# Bulk SSL Certificate Checker โ€” Expiry, Issuer & TLS Audit (`logiover/bulk-ssl-certificate-checker`) Actor Check SSL/TLS certificates for thousands of domains at once โ€” expiry date, issuer, SANs, days remaining, TLS versions supported and chain validation. No API key. Export to CSV or JSON. Ideal for security audits, certificate monitoring and compliance. - **URL**: https://apify.com/logiover/bulk-ssl-certificate-checker.md - **Developed by:** [Logiover](https://apify.com/logiover) (community) - **Categories:** Developer tools, Automation - **Stats:** 2 total users, 1 monthly users, 100.0% runs succeeded, 0 bookmarks - **User rating**: No ratings yet ## Pricing from $3.50 / 1,000 results This Actor is paid per event. You are not charged for the Apify platform usage, but only a fixed price for specific events. Since this Actor supports Apify Store discounts, the price gets lower the higher subscription plan you have. Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event ## What's an Apify Actor? Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases. In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours, and optionally produces a well-defined JSON output, datasets with results, or files in key-value store. In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server. Actors are written with capital "A". ## How to integrate an Actor? If asked about integration, you help developers integrate Actors into their projects. You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready. The best way to integrate Actors is as follows. In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md): ```bash npm install apify-client ``` In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md): ```bash pip install apify-client ``` In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md): ````bash # MacOS / Linux curl -fsSL https://apify.com/install-cli.sh | bash # Windows irm https://apify.com/install-cli.ps1 | iex ```bash In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md). If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md). For usage examples, see the [API](#api) section below. For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt). # README ## Bulk SSL Certificate Checker ๐Ÿ” โ€” Expiry, Issuer & TLS Audit **Check SSL/TLS certificates for thousands of domains in a single run.** This **bulk SSL checker** connects to every domain on port 443, grabs the full certificate chain, and returns a detailed row with **expiry date, issuer, SANs, days remaining, TLS version, key algorithm, chain validation** and more โ€” all from a simple list of domains. **No API key, no external service, no rate limits** โ€” pure TLS handshake inspection. Paste a list of domains and the actor resolves them in parallel, producing thousands of rows you can filter, sort and export to **CSV, Excel or JSON**. Find expired certs, flag expiring-soon certs, audit TLS versions, and identify self-signed and weak-key certificates at scale. > Looking for an **SSL certificate checker**, a **bulk TLS audit tool**, a **certificate expiry monitor**, or a **free SSL checker API without a key**? This actor does it all in one parallel run. --- ### โœจ Key features - ๐Ÿ” **Bulk SSL inspection** โ€” check certificates for thousands of domains in a single run, in parallel. - ๐Ÿ“… **Expiry tracking** โ€” `validTo`, `daysRemaining`, `expired` and `expiringSoon` (<30 days) fields for every domain. - ๐Ÿข **Full issuer info** โ€” issuer organization (O), common name (CN), and whether the cert is self-signed. - ๐Ÿงฉ **SAN extraction** โ€” every Subject Alternative Name (DNS) is extracted and listed, with a count. - ๐Ÿ”‘ **Key details** โ€” signature algorithm, public key algorithm (RSA / EC), and key size in bits. - ๐Ÿ”— **Chain validation** โ€” TLS `authorized` status (chain validity), chain length, and authorization error message. - ๐Ÿ“ก **TLS version probing** โ€” the negotiated TLS version plus a scan of which TLS versions the server accepts (TLSv1, 1.1, 1.2, 1.3). - โšก **High concurrency** โ€” configurable parallel connections (default 10, up to 100). - ๐Ÿ›ก๏ธ **No API key** โ€” pure TLS socket inspection using Node.js `tls` module; no external SaaS calls. - ๐Ÿงน **Robust input parsing** โ€” schemes, paths, ports and trailing dots stripped automatically; duplicates removed. ### ๐Ÿ’ก Use cases - **Certificate expiry monitoring** โ€” run weekly on your domain portfolio and flag anything expiring within 30 days before outages happen. - **Security & compliance audits** โ€” inventory TLS versions across infrastructure; flag self-signed, weak-key (RSA <2048), and deprecated-TLS hosts for remediation. - **M&A / due diligence** โ€” assess the SSL/TLS posture