Use Cloudflare’s PKI and TLS toolkit to check online certificate.

See how to use Cloudflare’s PKI and TLS toolkit blog post for basic details.

Inspect host for possible issues.

$ cfssl scan sleeplessbeastie.eu
Scanning sleeplessbeastie.eu...
=== sleeplessbeastie.eu ===
{
  "Broad": {
    "IntermediateCAs": {
      "grade": "Skipped"
    }
  },
  "Connectivity": {
    "CloudFlareStatus": {
      "grade": "Skipped",
      "error": "Couldn't parse CIDR range: invalid CIDR address: 131.0.72.0/222400:cb00::/32"
    },
    "DNSLookup": {
      "grade": "Good",
      "output": [
        "192.0.78.138",
        "192.0.78.223"
      ]
    },
    "TCPDial": {
      "grade": "Good"
    },
    "TLSDial": {
      "grade": "Good"
    }
  },
  "PKI": {
    "ChainExpiration": {
      "grade": "Good",
      "output": "2022-11-03T10:07:28Z"
    },
    "ChainValidation": {
      "grade": "Warning",
      "output": [
        "Certificate for R3 is valid for too long"
      ]
    },
    "MultipleCerts": {
      "grade": "Good"
    }
  },
  "TLSHandshake": {
    "CertsByCiphers": {
      "grade": "Good",
      "output": {
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "SHA256WithRSA",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "SHA256WithRSA",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": "SHA256WithRSA",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "SHA256WithRSA"
      }
    },
    "CertsBySigAlgs": {
      "grade": "Good",
      "output": {
        "{RSA,SHA1}": "SHA256WithRSA",
        "{RSA,SHA256}": "SHA256WithRSA",
        "{RSA,SHA384}": "SHA256WithRSA"
      }
    },
    "CipherSuite": {
      "grade": "Good",
      "output": [
        {
          "ECDHE-RSA-AES128-GCM-SHA256": [
            {
              "TLS 1.2": [
                "secp256r1",
                "secp384r1",
                "secp224r1",
                "secp521r1"
              ]
            }
          ]
        },
        {
          "ECDHE-RSA-AES256-GCM-SHA384": [
            {
              "TLS 1.2": [
                "secp256r1",
                "secp384r1",
                "secp224r1",
                "secp521r1"
              ]
            }
          ]
        },
        {
          "ECDHE-RSA-AES128-SHA": [
            {
              "TLS 1.2": [
                "secp256r1",
                "secp384r1",
                "secp224r1",
                "secp521r1"
              ]
            }
          ]
        },
        {
          "ECDHE-RSA-AES256-SHA": [
            {
              "TLS 1.2": [
                "secp256r1",
                "secp384r1",
                "secp224r1",
                "secp521r1"
              ]
            }
          ]
        }
      ]
    },
    "ECCurves": {
      "grade": "Good",
      "output": [
        "secp256r1",
        "secp384r1",
        "secp224r1",
        "secp521r1"
      ]
    },
    "SigAlgs": {
      "grade": "Good",
      "output": [
        {
          "signature": "RSA",
          "hash": "SHA256"
        },
        {
          "signature": "RSA",
          "hash": "SHA384"
        },
        {
          "signature": "RSA",
          "hash": "SHA1"
        }
      ]
    }
  },
  "TLSSession": {
    "SessionResume": {
      "grade": "Good",
      "output": {
        "192.0.78.138": true,
        "192.0.78.223": true
      }
    }
  }
}

Display certificate details for specific host.

