Inspect a site's TLS certificate and expiry
DNS & Records
DNS Lookup Every DNS record for any domain A Record Lookup IPv4 addresses for a domain AAAA Record Lookup IPv6 addresses for a domain MX Lookup Mail servers for a domain NS Lookup Authoritative name servers TXT Lookup TXT records, SPF, verification CNAME Lookup Canonical name (alias) records SOA Lookup Start of Authority record SRV Lookup Service location records CAA Lookup Which CAs may issue certificates Reverse DNS (PTR) IP address to hostname DNSSEC Check Is the domain signed and validated? DNS Health Check A full delegation & DNS report cardEmail Deliverability
SPF Check Validate your Sender Policy Framework record DMARC Check Inspect and grade your DMARC policy DKIM Check Find and validate your DKIM public key Blacklist Check Check an IP against email blocklists (DNSBLs) SMTP Test Connect to a mail server and check STARTTLS MTA-STS Check Enforced TLS policy for inbound mail BIMI Check Brand logo record for email TLS-RPT Check SMTP TLS reporting policyNetwork & Web
SSL Certificate Check Inspect a site's TLS certificate and expiry HTTP Header Check Inspect response headers, redirects and security Ping (TCP) Reachability and latency over TCP Port Check Which common ports are openDomain
WHOIS Lookup Registration data for domains, IPs and ASNsA site's TLS certificate proves its identity and encrypts traffic between the browser and server. An expired, self-signed or mismatched certificate breaks trust and triggers browser warnings that drive visitors away. IPeek connects directly to the host, reads the live certificate, and reports its issuer, validity window, days remaining, the names it covers and any problems it finds.
During the TLS handshake the server presents a certificate signed by a trusted Certificate Authority. The browser checks that the certificate's name matches the hostname, that the signing chain leads to a root it trusts, and that the current date falls inside the validity window. If all three pass, the connection is encrypted and the padlock appears. "SSL" is the common name people still use, but the actual protocol has been TLS for years. IPeek performs this same handshake, then reports what the server returned instead of just rendering a padlock.
Start with days remaining: anything under 30 means renew soon, and a negative value means the certificate is already expired and visitors see warnings now. Check the issuer to confirm it is a real CA, not a self-signed placeholder. The Subject Alternative Name (SAN) list shows every hostname the certificate covers, so a certificate for example.com that omits www.example.com will fail on that variant. Finally, confirm the chain is complete; a missing intermediate certificate validates in some clients but breaks in others.
The most frequent failure is simple expiry, fixed by renewing and reloading the web server. A name mismatch means the hostname is not in the SAN list, so reissue with the correct names or add a wildcard. "Self-signed" or "untrusted issuer" errors mean the certificate chain does not reach a trusted root, usually because the intermediate certificate was not installed alongside the leaf. After any fix, recheck with IPeek to confirm the live certificate served on the wire matches what you intended, since stale certificates often linger in load balancers and CDNs.
Run a check before launch and whenever you migrate hosting, change CDNs, or rotate certificates, since these are the moments mismatches and missing chains appear. Set a reminder ahead of the expiry date, especially for certificates not on automated renewal. It is also the fastest way to diagnose a visitor reporting a browser security warning: the check tells you immediately whether the problem is expiry, a name mismatch, or a broken chain, so you can act instead of guessing.
They refer to the same job, but TLS is the current protocol. SSL was the original encryption standard; it was superseded by TLS, and every modern "SSL certificate" actually uses TLS. The name SSL stuck because it is familiar, so tools and vendors still say SSL while the connection itself negotiates TLS 1.2 or 1.3.
Check the certificate's validity window, which has a fixed "not after" date. IPeek reads the live certificate and reports days remaining, so you see at a glance whether it is current. Renew before that date; certificates issued by Let's Encrypt last 90 days, while commercial certificates often run one year.
An untrusted warning usually means the signing chain does not reach a root your browser recognizes. The common causes are a self-signed certificate, a missing intermediate certificate, or an expired certificate. Install the full chain (leaf plus intermediates) on the server, or reissue from a trusted CA, then recheck that the served certificate validates cleanly.
Subject Alternative Names are the list of hostnames a single certificate is valid for. A certificate is only trusted for names in its SAN list, so example.com and www.example.com must both appear, or one variant will throw a name-mismatch error. Wildcard entries like *.example.com cover all subdomains at one level.
Yes. IPeek connects directly to the host over TLS, reads the certificate the server presents, and reports the issuer, dates, SAN names and chain without you opening the site in a browser. This is useful for checking a host before launch, behind a redirect, or when you only have the domain and want to verify it serves a valid certificate.