ISO 27001 audits often require evidence that production certs are issued by trusted CAs, are in their validity window, and cover all customer-facing hostnames. The CT log entry plus the SAN list — both surfaced here — is sufficient evidence for most audit checklist items.
Job 4: Acquisition / vendor diligence. When evaluating a SaaS vendor or acquisition target, querying their cert tells you whether they are paying for stronger validation (DigiCert OV / EV), running on a free tier (Let's Encrypt), or hidden behind a CDN (Cloudflare-issued). It also tells you their full sub-domain footprint via the SAN list — useful for understanding what services they actually run. Pair with our Subdomain Finder for the full picture.
Six questions users ask.
What are Certificate Transparency logs?
Certificate Transparency (CT) is a Google-led standard from 2013 that requires every publicly-trusted SSL certificate to be logged in append-only public ledgers within seconds of issuance. Major browsers (Chrome since 2018, Safari since 2021) only trust certs with valid CT proof. The crt.sh aggregator indexes every cert across the major logs and lets you query by domain. We surface the most-recent issued cert for the domain you type — that is what's currently presented in the wild.
Why use CT logs instead of a TLS handshake?
A TLS handshake from a browser would require the inspector to live server-side (no CORS for raw TCP). CT logs are a public, JSON-queryable source of cert truth — every issued cert is there within seconds of issuance. The trade-off: the cert in the CT log is the cert as issued, not necessarily the one being served right now (a server could be misconfigured to serve an old cert). For 99% of cases, the latest CT entry matches what's served. For the 1% where it doesn't, run an actual handshake test with openssl s_client.
How do I read the SAN list?
SAN = Subject Alternative Name. Modern certs are issued for multiple hostnames in a single cert: example.com, www.example.com, api.example.com all on one cert. We render the full SAN list (de-duplicated) so you can see exactly what hostnames the cert covers. A wildcard entry like *.example.com covers any single sub-domain. If your domain is missing from the SAN list of the most-recent cert, that's the cause of the browser warning.
What does the issuer field tell me?
The issuer is the Certificate Authority that signed the cert. Common issuers in 2026: Let's Encrypt (free, auto-renewing, ~60% of public web), Cloudflare (auto-issued for sites behind their proxy), Google Trust Services (for GCP customers), DigiCert / Sectigo (paid, EV/OV certs for finance/health). The issuer alone tells you what infrastructure the site uses — Let's Encrypt + Cloudflare issuer suggests Cloudflare-fronted; DigiCert EV cert suggests an enterprise paying for stronger validation.
What does 'days remaining' mean?
The number of days between today and the not-after date of the most-recent cert. Browsers reject expired certs immediately. We render in three bands: green (60+ days), amber (1-59 days), red (expired). Auto-renewing infrastructure (Let's Encrypt, Cloudflare, AWS ACM) typically rotates certs at the 30-day mark; an amber reading on a Let's Encrypt cert just means renewal hasn't fired yet. A red reading on a production domain is an outage in progress.
Does this tool log my domain query?
No. The query is sent only from your browser to crt.sh. Nothing is logged on Digital Heroes servers. crt.sh is operated by Sectigo and follows their published privacy practices. There is no signup, no email field, and no analytics beacon that includes your query string.