How to Read the SSL Tab
The SSL tab shows everything about a domain's certificate and TLS configuration fetched via a real TLS handshake. Here is what each field means.
The SSL tab displays data extracted from a real TLS connection to your domain on port 443 — the same handshake a browser performs. ElasticDomain uses Node.js's native TLS module, so what you see here is exactly what browsers and clients see.
Certificate Details
Subject
The primary domain the certificate was issued for (Common Name / CN). For wildcard certificates this shows *.example.com.
Subject Alternative Names (SANs)
All domains covered by the certificate. A SAN list of example.com, www.example.com means both are protected. If a subdomain you serve is missing from the SANs, visitors get a certificate mismatch error for that subdomain.
Issuer
The Certificate Authority that issued the certificate and the issuing organization. Common issuers:
- Let's Encrypt — free, auto-renewing, 90-day validity
- DigiCert — commercial CA, often used by enterprises
- Sectigo (formerly Comodo) — commercial CA
- ZeroSSL — free alternative to Let's Encrypt
Validity Dates
Valid From and Valid To — the certificate's active window. Days Remaining is calculated at scan time and drives the SSL expiry alert thresholds.
Serial Number
Unique identifier assigned by the CA. Changes with every new certificate issuance — useful for confirming a certificate was renewed.
SHA-256 Fingerprint
Cryptographic hash of the certificate. If this changes between scans, the SSL Certificate Changed alert fires. Use this to verify you are looking at the same certificate across scans.
Cryptographic Details
Key Algorithm and Size
- RSA 2048 — standard, acceptable
- RSA 4096 — stronger but slightly slower
- ECDSA P-256 — modern, faster, and as strong as RSA 2048 — recommended
- RSA 1024 — too weak, critical finding
Signature Algorithm
- SHA-256 with RSA or SHA-256 with ECDSA — current standard
- SHA-1 — deprecated since 2017, will cause browser warnings
TLS Protocol Version
- TLS 1.3 — recommended
- TLS 1.2 — acceptable
- TLS 1.1 or lower — deprecated, should be disabled
Cipher Suite
The encryption algorithm negotiated for the connection. Look for ECDHE (forward secrecy) and AES-GCM or ChaCha20 (modern AEAD ciphers). Avoid RC4 or 3DES.
HTTPS Configuration
HTTPS Enforced
Whether HTTP (port 80) redirects to HTTPS. If false, visitors on HTTP get an unencrypted connection without being redirected.
HSTS
Whether the Strict-Transport-Security header is present. HSTS tells browsers to only connect over HTTPS for the duration of max-age.
Chain Valid
Whether the full certificate chain (leaf → intermediate → root) is trusted. A broken chain means the server is not sending intermediate certificates — this needs to be fixed in server configuration.
What to Act On
| Finding | Action |
|---|---|
| Days remaining < 30 | Renew the certificate |
| Chain invalid | Fix intermediate certificate installation in server config |
| SHA-1 signature | Reissue certificate (SHA-256 is required) |
| Key size < 2048 | Reissue with RSA 2048+ or ECDSA P-256 |
| HSTS missing | Add Strict-Transport-Security header |
| TLS 1.0 or 1.1 enabled | Disable in server configuration |