Bulk SSL Certificate Checker 🔐 — Expiry, Issuer & TLS Audit

Check SSL/TLS certificates for thousands of domains in a single run. This bulk SSL checker connects to every domain on port 443, grabs the full certificate chain, and returns a detailed row with expiry date, issuer, SANs, days remaining, TLS version, key algorithm, chain validation and more — all from a simple list of domains. No API key, no external service, no rate limits — pure TLS handshake inspection.

Paste a list of domains and the actor resolves them in parallel, producing thousands of rows you can filter, sort and export to CSV, Excel or JSON. Find expired certs, flag expiring-soon certs, audit TLS versions, and identify self-signed and weak-key certificates at scale.

Looking for an SSL certificate checker, a bulk TLS audit tool, a certificate expiry monitor, or a free SSL checker API without a key? This actor does it all in one parallel run.

---

✨ Key features

• 🔐 Bulk SSL inspection — check certificates for thousands of domains in a single run, in parallel.
• 📅 Expiry tracking — validTo, daysRemaining, expired and expiringSoon (<30 days) fields for every domain.
• 🏢 Full issuer info — issuer organization (O), common name (CN), and whether the cert is self-signed.
• 🧩 SAN extraction — every Subject Alternative Name (DNS) is extracted and listed, with a count.
• 🔑 Key details — signature algorithm, public key algorithm (RSA / EC), and key size in bits.
• 🔗 Chain validation — TLS authorized status (chain validity), chain length, and authorization error message.
• 📡 TLS version probing — the negotiated TLS version plus a scan of which TLS versions the server accepts (TLSv1, 1.1, 1.2, 1.3).
• ⚡ High concurrency — configurable parallel connections (default 10, up to 100).
• 🛡️ No API key — pure TLS socket inspection using Node.js tls module; no external SaaS calls.
• 🧹 Robust input parsing — schemes, paths, ports and trailing dots stripped automatically; duplicates removed.

💡 Use cases

• Certificate expiry monitoring — run weekly on your domain portfolio and flag anything expiring within 30 days before outages happen.
• Security & compliance audits — inventory TLS versions across infrastructure; flag self-signed, weak-key (RSA <2048), and deprecated-TLS hosts for remediation.
• M&A / due diligence — assess the SSL/TLS posture of an acquisition target's public-facing assets at scale.
• Competitor & vendor analysis — check which CA your competitors use, when their certs expire, and how they manage their SAN coverage.
• DevSecOps & CI/CD — schedule recurring runs as a canary and diff datasets to detect unexpected certificate changes.
• Bug bounty & recon — map SAN lists to discover additional domains and subdomains behind a single certificate.

📦 What you get

Each row in the dataset is one domain's certificate summary:

Field	Description
domain	The queried domain (normalized)
valid	Whether the TLS connection was authorized by the system trust store
subjectCN	Common Name on the certificate
issuerOrg	Issuer organization (e.g. "Let's Encrypt", "DigiCert Inc")
issuerCN	Issuer common name
validFrom	Certificate not-before date (ISO 8601)
validTo	Certificate not-after / expiry date (ISO 8601)
daysRemaining	Number of days until expiry — negative if already expired
expired	true if the certificate has expired
expiringSoon	true if the certificate expires within 30 days
selfSigned	true if the certificate appears self-signed (chain length 1, issuer = subject)
signatureAlgorithm	e.g. sha256WithRSAEncryption
publicKeyAlgorithm	RSA or EC (P-256) etc.
keySize	Public key size in bits
sans	Comma-separated list of DNS SANs on the certificate
sansCount	Number of SAN entries
tlsVersion	TLS version negotiated during the connection (e.g. TLSv1.3)
tlsVersionsSupported	Comma-separated list of TLS versions the server accepted (probed individually)
chainLength	Number of certificates in the trust chain
chainValid	true/false — whether the full chain passes system trust validation
wildcard	true if any SAN is a wildcard (*.example.com)
error	Error message if connection or handshake failed
checkedAt	ISO 8601 timestamp of when the scan was run

