SSL Analyzer - Deep SSL/TLS Security Grade
Enter a domain and get an SSL Labs-style report: the live certificate (validity, key strength, signature, chain and hostname match), exactly which TLS protocol versions the server accepts (1.0 through 1.3), the negotiated cipher and whether it offers forward secrecy, and HSTS / preload status - all rolled into one A+ to F grade with the most important fixes listed first.
What does the SSL Analyzer check?
This tool performs a deep inspection of a server's TLS (Transport Layer Security, the protocol behind HTTPS) and grades it from A+ to F. It does four things, each scored independently and then combined into one weighted grade:
- The live certificate - validity window and days to expiry, whether it actually covers the hostname you entered (Common Name and Subject Alternative Names), the public-key type and size, the signature algorithm, and whether the server sent the full chain.
- Protocol support - which TLS versions (1.0, 1.1, 1.2, 1.3) the server will negotiate, tested one version at a time.
- The negotiated cipher - the cipher suite a modern client gets, its strength, and whether it provides forward secrecy.
- Security posture - the HSTS response header and whether it meets the rules for the browser preload list.
The analysis runs directly against the server: it opens a real TLS connection to port 443, captures and parses the certificate the server presents, and attempts a handshake for each protocol version. Because it is analysing the server (not trusting it to fetch content), it does not need a local certificate-authority bundle - but it still reports the certificate's own validity, expiry, and trust signals.
Certificate: is it valid, trusted, and for the right host?
A browser shows a full-page error - and blocks every visitor - if the certificate has expired, does not cover the hostname, or is self-signed (not issued by a trusted Certificate Authority). The analyzer treats all three as critical and caps the grade at F, because no amount of strong ciphers compensates for an untrusted certificate. It also flags a SHA-1 or MD5 signature (deprecated and distrusted) and a weak key (RSA below 2048 bits, or an EC curve below 256 bits). Modern certificates use SHA-256 signatures with a 2048-bit-plus RSA key or a 256-bit EC key.
Protocols: which TLS versions are accepted?
TLS 1.0 (1999) and TLS 1.1 (2006) are formally deprecated by RFC 8996 and removed from modern browsers; leaving them enabled exposes clients to downgrade and legacy-cipher attacks. The analyzer probes each version with its own handshake, so "TLS 1.0: enabled" is a genuine finding, not an inference. The target is to accept only TLS 1.2 and TLS 1.3. TLS 1.3 is rewarded: it is faster (one round-trip) and forward-secret by design.
Cipher & forward secrecy: can past traffic be decrypted later?
Forward secrecy means each session uses a throwaway (ephemeral) key, so even if the server's private key leaks in the future, traffic recorded today cannot be decrypted. It comes from ECDHE/DHE key exchange and is built into every TLS 1.3 suite. Static-RSA key exchange has no forward secrecy and is flagged. The tool also flags legacy primitives (RC4, 3DES, DES, EXPORT, NULL, MD5). Note: it reports the suite a modern client negotiates - enumerating every suite a server accepts requires a full per-suite handshake sweep (such as openssl s_client), which is not run here.
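The forward-secrecy and legacy-primitive checks described above can be sketched as a classifier over the suite name. This is an added example, not the tool's own code; it assumes OpenSSL-style or IANA-style suite names and the protocol string that Python's ssl.SSLSocket.cipher() returns, and the function and constant names are hypothetical.

```python
import re

# Key-exchange tokens that mean an ephemeral (forward-secret) exchange.
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH"}  # EDH is OpenSSL's older spelling of DHE
# Name token -> legacy primitive it indicates (the list flagged in the text above).
LEGACY_TOKENS = {"RC4": "RC4", "3DES": "3DES", "CBC3": "3DES", "DES": "DES",
                 "EXP": "EXPORT", "EXPORT": "EXPORT", "NULL": "NULL", "MD5": "MD5"}

def classify_cipher(name, protocol):
    """Classify one negotiated suite, e.g. the first two items of SSLSocket.cipher()."""
    tokens = re.split(r"[-_]", name.upper())
    # Every TLS 1.3 suite is forward-secret; older versions need ECDHE/DHE in the name.
    forward_secrecy = protocol == "TLSv1.3" or bool(EPHEMERAL_KX & set(tokens))
    legacy = sorted({LEGACY_TOKENS[t] for t in tokens if t in LEGACY_TOKENS})
    if "3DES" in legacy and "DES" in legacy:
        legacy.remove("DES")  # DES-CBC3-SHA is 3DES, not single DES
    findings = []
    if not forward_secrecy:
        findings.append("no forward secrecy (non-ephemeral key exchange)")
    findings += [f"legacy primitive: {p}" for p in legacy]
    return {"forward_secrecy": forward_secrecy, "legacy": legacy, "findings": findings}

# Constructed sample inputs (suite name, protocol), not taken from a real scan.
SAMPLES = [
    ("TLS_AES_256_GCM_SHA384", "TLSv1.3"),
    ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2"),
    ("AES256-SHA", "TLSv1.2"),       # static RSA key exchange
    ("DES-CBC3-SHA", "TLSv1"),       # 3DES with static RSA
]

if __name__ == "__main__":
    for suite, proto in SAMPLES:
        print(suite, proto, classify_cipher(suite, proto)["findings"] or "ok")
```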
Posture: HSTS and the preload list
HTTP Strict Transport Security (Strict-Transport-Security, RFC 6797) tells the browser to use HTTPS for every future request to the domain, closing the SSL-stripping window once the browser has seen the header. To qualify for the browser preload list (shipped inside browsers so even the first visit is forced to HTTPS), the header must have max-age of at least one year (31536000 seconds), plus includeSubDomains and preload. The analyzer reports exactly which of those is missing.
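A preload-eligibility check against the three requirements above might look like the following. This is an added example, not the analyzer's implementation; the function names and sample header values are constructed for illustration.

```python
MIN_PRELOAD_MAX_AGE = 31536000  # one year, the threshold stated above

def parse_hsts(value):
    """Split a Strict-Transport-Security value into (max_age, flag_names)."""
    max_age, flags = None, set()
    for part in value.split(";"):
        name, sep, arg = part.strip().partition("=")
        name = name.strip().lower()      # directive names are case-insensitive
        arg = arg.strip().strip('"')     # max-age may arrive as a quoted string
        if name == "max-age" and max_age is None:
            if arg.isascii() and arg.isdigit():
                max_age = int(arg)
        elif name and not sep:
            flags.add(name)              # valueless directives such as preload
    return max_age, flags

def preload_gaps(value):
    """List the preload requirements a header fails; an empty list means eligible."""
    if value is None:
        return ["no Strict-Transport-Security header"]
    max_age, flags = parse_hsts(value)
    gaps = []
    if max_age is None:
        gaps.append("max-age missing or not a number")
    elif max_age < MIN_PRELOAD_MAX_AGE:
        gaps.append(f"max-age {max_age} is below {MIN_PRELOAD_MAX_AGE}")
    for key, label in (("includesubdomains", "includeSubDomains"),
                       ("preload", "preload")):
        if key not in flags:
            gaps.append(f"{label} missing")
    return gaps

# Constructed sample header values (not captured from any real site).
SAMPLES = [
    "max-age=63072000; includeSubDomains; preload",
    "max-age=300",
    'MAX-AGE="31536000"; INCLUDESUBDOMAINS',
    None,  # server sent no HSTS header at all
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", preload_gaps(sample) or "preload-eligible")
```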
How is the overall grade calculated?
Each of the four areas is scored 0–100. The overall score is a weighted average - the certificate carries the most weight, followed by protocol support, then cipher/forward-secrecy, then posture - and then converted to a letter (A+ ≥ 95, A ≥ 90, B ≥ 80, C ≥ 70, D ≥ 60, otherwise F). On top of the average, hard caps apply for unambiguous trust failures: an expired certificate, a hostname mismatch, or a self-signed certificate caps the grade at F; a SHA-1/MD5 signature, a weak key, or deprecated TLS 1.0/1.1 still enabled caps it at C; and no TLS 1.2/1.3 caps it at D. This mirrors how browsers and SSL Labs treat trust as a precondition rather than just another points category.
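The interaction between the weighted average and the hard caps is easiest to see in code. This is an added sketch, not the tool's scoring code: the page gives only the ordering of the weights, so the 40/30/20/10 split is an assumption, and the finding names are hypothetical labels for the caps listed above.

```python
# Assumed weights in percent. The page states only the ordering
# (certificate > protocols > cipher > posture), not the numbers.
WEIGHTS = {"certificate": 40, "protocols": 30, "cipher": 20, "posture": 10}

# Score floors from the text above, best grade first.
LETTERS = [(95, "A+"), (90, "A"), (80, "B"), (70, "C"), (60, "D"), (0, "F")]
ORDER = [letter for _, letter in LETTERS]  # best to worst

# Finding (hypothetical label) -> best grade still allowed, per the caps above.
CAPS = {
    "expired": "F", "hostname_mismatch": "F", "self_signed": "F",
    "weak_signature": "C", "weak_key": "C", "tls10_or_11_enabled": "C",
    "no_tls12_or_13": "D",
}

def letter_for(score):
    """Convert a 0-100 score to a letter using the stated thresholds."""
    return next(letter for floor, letter in LETTERS if score >= floor)

def overall_grade(scores, findings=()):
    """Return (weighted score, letter) after applying every hard cap."""
    score = sum(WEIGHTS[area] * scores[area] for area in WEIGHTS) / 100
    grade = letter_for(score)
    for finding in findings:
        cap = CAPS[finding]
        # A cap only ever lowers the grade; the worst cap wins.
        if ORDER.index(cap) > ORDER.index(grade):
            grade = cap
    return round(score, 1), grade

# Constructed example: perfect area scores, but TLS 1.0 is still enabled.
PERFECT = {"certificate": 100, "protocols": 100, "cipher": 100, "posture": 100}

if __name__ == "__main__":
    print(overall_grade(PERFECT))                           # no findings
    print(overall_grade(PERFECT, ["tls10_or_11_enabled"]))  # capped
    print(overall_grade(PERFECT, ["expired"]))              # trust failure
```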
SSL Analyzer vs. the SSL Certificate Checker
If you only need to confirm that a certificate is valid and see when it expires, use the simpler SSL Certificate Checker. This SSL Analyzer goes much deeper: it probes the accepted TLS protocol versions, reports the negotiated cipher and forward secrecy, checks HSTS and preload eligibility, and produces an overall A+ to F security grade with a prioritised fix list.
How often should I run it?
Run it after every certificate rotation, server or CDN configuration change, or TLS-library upgrade, and on a recurring schedule (monthly is reasonable) to catch silent regressions - an expiring certificate, a TLS version re-enabled by a config rollback, or a cipher change that dropped forward secrecy.