SSL Certificate Check API
/api/ssl-check?host={domain}
No Auth RequiredWhat It Does
Give it a domain name and it tells you everything useful about the SSL certificate. Who issued it, when it expires, how many days you have left, and whether you should be sweating about renewal. It pulls this from Certificate Transparency logs, so it sees certs that have actually been issued, not just what’s currently installed on the server.
Think of it as your SSL certificate’s annual checkup, except you can do it whenever you want.
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
host | string | Yes | The domain name to check. Works with or without https://. So example.com and https://example.com both work fine. Don't overthink it. |
Response Fields
| Field | Type | Description |
|---|---|---|
domain | string | The domain you asked about. Cleaned up, no protocol prefix. |
issuer | string | The organization that issued the certificate. Usually Let's Encrypt, Cloudflare, DigiCert, or one of those other CAs. |
commonName | string | The Common Name on the cert. Often the domain itself or a wildcard like *.example.com. |
validFrom | string | When the certificate became valid. ISO 8601 format. |
validTo | string | When the certificate expires. The date that keeps sysadmins up at night. |
daysLeft | integer | Number of days until expiry. Negative means it already expired. Yikes. |
expired | boolean | true if the cert has already expired. Time to fix that. |
expiringSoon | boolean | true if there are 30 or fewer days left. A gentle nudge. |
sans | array | Subject Alternative Names on the certificate. These are all the domains the cert covers. Capped at 20 entries to keep things tidy. |
totalCerts | integer | Total number of certificates found in CT logs for this domain. The response shows the most recent one. |
Example Request
curl
curl "https://whatismyip.technology/api/ssl-check?host=github.com"
Python
import requests
response = requests.get("https://whatismyip.technology/api/ssl-check", params={
"host": "github.com"
})
cert = response.json()
print(f"Issuer: {cert['issuer']}")
print(f"Days left: {cert['daysLeft']}")
if cert["expiringSoon"]:
print("Heads up, this cert is expiring soon!")
JavaScript
const response = await fetch(
"https://whatismyip.technology/api/ssl-check?host=github.com"
);
const cert = await response.json();
console.log(`Certificate for ${cert.domain}`);
console.log(`Issued by: ${cert.issuer}`);
console.log(`Expires: ${cert.validTo} (${cert.daysLeft} days left)`);
if (cert.expired) {
console.log("This certificate is expired. That's bad.");
}
Example Response
{
"domain": "github.com",
"issuer": "Sectigo Limited",
"commonName": "github.com",
"validFrom": "2024-03-07T00:00:00.000Z",
"validTo": "2025-03-07T23:59:59.000Z",
"daysLeft": 187,
"expired": false,
"expiringSoon": false,
"sans": [
"github.com",
"www.github.com"
],
"totalCerts": 42
}
Data Source
This API pulls certificate information from crt.sh, which is a public Certificate Transparency log search engine. This means it shows certificates that have been logged by Certificate Authorities, not necessarily what’s currently installed on a server. In practice, these are almost always the same thing. But if someone just issued a new cert five minutes ago, it might not show up here yet.
Caching
Responses are cached for 1 hour (s-maxage=3600). SSL certificates don’t change that often, so this keeps things fast without being stale. If you just renewed a cert and want to see the update, wait an hour or so.
CORS
Wide open. Call it from any origin. Your browser JavaScript will work just fine.
Timeout
The API has an 8 second timeout for the crt.sh lookup. Certificate Transparency APIs can sometimes be slow, especially for domains with a lot of historical certificates. If it takes longer than 8 seconds, you’ll get a 500 error.
Error Handling
- 400 Bad Request: You didn’t provide the
hostparameter. Every lookup needs a domain. - 404 Not Found: No certificates found for that domain. Either the domain doesn’t have SSL (rare these days), or you might have a typo.
- 500 Internal Server Error: The crt.sh lookup failed. Could be a timeout, could be their service is having a moment. Try again in a bit.
Good Things to Know
The SAN list is capped at 20: Some certificates (especially Cloudflare ones) can have hundreds of SANs. The API returns up to 20 to keep the response reasonable. The totalCerts field still tells you the full count.
Wildcard certificates: If the domain uses a wildcard cert (like *.example.com), you’ll see that in the commonName and sans fields. Totally normal.
Multiple certificates: Most domains have had several certificates over their lifetime. The API returns info about the most recent one, which is almost always the active one.
Pre and post certificates: CT logs contain both precertificates (logged before issuance) and final certificates. The API filters for the most recent, so you get the right data without worrying about duplicates.
Monitoring tip: If you’re building a cert expiry monitor, check expiringSoon and daysLeft. Set up alerts when daysLeft drops below 14. Or 7 if you like living dangerously.