SSL/TLS: What Actually Matters in 2026
Most TLS audits produce mountains of detail, yet for production sites the key questions are simple: does the certificate match the hostname, is it issued by a CA the browser trusts, is it within its validity window, is the key strong enough, and is the negotiated protocol modern? This tool answers each one and shows you the chain it inspected.
Protocol versions
TLS 1.3 (2018) is the gold standard — fewer round trips, only modern ciphers. TLS 1.2 is acceptable. Anything older (1.0, 1.1, SSL 3) should be disabled — and if your server even negotiates them, you have a backwards-compatibility problem.
Hostname matching
Modern browsers ignore the certificate’s Common Name and check the Subject Alternative Names instead. We list every DNS name on the SAN list and explicitly verify the requested host matches one of them, including wildcard rules.
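The SAN check described above can be sketched as follows. This is an added example, not this tool's own code; the function names and the sample SAN list are hypothetical, and the "at least two literal labels after the wildcard" rule is a simplifying assumption standing in for a public-suffix lookup.

```python
# Added example: match a requested host against a certificate's DNS SAN entries.
# Rules applied: case-insensitive, wildcard only as the whole leftmost label,
# a wildcard covers exactly one label, IP literals never match DNS names.
import ipaddress

# Constructed sample SAN list (illustration only).
SAMPLE_SANS = ["example.com", "*.example.com"]


def _labels(name):
    """Lowercase a DNS name, drop one trailing dot, split into labels."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".") if name else []


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def san_entry_matches(pattern, host):
    """True if one DNS SAN entry covers the requested host."""
    if _is_ip(host):
        return False  # IPs belong to iPAddress SAN entries, not DNS names
    p, h = _labels(pattern), _labels(host)
    if not p or len(p) != len(h) or "" in p or "" in h:
        return False  # label counts must agree: "*" never spans a dot
    if p[0] == "*":
        # Assumption: require two literal labels so "*.com" is refused;
        # browsers consult the public suffix list for this instead.
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    if any("*" in label for label in p):
        return False  # partial ("w*.x.y") or non-leftmost wildcards rejected
    return p == h


def matching_sans(host, dns_sans):
    """Return the SAN entries that cover host; an empty list is a mismatch."""
    return [s for s in dns_sans if san_entry_matches(s, host)]
```

Note that "*.example.com" does not cover the bare "example.com" or a deeper name such as "a.b.example.com"; each needs its own SAN entry.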
Renewal cadence
Most public CAs now issue certificates valid for ≤ 13 months and Let’s Encrypt issues 90-day certs. Set up automatic renewal and monitor expiry dates from outside the system that owns them.