This site is not affiliated with or endorsed by Cloudflare, Inc. It simply showcases experiments built using Cloudflare services.
Cloudflare Experiments

SSL Certificate Inspector

Inspect TLS certificate metadata for a domain using Certificate Transparency and HTTPS probes

The experiment uses Certificate Transparency logs (crt.sh) for issuer, subject, validity, SAN list, and days-until-expiry, plus an HTTPS HEAD probe for reachability.

Features

  • GET /inspect?domain= - Certificate metadata + reachability
  • CT-based cert data - Issuer, subject, validity window, SANs
  • HTTPS probe - Confirms the domain is reachable over TLS
  • Honest limitations - Documents that full live cert chain inspection is limited in Workers

API Reference

GET /inspect

Inspect certificate metadata for a hostname.

Example Request

curl "https://your-worker.workers.dev/inspect?domain=cloudflare.com"

Success Response

{
  "domain": "cloudflare.com",
  "reachable": true,
  "tlsVersion": "TLSv1.3",
  "certificate": {
    "issuer": "CN=WE1,O=Google Trust Services,C=US",
    "subject": "CN=cloudflare.com",
    "notBefore": "2025-01-01T00:00:00",
    "notAfter": "2026-01-01T00:00:00",
    "daysUntilExpiry": 180,
    "san": ["cloudflare.com", "*.cloudflare.com"],
    "serialNumber": "03:AB:CD..."
  },
  "source": "certificate-transparency",
  "note": "Certificate metadata comes from Certificate Transparency logs (crt.sh)..."
}

Error Codes

  • 400 - Invalid domain (INVALID_DOMAIN)
  • 502 - Lookup or probe failed (INSPECT_ERROR)

Workers cannot perform arbitrary live TLS certificate handshakes for any domain. This experiment uses CT logs for certificate fields and a HEAD request for reachability. For production cert monitoring, consider dedicated TLS inspection tooling.

Use Cases

  • Check certificate expiry and SAN coverage from the edge
  • Learn CT log lookup patterns for domain security audits
  • Prototype cert monitoring alerts before integrating a full scanner

Limitations

  • Certificate data comes from CT logs, not a live handshake
  • crt.sh availability and freshness affect results
  • tlsVersion on the Worker request reflects the Worker's outbound fetch, not the target's full chain
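Because CT logs list every certificate that was issued for a name rather than the one currently served, a CT-based inspector has to choose which logged entry to report. The following is an added example, not the experiment's own code, showing one way to validate the `domain` parameter, filter logged rows to certificates that are currently valid and cover the hostname, and derive `daysUntilExpiry`. The function names and sample rows are constructed for illustration, and the row field names assume crt.sh's JSON output.

```javascript
// Added example, not the experiment's code. Row fields assume crt.sh JSON output.
const HOSTNAME_RE =
  /^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+(?:[a-z]{2,63}|xn--[a-z0-9-]{0,58}[a-z0-9])$/;

// Accept only a plain DNS name (no IPs, paths, ports) before any outbound lookup.
function normalizeDomain(input) {
  const d = String(input ?? "").trim().toLowerCase().replace(/\.$/, "");
  return HOSTNAME_RE.test(d) ? d : null;
}

// A wildcard SAN covers exactly one left-most label: *.example.com matches
// www.example.com but not example.com or a.b.example.com.
function sanCovers(san, host) {
  if (!san.startsWith("*.")) return san === host;
  const dot = host.indexOf(".");
  return dot > 0 && host.slice(dot + 1) === san.slice(2);
}

// Timestamps without a zone suffix are treated as UTC.
const utc = (s) => Date.parse(s.endsWith("Z") ? s : s + "Z");

// Keep rows valid at `now` that cover `host`; report the one expiring last.
function summarize(rows, host, now = Date.now()) {
  const valid = rows
    .map((r) => ({ ...r, san: [...new Set(r.name_value.toLowerCase().split("\n"))] }))
    .filter((r) => utc(r.not_before) <= now && now < utc(r.not_after))
    .filter((r) => r.san.some((s) => sanCovers(s, host)))
    .sort((a, b) => utc(b.not_after) - utc(a.not_after));
  if (valid.length === 0) return null; // nothing logged that is valid for this host
  const c = valid[0];
  return {
    issuer: c.issuer_name,
    subject: `CN=${c.common_name}`,
    notBefore: c.not_before,
    notAfter: c.not_after,
    daysUntilExpiry: Math.floor((utc(c.not_after) - now) / 86400000),
    san: c.san,
    serialNumber: c.serial_number,
  };
}

// Constructed sample rows (not real crt.sh output).
const SAMPLE_ROWS = [
  { issuer_name: "C=US, O=Example CA, CN=E1", common_name: "example.com", name_value: "example.com\n*.example.com", not_before: "2025-01-01T00:00:00", not_after: "2025-04-01T00:00:00", serial_number: "01aa" },
  { issuer_name: "C=US, O=Example CA, CN=E1", common_name: "example.com", name_value: "example.com\n*.example.com", not_before: "2025-03-01T00:00:00", not_after: "2025-05-30T00:00:00", serial_number: "02bb" },
  { issuer_name: "C=US, O=Example CA, CN=E1", common_name: "other.example.net", name_value: "other.example.net", not_before: "2025-03-01T00:00:00", not_after: "2025-12-01T00:00:00", serial_number: "03cc" },
];
console.log(summarize(SAMPLE_ROWS, "example.com", Date.parse("2025-03-15T00:00:00Z")));
```

A `null` result means no logged certificate is both in its validity window and covers the hostname; it says nothing about what the server presents in a live handshake.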

Deployment

Test your deployment

curl "https://your-worker.workers.dev/inspect?domain=cloudflare.com"

Local Development

cd apps/experiments/ssl-certificate-inspector
npm install
npm run dev
curl "http://localhost:8787/inspect?domain=example.com"

Cloudflare Features Used

  • Workers - Edge compute and outbound fetch
  • Fetch API - HTTPS reachability probe
