SSL Certificates
free /v1/domain/ssl

Analyzes the currently active SSL/TLS certificate for a domain per X.509 standards. Returns certificate details including issuer, validity dates, Subject Alternative Names (SANs), key type, certificate type (DV/OV/EV), and self-signed detection. Enriches data with Certificate Transparency (CT) logs via crt.sh for historical context and subdomain discovery.
What It Does
Performs a TLS handshake with the domain and retrieves the active certificate. Extracts issuer organization (CN, O, C), validity period (notBefore/notAfter with days remaining and expiry warning), SANs, wildcard detection, and certificate type classification (DV, OV, or EV based on issuer patterns). Queries crt.sh Certificate Transparency logs for real certificate metadata enrichment. Detects self-signed certificates by comparing subject CN to issuer CN.
Why It's Useful
Certificate monitoring is critical for preventing HTTPS outages — expired certificates cause immediate user-facing errors. SAN analysis reveals related subdomains for asset inventory, issuer tracking ensures only authorized Certificate Authorities (per CAA records) are issuing certificates, and certificate type classification helps verify compliance with organizational security policies. CT log integration provides an independent verification source.
Use Cases
Certificate Expiry Monitoring
Monitor active certificates approaching expiry to prevent service outages caused by expired SSL/TLS certificates.
Prevent HTTPS outages by catching certificate expirations before they impact users.
Subdomain Discovery
Enumerate subdomains by analyzing Subject Alternative Names (SANs) in the active certificate.
Discover related domains and subdomains covered by the same certificate.
Certificate Configuration Audit
Verify certificate key size, algorithm strength, and issuer comply with organizational security policies.
Ensure certificate configurations meet security standards (e.g., RSA 2048+, SHA-256+).
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | Required | The domain to analyze the SSL/TLS certificate for. Example: example.com |
| port | number | Optional | Port to connect to (default: 443). Example: 443 |
Response Fields
| Field | Type | Description |
|---|---|---|
| domain | string | The queried domain |
| port | number | The port used for connection |
| issued_to | object | Certificate subject (common_name, organization, country) |
| issued_by | object | Certificate issuer (common_name, organization, country) |
| validity | object | Validity period (not_before, not_after, days_remaining, is_valid, is_expiring_soon). is_expiring_soon uses an adaptive window scaled to the cert lifetime so short-lived 47/100/200-day certs are not perpetually flagged. |
| subject_alt_names | array | Subject Alternative Names (SANs) covered by the certificate |
| key | object | Key type inferred from issuer (RSA or ECDSA) |
| chain | array | Certificate chain information (subject, issuer) |
| is_self_signed | boolean | Whether the certificate is self-signed |
| tls_verified | boolean | Whether TLS handshake succeeded (certificate trusted by Cloudflare) |
| is_wildcard | boolean | Whether the certificate is a wildcard |
| is_ev | boolean | Whether the certificate is Extended Validation |
| ev_note | string \| null | Set when is_ev is true. Explains that EV no longer surfaces in browser UI (Chrome 77 / Firefox 70 moved EV out of the omnibox in 2019). |
| certificate_type | string \| null | Certificate type (DV, OV, EV, or null if undetermined) — heuristic-based |
| lifetime_compliance | object | CA/B Forum Ballot SC081v3 compliance: { applies, max_allowed_days, lifetime_days, compliant, warning }. Warns when the cert exceeds the current limit or will exceed an upcoming one (398 → 200d on 2026-03-15 → 100d on 2027-03-15 → 47d on 2029-03-15). |
| caa | object | CAA record check (RFC 8659): { queried, records[], has_records, issuer_authorized, issuewild_set, iodef_set, account_uri_constrained, note }. Cross-references the cert's issuer against published CAA issue/issuewild records. |
| parsed | object \| null | Phase 2: real X.509 parse of the leaf cert (fetched via crt.sh `?d={id}` and parsed locally). { public_key: { algorithm, key_size, curve }, signature_algorithm: { label, weak, oid }, fingerprints: { sha256, spki_sha256 }, revocation_endpoints: { ocsp[], crl[] }, must_staple, embedded_sct_count, extended_key_usage, serial_number }. Heuristic fields above are overridden by parsed values when available; falls back to heuristics when crt.sh PEM endpoint is slow or unreachable. |
| parsed_error | string \| null | Phase 2: human-readable reason the X.509 parse failed (e.g., "crt.sh PEM fetch timed out"). Null when parsing succeeded or wasn't attempted. |
| note | string | Limitations and methodology note |
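
The schedule quoted in the lifetime_compliance row can be applied locally to a certificate's not_before and not_after dates. This is an added example, not the service's own code; it assumes the limit is selected by issuance date and leaves out the `applies` flag, whose criteria the page does not give.

```python
from datetime import date

# Limits as quoted in the lifetime_compliance description, newest first:
# 398 days, then 200 from 2026-03-15, 100 from 2027-03-15, 47 from 2029-03-15.
SCHEDULE = [
    (date(2029, 3, 15), 47),
    (date(2027, 3, 15), 100),
    (date(2026, 3, 15), 200),
    (date.min, 398),
]


def max_allowed_days(issued: date) -> int:
    """Limit in force for a certificate issued on the given date (assumption)."""
    return next(limit for start, limit in SCHEDULE if issued >= start)


def lifetime_compliance(not_before: date, not_after: date, today: date) -> dict:
    """Check a lifetime against the current limit and the next one it would break."""
    lifetime = (not_after - not_before).days  # whole days, time of day ignored
    limit = max_allowed_days(not_before)
    compliant = lifetime <= limit
    warning = None
    if not compliant:
        warning = f"lifetime {lifetime}d exceeds the {limit}d limit at issuance"
    else:
        # Future limits that a renewal of the same length would exceed, earliest first.
        upcoming = [(start, lim) for start, lim in reversed(SCHEDULE)
                    if start > today and lifetime > lim]
        if upcoming:
            start, lim = upcoming[0]
            warning = f"a {lifetime}d renewal on or after {start} would exceed {lim}d"
    return {
        "max_allowed_days": limit,
        "lifetime_days": lifetime,
        "compliant": compliant,
        "warning": warning,
    }
```

A 90-day certificate issued today is compliant but still carries a warning, because the same lifetime would exceed the 47-day limit from 2029-03-15.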
Code Examples
```bash
# -G sends the -d data as a query string (GET), matching the examples below
curl -G "https://api.edgedns.dev/v1/domain/ssl" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d "domain=example.com"
```

```javascript
const response = await fetch(
  'https://api.edgedns.dev/v1/domain/ssl?domain=example.com',
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
    }
  }
);
const data = await response.json();
console.log(data);
```

```python
import requests

response = requests.get(
    'https://api.edgedns.dev/v1/domain/ssl',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={
        'domain': 'example.com'
    },
    timeout=30,  # requests has no default timeout
)
response.raise_for_status()  # fail on HTTP errors instead of parsing an error body
data = response.json()
print(data)
```
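
For the Certificate Configuration Audit use case, a response can be checked against the key-size and signature policy while treating a missing `parsed` object as unverified rather than compliant. This is an added example, not the service's own code; the sample responses are constructed, and the "RSA" algorithm string and the signature label are assumed value formats.

```python
MIN_RSA_BITS = 2048  # "RSA 2048+" from the audit use case on this page


def audit(resp: dict) -> list:
    """Return policy findings for one /v1/domain/ssl response (empty list = pass)."""
    findings = []
    if resp.get("is_self_signed"):
        findings.append("self-signed certificate")
    if not resp.get("tls_verified"):
        findings.append("certificate not trusted during TLS handshake")
    if not (resp.get("validity") or {}).get("is_valid"):
        findings.append("certificate outside its validity period")
    # issuer_authorized is treated as tri-state here (assumption): only False fails.
    if (resp.get("caa") or {}).get("issuer_authorized") is False:
        findings.append("issuer not authorized by CAA records")

    parsed = resp.get("parsed")
    if parsed is None:
        # Without the X.509 parse the key type is only inferred from the issuer,
        # so key size and signature strength are unknown, not compliant.
        reason = resp.get("parsed_error") or "parse not attempted"
        findings.append(f"key/signature unverified: {reason}")
        return findings

    pk = parsed["public_key"]
    if pk["algorithm"] == "RSA" and (pk["key_size"] or 0) < MIN_RSA_BITS:
        findings.append(f"RSA key {pk['key_size']} bits < {MIN_RSA_BITS}")
    if parsed["signature_algorithm"]["weak"]:
        findings.append(f"weak signature: {parsed['signature_algorithm']['label']}")
    return findings


# Constructed responses (not real API output); value formats are assumptions.
BASE = {"is_self_signed": False, "tls_verified": True,
        "validity": {"is_valid": True}, "caa": {"issuer_authorized": True}}
WEAK = {**BASE, "parsed": {
    "public_key": {"algorithm": "RSA", "key_size": 1024, "curve": None},
    "signature_algorithm": {"label": "sha1WithRSAEncryption", "weak": True}}}
UNPARSED = {**BASE, "parsed": None, "parsed_error": "crt.sh PEM fetch timed out",
            "caa": {"issuer_authorized": False}}

if __name__ == "__main__":
    for name, resp in (("weak", WEAK), ("unparsed", UNPARSED)):
        print(name, audit(resp))
```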