of an acquisition target's public-facing assets at scale. - **Competitor & vendor analysis** โ€” check which CA your competitors use, when their certs expire, and how they manage their SAN coverage. - **DevSecOps & CI/CD** โ€” schedule recurring runs as a canary and diff datasets to detect unexpected certificate changes. - **Bug bounty & recon** โ€” map SAN lists to discover additional domains and subdomains behind a single certificate. ### ๐Ÿ“ฆ What you get Each row in the dataset is **one domain's certificate summary**: | Field | Description | |-------|-------------| | `domain` | The queried domain (normalized) | | `valid` | Whether the TLS connection was `authorized` by the system trust store | | `subjectCN` | Common Name on the certificate | | `issuerOrg` | Issuer organization (e.g. "Let's Encrypt", "DigiCert Inc") | | `issuerCN` | Issuer common name | | `validFrom` | Certificate not-before date (ISO 8601) | | `validTo` | Certificate not-after / expiry date (ISO 8601) | | `daysRemaining` | Number of days until expiry โ€” negative if already expired | | `expired` | `true` if the certificate has expired | | `expiringSoon` | `true` if the certificate expires within 30 days | | `selfSigned` | `true` if the certificate appears self-signed (chain length 1, issuer = subject) | | `signatureAlgorithm` | e.g. `sha256WithRSAEncryption` | | `publicKeyAlgorithm` | `RSA` or `EC (P-256)` etc. | | `keySize` | Public key size in bits | | `sans` | Comma-separated list of DNS SANs on the certificate | | `sansCount` | Number of SAN entries | | `tlsVersion` | TLS version negotiated during the connection (e.g. `TLSv1.3`) | | `tlsVersionsSupported` | Comma-separated list of TLS versions the server accepted (probed individually) | | `chainLength` | Number of certificates in the trust chain | | `chainValid` | `true`/`false` โ€” whether the full chain passes system trust validation | | `wildcard` | `true` if any SAN is a wildcard (`*.example.com`) | | `error` | Error message if connection or handshake failed | | `checkedAt` | ISO 8601 timestamp of when the scan was run | #### Example output ```json [ { "domain": "github.com", "valid": "true", "subjectCN": "github.com", "issuerOrg": "DigiCert Inc", "issuerCN": "DigiCert TLS Hybrid ECC SHA384 2020 CA1", "validFrom": "2024-03-12T00:00:00.000Z", "validTo": "2025-03-14T23:59:59.000Z", "daysRemaining": "264", "expired": "false", "expiringSoon": "false", "selfSigned": "false", "signatureAlgorithm": "ECDSA-SHA384", "publicKeyAlgorithm": "EC (P-256)", "keySize": "256", "sans": "github.com, www.github.com, *.github.com", "sansCount": "3", "tlsVersion": "TLSv1.3", "tlsVersionsSupported": "TLSv1.2, TLSv1.3", "chainLength": "3", "chainValid": "true", "wildcard": "true", "checkedAt": "2026-06-24T12:00:00.000Z" } ] ```` ### ๐Ÿš€ How to use it 1. Click **Try for free / Start**. 2. Paste your domain list into **Domains** โ€” one per line (`example.com` or `https://example.com/path`, both work). 3. (Optional) Tune **Max Concurrency** for large lists and keep **Proxy** enabled. 4. Click **Save & Start**, then export the dataset as **JSON, CSV, Excel or via API**. ### โš™๏ธ Input | Field | Type | Description | Default | |-------|------|-------------|---------| | `domains` | array (required) | Domains to check SSL certificates for. Schemes and paths are stripped automatically. | โ€“ | | `maxConcurrency` | integer | Parallel TLS connections. Higher is faster but may overwhelm small servers. | `10` (max `100`) | | `proxyConfiguration` | object | Proxy used for the initial TCP connection. | Apify Proxy (datacenter) | #### Example input ```json { "domains": ["google.com", "github.com", "stackoverflow.com", "expired.badssl.com"], "maxConcurrency": 10, "proxyConfiguration": { "useApifyProxy": true } } ``` ### ๐Ÿ” How it works For every domain, the actor opens a **raw TCP socket to port 443**, upgrades it to a TLS connection via Node.js `tls.connect()`, and captures the full peer certificate chain without downloading any HTTP content. The TLS handshake retrieves: - The **leaf certificate** (subject, issuer, validity window, SANs, key material) - The **intermediate and root certificates** (for chain length and trust validation) - The **negotiated TLS version** (`tlsSocket.getProtocol()`) After the initial handshake, the actor also **probes each TLS version independently** (TLSv1, 1.1, 1.2, 1.3) to report which versions the server actually accepts โ€” this is a separate connection per version so it adds latency but produces comprehensive data. **No API key, no SSL Labs dependency, no rate limiting** โ€” everything happens client-side in the Apify runtime. ### ๐Ÿงฐ Tips & best practices - Provide bare domains (`example.com`) for