Example output

[
  {
    "domain": "github.com",
    "valid": "true",
    "subjectCN": "github.com",
    "issuerOrg": "DigiCert Inc",
    "issuerCN": "DigiCert TLS Hybrid ECC SHA384 2020 CA1",
    "validFrom": "2024-03-12T00:00:00.000Z",
    "validTo": "2025-03-14T23:59:59.000Z",
    "daysRemaining": "264",
    "expired": "false",
    "expiringSoon": "false",
    "selfSigned": "false",
    "signatureAlgorithm": "ECDSA-SHA384",
    "publicKeyAlgorithm": "EC (P-256)",
    "keySize": "256",
    "sans": "github.com, www.github.com, *.github.com",
    "sansCount": "3",
    "tlsVersion": "TLSv1.3",
    "tlsVersionsSupported": "TLSv1.2, TLSv1.3",
    "chainLength": "3",
    "chainValid": "true",
    "wildcard": "true",
    "checkedAt": "2026-06-24T12:00:00.000Z"
  }
]

🚀 How to use it

1. Click Try for free / Start.
2. Paste your domain list into Domains — one per line (example.com or https://example.com/path, both work).
3. (Optional) Tune Max Concurrency for large lists and keep Proxy enabled.
4. Click Save & Start, then export the dataset as JSON, CSV, Excel or via API.

⚙️ Input

Field	Type	Description	Default
domains	array (required)	Domains to check SSL certificates for. Schemes and paths are stripped automatically.	–
maxConcurrency	integer	Parallel TLS connections. Higher is faster but may overwhelm small servers.	10 (max 100)
proxyConfiguration	object	Proxy used for the initial TCP connection.	Apify Proxy (datacenter)

Example input

{
  "domains": ["google.com", "github.com", "stackoverflow.com", "expired.badssl.com"],
  "maxConcurrency": 10,
  "proxyConfiguration": { "useApifyProxy": true }
}

🔍 How it works

For every domain, the actor opens a raw TCP socket to port 443, upgrades it to a TLS connection via Node.js tls.connect(), and captures the full peer certificate chain without downloading any HTTP content. The TLS handshake retrieves:

• The leaf certificate (subject, issuer, validity window, SANs, key material)
• The intermediate and root certificates (for chain length and trust validation)
• The negotiated TLS version (tlsSocket.getProtocol())

After the initial handshake, the actor also probes each TLS version independently (TLSv1, 1.1, 1.2, 1.3) to report which versions the server actually accepts — this is a separate connection per version so it adds latency but produces comprehensive data.

No API key, no SSL Labs dependency, no rate limiting — everything happens client-side in the Apify runtime.

🧰 Tips & best practices

• Provide bare domains (example.com) for cleanest results; subdomains work too.
• The TLS version probe adds ~2–3 seconds per domain (3 extra connections); the field will be empty if the probes time out.
• Servers that don't listen on port 443 (plain HTTP only) return valid: "false" with a connection error.
• Filter by expiringSoon: "true" to catch certificates that need renewal within 30 days.
• Filter by selfSigned: "true" and chainValid: "false" to flag configuration problems.
• Export to CSV/Excel and sort by daysRemaining ascending to prioritize renewals.

❓ FAQ

How do I check SSL certificates for many domains at once?

Paste your full domain list into the Domains field and run the actor once. It connects to every domain over TLS, extracts the certificate details, and returns one row per domain.

Can I monitor certificate expiry in bulk?

Yes — every row includes validTo, daysRemaining, expired and expiringSoon (<30 days). Schedule a recurring run and filter by expiringSoon: "true" to see what needs renewal.

Is this a free SSL checker API without a key?

There's no API key to manage. The actor uses Node.js TLS sockets — no external SaaS, no SSL Labs rate limits. Just provide domains and run.

Which TLS versions does it check?

The actor probes TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3 individually and reports which ones the server accepts. It also reports the TLS version negotiated during the primary handshake.

Can I export SSL certificate data to CSV or JSON?

Yes — download the dataset as CSV, JSON or Excel, or pull it through the REST API. Each domain is one row, perfect for spreadsheet filtering.

What happens with a domain that has no SSL (HTTP-only)?

The connection to port 443 fails, and the row is logged with valid: "false" and the error message in the error field. The run never crashes.

🔗 Related actors by the same author

• Bulk HTTP Security Headers Analyzer — scan CSP, HSTS, X-Frame-Options and score security posture of any URL.
• Bulk DNS Records Lookup — resolve A, AAAA, MX, TXT, NS, CNAME, SOA, CAA records via DNS-over-HTTPS.
• Bulk Email Deliverability Checker — MX, SPF, DKIM, DMARC and BIMI audit per domain.
• Bulk URL Status Checker — HTTP status codes and redirect chains for large URL lists.
• Subdomain Finder — discover subdomains via Certificate Transparency logs.

📝 Changelog

2026-06-24

• Initial release — bulk SSL/TLS certificate inspection (expiry, issuer, SANs, TLS versions, chain validation), no API key, CSV/JSON export.