SSL/TLS Grade Checker — Certificate & Protocol Analysis

HTTPS is no longer optional for public-facing sites. Search engines prefer secure origins, browsers mark HTTP pages as not secure, and modern APIs reject plaintext callbacks. A TLS grade summarizes whether your server presents a trustworthy configuration at the moment of the test — not a historical snapshot from last year's audit.

Letter grades give non-specialists a quick signal. Grade A means the certificate is valid and the protocol is current. Grades B and C often indicate TLS 1.2 without TLS 1.3 or a certificate nearing expiry. D and F typically mean expired certificates, failed handshakes, or legacy protocols that clients may refuse.

The tool performs a live TLS handshake against port 443. It retrieves the leaf certificate, validates that a certificate was returned, records the negotiated protocol string, and extracts expiration metadata. Grading weights protocol version heavily: TLS 1.0 and TLS 1.1 incur large penalties because major browsers disable them by default.

Certificate expiry penalties apply in tiers. Certificates past their notAfter date fail immediately. Those expiring within fourteen days receive a severe penalty; within thirty days, a moderate penalty. The result includes a cipherInfo note clarifying that grading derives from protocol and expiry — not an exhaustive cipher-order review.

TLS 1.3 is the current recommended baseline. It removes obsolete cipher suites, speeds up handshakes, and mandates forward secrecy in practice. TLS 1.2 remains widely deployed and acceptable when configured with strong ciphers, but it scores slightly lower in our grading model to encourage upgrades.

TLS 1.1 and TLS 1.0 are deprecated. PCI-DSS and browser vendors treat them as legacy. If your grade drops because of an old protocol, upgrade the web server or load balancer configuration and retest. Cloud-hosted sites often inherit TLS settings from the platform — verify the edge node, not only the origin.

Forgotten renewals cause more production outages than cipher misconfiguration. Automated certificate authorities issue ninety-day certificates by default, which means renewal must be scripted. Our daysRemaining field shows exactly how long until visitors encounter browser interstitials.

Schedule checks weekly for production domains and immediately after any infrastructure migration. Pair this tool with your certificate decoder for PEM inspection when you need issuer, subject, and Subject Alternative Name details from a file rather than a live fetch.

Server Name Indication tells the server which certificate to present on shared IP hosts. Enter the exact hostname users type in the browser — www.example.com and example.com may return different certificates if only one name is on the cert SAN list.

Non-standard HTTPS ports are not probed by this tool; it always connects to 443. If your service listens elsewhere, test through the load balancer hostname that terminates TLS for public traffic.

Grade A (score 90+): Valid certificate, modern protocol, comfortable expiry window. Grade B (75–89): Valid but TLS 1.2 or certificate within thirty days of expiry. Grade C (60–74): Multiple minor issues stacking. Grade D (45–59): Serious protocol or expiry concern. Grade F: Invalid, missing, or expired certificate, or handshake failure.

A single grade does not replace a full penetration test. Use it as a continuous smoke test alongside security headers and mixed-content scans on the same domain.

Expired Let's Encrypt or corporate certificates after personnel changes. Load balancers serving a default certificate when SNI is misconfigured. Legacy Java or Windows servers still offering TLS 1.0 for old clients. Staging environments copying production DNS but not renewing certs.

Fix paths are straightforward: renew or reissue the certificate, disable old protocols at the termination layer, and verify the full chain is sent during handshake. Retest until grade A is stable across multiple checks.

Before go-live on a new domain or subdomain. After CDN or WAF onboarding — the edge certificate may differ from origin. During compliance questionnaires that ask for current TLS version evidence. When users report certificate warnings in specific regions.

DevOps teams add hostname checks to post-deploy pipelines. Security reviewers document grade and expiry alongside header scores for a concise HTTPS posture summary.

Results reflect one connection attempt from our server at query time. Geographic anycast may yield different certificates at other edges. We do not enumerate every cipher suite or test client compatibility matrices.

Internal-only hostnames unreachable from the public internet cannot be checked — use the certificate decoder with exported PEM files for private networks. Rate limits apply to prevent abuse of outbound TLS connections.