$ cfssl certinfo -domain sleeplessbeastie.eu
{
  "subject": {
    "common_name": "tls.automattic.com",
    "names": [
      "tls.automattic.com"
    ]
  },
  "issuer": {
    "common_name": "R3",
    "country": "US",
    "organization": "Let's Encrypt",
    "names": [
      "US",
      "Let's Encrypt",
      "R3"
    ]
  },
  "serial_number": "329687950352914095258704810615509585734723",
  "sans": [
    "apkgo.game.blog",
    "bhhpmaccounting.com",
    "blog.kinesis-cem.com",
    "burhanabdullahi.com",
    "cecilesavelli.com",
    "christianspirit.org.za",
    "digitalmarketingguide.co",
    "firefromthebooth.com",
    "if-only-mowgli.com",
    "invadingforcesabuja.family.blog",
    "kin.poetry.blog",
    "kingdomofashes.net",
    "mendozafrazier8.law.blog",
    "mizukichimi.blog",
    "motherclucker.co.uk",
    "myriadvoices.com",
    "nammosltd.ca",
    "nativitypuppets.org",
    "owlistblog.ca",
    "sleeplessbeastie.eu",
    "soniaboulimiquedeslivres.fr",
    "tls.automattic.com",
    "waters86mcdowell.health.blog",
    "www.apkgo.game.blog",
    "www.ashby80grady.law.blog",
    "www.burhanabdullahi.com",
    "www.cecilesavelli.com",
    "www.christianspirit.org.za",
    "www.digitalmarketingguide.co",
    "www.dwdeeare.com",
    "www.if-only-mowgli.com",
    "www.invadingforcesabuja.family.blog",
    "www.kingdomnowseries.com",
    "www.kingdomofashes.net",
    "www.liefcapital.com",
    "www.lineage.poetry.blog",
    "www.mizukichimi.blog",
    "www.motherclucker.co.uk",
    "www.myriadvoices.com",
    "www.nammosltd.ca",
    "www.nativitypuppets.org",
    "www.owlistblog.ca",
    "www.sleeplessbeastie.eu",
    "www.soniaboulimiquedeslivres.fr"
  ],
  "not_before": "2022-08-05T10:07:29Z",
  "not_after": "2022-11-03T10:07:28Z",
  "sigalg": "SHA256WithRSA",
  "authority_key_id": "14:2E:B3:17:B7:58:56:CB:AE:50:9:40:E6:1F:AF:9D:8B:14:C2:C6",
  "subject_key_id": "27:D9:DD:FE:32:13:85:2B:DF:32:98:CB:59:75:C9:4F:95:77:A6:AE",
  "pem": "-----BEGIN CERTIFICATE-----\nMIIJEjCCB/qgAwIBAgISA8jdpZa9wcnqk5IaV0CZh6xDMA0GCSqGSIb3DQEBCwUA\nMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\nEwJSMzAeFw0yMjA4MDUxMDA3MjlaFw0yMjExMDMxMDA3MjhaMB0xGzAZBgNVBAMT\nEnRscy5hdXRvbWF0dGljLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC\nggEBAPTmhQgOQ02OunOYKpLdMVxO2j2w9komLb4oOcGovD9aYhOJYCxynCUAKdqS\n+KvoZFPV2PHT/XHAr3Sg9OWhXNtxhIIc+kfXXQa/dDI3EyCwiasBZhE2G6dcLnyT\nvav05aLPC6ASr7A4wKgr5oO+6RgpOv98RfH7ctGCW3/hMcVME010eONNpTS0skuO\n1kQMur4uDY1BzcZwhZVADd/IceqFFGWagsft5Ek+1zk8AyAlJHPAG7nionOLQtFY\n4Yry5NyZdKxPIGgy5zzy82ZXHQJNvQc5ZPh8UhkSZFJtiGbmg7cVYyFrBYMlgLqh\nT7UfEBILKpQhKxbIEBvILbWn5sMCAwEAAaOCBjUwggYxMA4GA1UdDwEB/wQEAwIF\noDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAd\nBgNVHQ4EFgQUJ9nd/jIThSvfMpjLWXXJT5V3pq4wHwYDVR0jBBgwFoAUFC6zF7dY\nVsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRw\nOi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNy\nLm9yZy8wggQCBgNVHREEggP5MIID9YIPYXBrZ28uZ2FtZS5ibG9nghNiaGhwbWFj\nY291bnRpbmcuY29tghRibG9nLmtpbmVzaXMtY2VtLmNvbYITYnVyaGFuYWJkdWxs\nYWhpLmNvbYIRY2VjaWxlc2F2ZWxsaS5jb22CFmNocmlzdGlhbnNwaXJpdC5vcmcu\nemGCGGRpZ2l0YWxtYXJrZXRpbmdndWlkZS5jb4IUZmlyZWZyb210aGVib290aC5j\nb22CEmlmLW9ubHktbW93Z2xpLmNvbYIfaW52YWRpbmdmb3JjZXNhYnVqYS5mYW1p\nbHkuYmxvZ4IPa2luLnBvZXRyeS5ibG9nghJraW5nZG9tb2Zhc2hlcy5uZXSCGG1l\nbmRvemFmcmF6aWVyOC5sYXcuYmxvZ4IQbWl6dWtpY2hpbWkuYmxvZ4ITbW90aGVy\nY2x1Y2tlci5jby51a4IQbXlyaWFkdm9pY2VzLmNvbYIMbmFtbW9zbHRkLmNhghNu\nYXRpdml0eXB1cHBldHMub3Jngg1vd2xpc3RibG9nLmNhghNzbGVlcGxlc3NiZWFz\ndGllLmV1ghtzb25pYWJvdWxpbWlxdWVkZXNsaXZyZXMuZnKCEnRscy5hdXRvbWF0\ndGljLmNvbYIcd2F0ZXJzODZtY2Rvd2VsbC5oZWFsdGguYmxvZ4ITd3d3LmFwa2dv\nLmdhbWUuYmxvZ4IZd3d3LmFzaGJ5ODBncmFkeS5sYXcuYmxvZ4IXd3d3LmJ1cmhh\nbmFiZHVsbGFoaS5jb22CFXd3dy5jZWNpbGVzYXZlbGxpLmNvbYIad3d3LmNocmlz\ndGlhbnNwaXJpdC5vcmcuemGCHHd3dy5kaWdpdGFsbWFya2V0aW5nZ3VpZGUuY2+C\nEHd3dy5kd2RlZWFyZS5jb22CFnd3dy5pZi1vbmx5LW1vd2dsaS5jb22CI3d3dy5p\nbnZhZGluZ2ZvcmNlc2FidWphLmZhbWlseS5ibG9nghh3d3cua2luZ2RvbW5vd3Nl\ncmllcy5jb22CFnd3dy5raW5nZG9tb2Zhc2hlcy5uZXSCE3d3dy5saWVmY2FwaXRh\nbC5jb22CF3d3dy5saW5lYWdlLnBvZXRyeS5ibG9nghR3d3cubWl6dWtpY2hpbWku\nYmxvZ4IXd3d3Lm1vdGhlcmNsdWNrZXIuY28udWuCFHd3dy5teXJpYWR2b2ljZXMu\nY29tghB3d3cubmFtbW9zbHRkLmNhghd3d3cubmF0aXZpdHlwdXBwZXRzLm9yZ4IR\nd3d3Lm93bGlzdGJsb2cuY2GCF3d3dy5zbGVlcGxlc3NiZWFzdGllLmV1gh93d3cu\nc29uaWFib3VsaW1pcXVlZGVzbGl2cmVzLmZyMEwGA1UdIARFMEMwCAYGZ4EMAQIB\nMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2Vu\nY3J5cHQub3JnMIIBBQYKKwYBBAHWeQIEAgSB9gSB8wDxAHYAQcjKsd8iRkoQxqE6\nCUKHXk4xixsD6+tLx2jwkGKWBvYAAAGCbbBXhwAABAMARzBFAiEA3AzaKZAxrZ20\n4TH/KjJwfV7vGbmKM0O+8yyZOny+WYwCIHK0CDR++LLVz41ZwAL9p+qoiBW3UgKo\nOZsH33cs4UBbAHcARqVV63X6kSAwtaKJafTzfREsQXS+/Um4havy/HD+bUcAAAGC\nbbBXqgAABAMASDBGAiEA4sfKrVOGEtGT3AjqoE11Fn1YAkCvrMd9KBytGsX+BPAC\nIQD24AIhMztCJ1EIE+cwbTx6A9GvhicmFYbW1bJFf8pBKDANBgkqhkiG9w0BAQsF\nAAOCAQEAIQ4AIxbq5cMByo+k/e6r2z5hFPcwnAcjzYzyunjuEnEFYFnpT5NLhdR8\n/2OKQPxfB5QTdvBYl+Yu/RNE2MX62AWtLGsOUych/rD3MeUTP3I2wILrQzHiZOLQ\na1DtMGgbMVlg6SD2KJTU3PbuZ4c+QtEYC9AO7hWlFhPMLLoP+Ip5zda+nxERhsre\nqrGZBKk9mO9rhUjH4X2nNwYu9PUX1QnYil55iiiA5l/h1H/EH3HBaJH4JimGQyNR\n1yuQlyjSb72h7YwHFCCQOG+c5r284ot9uS/M8RTG9+hTEq0rVPQL4wGeTrdYCO16\nGXhWTtPzUSPEfBpxAdYcMkHcH3YfQQ==\n-----END CERTIFICATE-----\n"
}

Display certificate expiration date for specific host.

$ cfssl certinfo -domain sleeplessbeastie.eu | jq --raw-output .not_after
2022-11-03T10:07:28Z
ko-fi