cleanest results; subdomains work too. - The TLS version probe adds ~2โ€“3 seconds per domain (3 extra connections); the field will be empty if the probes time out. - Servers that don't listen on port 443 (plain HTTP only) return `valid: "false"` with a connection error. - Filter by `expiringSoon: "true"` to catch certificates that need renewal within 30 days. - Filter by `selfSigned: "true"` and `chainValid: "false"` to flag configuration problems. - Export to CSV/Excel and sort by `daysRemaining` ascending to prioritize renewals. ### โ“ FAQ #### How do I check SSL certificates for many domains at once? Paste your full domain list into the **Domains** field and run the actor once. It connects to every domain over TLS, extracts the certificate details, and returns one row per domain. #### Can I monitor certificate expiry in bulk? Yes โ€” every row includes `validTo`, `daysRemaining`, `expired` and `expiringSoon` (<30 days). Schedule a recurring run and filter by `expiringSoon: "true"` to see what needs renewal. #### Is this a free SSL checker API without a key? There's no API key to manage. The actor uses Node.js TLS sockets โ€” no external SaaS, no SSL Labs rate limits. Just provide domains and run. #### Which TLS versions does it check? The actor probes TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3 individually and reports which ones the server accepts. It also reports the TLS version negotiated during the primary handshake. #### Can I export SSL certificate data to CSV or JSON? Yes โ€” download the dataset as **CSV, JSON or Excel**, or pull it through the REST API. Each domain is one row, perfect for spreadsheet filtering. #### What happens with a domain that has no SSL (HTTP-only)? The connection to port 443 fails, and the row is logged with `valid: "false"` and the error message in the `error` field. The run never crashes. ### ๐Ÿ”— Related actors by the same author - **[Bulk HTTP Security Headers Analyzer](https://apify.com/logiover/bulk-http-security-headers)** โ€” scan CSP, HSTS, X-Frame-Options and score security posture of any URL. - **[Bulk DNS Records Lookup](https://apify.com/logiover/bulk-dns-records-lookup)** โ€” resolve A, AAAA, MX, TXT, NS, CNAME, SOA, CAA records via DNS-over-HTTPS. - **[Bulk Email Deliverability Checker](https://apify.com/logiover/bulk-email-deliverability-checker)** โ€” MX, SPF, DKIM, DMARC and BIMI audit per domain. - **[Bulk URL Status Checker](https://apify.com/logiover/bulk-url-status-checker)** โ€” HTTP status codes and redirect chains for large URL lists. - **[Subdomain Finder](https://apify.com/logiover/subdomain-finder)** โ€” discover subdomains via Certificate Transparency logs. ### ๐Ÿ“ Changelog #### 2026-06-24 - Initial release โ€” bulk SSL/TLS certificate inspection (expiry, issuer, SANs, TLS versions, chain validation), no API key, CSV/JSON export. # Actor input Schema ## `domains` (type: `array`): List of domains (or URLs) to check SSL certificates for. One entry per domain, e.g. example.com. Schemes (https://), paths and ports are stripped automatically. ## `maxConcurrency` (type: `integer`): How many domains to check in parallel. Higher is faster but may trigger rate limits. ## `proxyConfiguration` (type: `object`): Proxy used for the SSL connections. Recommended to avoid IP-based rate limiting. ## Actor input object example ```json { "domains": [ "google.com", "github.com" ], "maxConcurrency": 10, "proxyConfiguration": { "useApifyProxy": true } } ``` # Actor output Schema ## `results` (type: `string`): The dataset containing one row per domain with TLS/HTTPS reachability, status code, response time and error classification. # API You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup. ## JavaScript example ```javascript import { ApifyClient } from 'apify-client'; // Initialize the ApifyClient with your Apify API token // Replace the '' with your token const client = new ApifyClient({ token: '', }); // Prepare Actor input const input = { "domains": [ "google.com", "github.com" ] }; // Run the Actor and wait for it to finish const run = await client.actor("logiover/bulk-ssl-certificate-checker").call(input); // Fetch and print Actor results from the run's dataset (if any) console.log('Results from dataset'); console.log(`๐Ÿ’พ Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`); const { items } = await client.dataset(run.defaultDatasetId).listItems(); items.forEach((item) => { console.dir(item); }); // ๐Ÿ“š Want to learn more ๐Ÿ“–? Go to โ†’ https://docs.apify.com/api/client/js/docs ``` ## Python example ```python from apify_client import ApifyClient # Initialize the ApifyClient with your Apify API token # Replace '' with your token. client = ApifyClient("") # Prepare