Free tool · no account needed

Check your TLS certificate’s health — for free

Paste a hostname and Nightlamp inspects its TLS certificate on the spot: how many days until it expires, whether the chain is trusted and the hostname matches, how strong the key is, and which TLS version the server negotiated. You’ll know — in plain English — whether anything needs fixing before it breaks.

We read only the public certificate served on the port — never a private key. Generous daily limit per network.

what we check

The four things that quietly break HTTPS

1 · Expiry

The single most common preventable outage. We show the exact expiry date and how many days are left, so a lapsing cert never surprises you again.

2 · Chain & hostname

A missing intermediate or a cert served for the wrong hostname makes browsers throw a security warning. We validate the chain against trusted roots and check the hostname matches.

3 · Weak keys

We flag RSA keys below 2048 bits and EC keys below 256 bits — the kind of key that passes today but fails a security review tomorrow.

4 · Outdated TLS

Anything negotiating below TLS 1.2 is flagged. Old TLS versions are deprecated, increasingly refused by clients, and a compliance red flag.

faq

Questions, answered straight

What does the TLS checker actually check?

It opens a TLS connection to the host you enter (port 443 by default) and reports five things from the certificate it presents: how many days until it expires, whether the chain is trusted and the hostname matches, the public-key type and size, and the TLS version the server negotiated. You get a pass/attention verdict plus a plain-English list of anything that needs fixing.

What does it NOT check?

It only reads public certificate material — never a private key. It inspects the certificate served on the port you give it, so it won't tell you about other hostnames or internal endpoints. It also does not currently check OCSP/CRL revocation or Certificate Transparency logs — those are honest limits, not silent gaps. It will never test private or internal addresses.

How is this different from uptime monitoring?

An uptime check tells you the page responded right now. It says nothing about the certificate that will expire next month, the weak key, or the outdated TLS version quietly waiting to break. This checker runs that inspection once; Nightlamp runs it continuously on the HTTPS monitors you already have and flags problems before they cause an outage.

Is it free, and do you store anything?

Completely free, no signup. We log the host you checked for abuse protection and rate limiting, but we don't store the certificate or sell anything. There's a generous daily limit per network.

What counts as a weak key or outdated TLS?

We flag RSA keys below 2048 bits and elliptic-curve (EC) keys below 256 bits as weak, and we flag any server that negotiates a version below TLS 1.2 as outdated. These are the modern baselines browsers and security scanners expect.
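
The four checks above and the thresholds in this FAQ, written out as an added Python example (not Nightlamp's own code). The function names, the observation dict layout and the 30-day expiry warning window are assumptions; `probe` needs the third-party `cryptography` package, version 42 or later.

```python
import socket, ssl
from datetime import datetime, timezone

MIN_BITS = {"RSA": 2048, "EC": 256}        # weak-key thresholds stated on the page
OUTDATED = {"SSLv3", "TLSv1", "TLSv1.1"}   # anything below TLS 1.2
WARN_DAYS = 30                             # assumption: the page names no expiry window

def evaluate(obs, now=None):
    """Turn raw observations into a (verdict, findings) pair."""
    findings = []
    days_left = (obs["not_after"] - (now or datetime.now(timezone.utc))).days
    if days_left < 0:
        findings.append(f"certificate expired {-days_left} days ago")
    elif days_left < WARN_DAYS:
        findings.append(f"certificate expires in {days_left} days")
    if obs["verify_error"]:
        findings.append(f"chain/hostname: {obs['verify_error']}")
    floor = MIN_BITS.get(obs["key_type"])  # other key types are not size-checked
    if floor and obs["key_bits"] < floor:
        findings.append(f"weak {obs['key_type']} key: {obs['key_bits']} bits")
    if obs["tls_version"] in OUTDATED:
        findings.append(f"outdated protocol: {obs['tls_version']}")
    return ("attention" if findings else "pass"), findings

def probe(host, port=443, timeout=5):
    """Collect observations from a live server; reads only the public certificate."""
    from cryptography import x509
    from cryptography.hazmat.primitives.asymmetric import ec, rsa
    # Pass 1: no verification, so a broken certificate can still be read.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout) as raw, \
         ctx.wrap_socket(raw, server_hostname=host) as tls:
        der, version = tls.getpeercert(binary_form=True), tls.version()
    # Pass 2: the default context validates the chain and the hostname.
    verify_error = None
    try:
        with socket.create_connection((host, port), timeout) as raw, \
             ssl.create_default_context().wrap_socket(raw, server_hostname=host):
            pass
    except ssl.SSLCertVerificationError as exc:
        verify_error = exc.verify_message
    cert = x509.load_der_x509_certificate(der)
    pub = cert.public_key()
    kind = "RSA" if isinstance(pub, rsa.RSAPublicKey) else \
           "EC" if isinstance(pub, ec.EllipticCurvePublicKey) else type(pub).__name__
    return {"not_after": cert.not_valid_after_utc, "verify_error": verify_error,
            "key_type": kind, "key_bits": getattr(pub, "key_size", None),
            "tls_version": version}
```

Recent Python versions set the default context's minimum to TLS 1.2, so a server that only speaks older versions may surface as a handshake error from `probe` rather than as an "outdated protocol" finding.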