the Actor input run_input = { "domains": [ "google.com", "github.com", ] } # Run the Actor and wait for it to finish run = client.actor("logiover/bulk-ssl-certificate-checker").call(run_input=run_input) # Fetch and print Actor results from the run's dataset (if there are any) print("๐Ÿ’พ Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"]) for item in client.dataset(run["defaultDatasetId"]).iterate_items(): print(item) # ๐Ÿ“š Want to learn more ๐Ÿ“–? Go to โ†’ https://docs.apify.com/api/client/python/docs/quick-start ``` ## CLI example ```bash echo '{ "domains": [ "google.com", "github.com" ] }' | apify call logiover/bulk-ssl-certificate-checker --silent --output-dataset ``` ## MCP server setup ```json { "mcpServers": { "apify": { "command": "npx", "args": [ "mcp-remote", "https://mcp.apify.com/?tools=logiover/bulk-ssl-certificate-checker", "--header", "Authorization: Bearer " ] } } } ``` ## OpenAPI specification ```json { "openapi": "3.0.1", "info": { "title": "Bulk SSL Certificate Checker โ€” Expiry, Issuer & TLS Audit", "description": "Check SSL/TLS certificates for thousands of domains at once โ€” expiry date, issuer, SANs, days remaining, TLS versions supported and chain validation. No API key. Export to CSV or JSON. Ideal for security audits, certificate monitoring and compliance.", "version": "1.0", "x-build-id": "pQBm3N4OJy167cTr7" }, "servers": [ { "url": "https://api.apify.com/v2" } ], "paths": { "/acts/logiover~bulk-ssl-certificate-checker/run-sync-get-dataset-items": { "post": { "operationId": "run-sync-get-dataset-items-logiover-bulk-ssl-certificate-checker", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } }, "/acts/logiover~bulk-ssl-certificate-checker/runs": { "post": { "operationId": "runs-sync-logiover-bulk-ssl-certificate-checker", "x-openai-isConsequential": false, "summary": "Executes an Actor and returns information about the initiated run in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/runsResponseSchema" } } } } } } }, "/acts/logiover~bulk-ssl-certificate-checker/run-sync": { "post": { "operationId": "run-sync-logiover-bulk-ssl-certificate-checker", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } } }, "components": { "schemas": { "inputSchema": { "type": "object", "required": [ "domains" ], "properties": { "domains": { "title": "Domains", "type": "array", "description": "List of domains (or URLs) to check SSL certificates for. One entry per domain, e.g. example.com. Schemes (https://), paths and ports are stripped automatically.", "items": { "type": "string" } }, "maxConcurrency": { "title": "Max Concurrency", "minimum": 1, "maximum": 100, "type": "integer", "description": "How many domains to check in parallel. Higher is faster but may trigger rate limits.", "default": 10 }, "proxyConfiguration": { "title": "Proxy Configuration", "type": "object", "description": "Proxy used for the SSL connections. Recommended to avoid IP-based rate limiting.", "default": { "useApifyProxy": true } } } }, "runsResponseSchema": { "type": "object", "properties": { "data": { "type": "object", "properties": { "id": { "type": "string" }, "actId": { "type": "string" }, "userId": { "type": "string" }, "startedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "finishedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "status": { "type": "string", "example": "READY" }, "meta": { "type": "object", "properties": { "origin": { "type": "string", "example": "API" }, "userAgent": { "type": "string" } } }, "stats": { "type": "object", "properties": { "inputBodyLen": { "type": "integer", "example": 2000 }, "rebootCount": { "type": "integer", "example": 0 }, "restartCount": { "type": "integer", "example": 0 }, "resurrectCount": { "type": "integer", "example": 0 }, "computeUnits": { "type": "integer", "example": 0 } } }, "options": { "type": "object", "properties": { "build": { "type": "string", "example": "latest" }, "timeoutSecs": { "type": "integer", "example": 300 }, "memoryMbytes": { "type": "integer", "example": 1024 }, "diskMbytes": { "type": "integer", "example": 2048 } } }, "buildId": { "type": "string" }, "defaultKeyValueStoreId": { "type": "string" }, "defaultDatasetId": { "type": "string" }, "defaultRequestQueueId": { "type": "string" }, "buildNumber": { "type": "string", "example": "1.0.0" }, "containerUrl": { "type": "string" }, "usage": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "integer", "example": 1 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } }, "usageTotalUsd": { "type": "number", "example": 0.00005 }, "usageUsd": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "number", "example": 0.00005 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } } } } } } } } } ```