API Reference

Technical reference for certificate data structures, hash formats, and export schemas.

Certificate Information

When SSLens fetches a certificate, it extracts and displays the following information:

Subject Fields

Field Abbreviation Description Example
Common Name CN The domain name the certificate is issued for github.com
Organization O Company or organization name GitHub, Inc.
Organizational Unit OU Department within organization Engineering
Locality L City or locality San Francisco
State ST State or province California
Country C Two-letter country code US

Validity Information

TypeScript Interface 
interface CertificateValidity {
  notBefore: Date;      // Certificate valid from this date
  notAfter: Date;       // Certificate expires on this date
  daysRemaining: number; // Days until expiration
  isExpired: boolean;   // Whether certificate is expired
  status: 'valid' | 'warning' | 'expired'; // Visual status
}

Public Key Information

TypeScript Interface 
interface PublicKeyInfo {
  algorithm: string;    // RSA, ECDSA, Ed25519, etc.
  keySize: number;      // Key size in bits (e.g., 2048, 4096)
  curve?: string;       // For ECDSA: P-256, P-384, P-521
  publicKeyPem: string; // PEM-encoded public key
  publicKeyDer: Buffer; // DER-encoded public key bytes
}

Extensions

SSLens displays the following X.509 extensions when present:

  • Subject Alternative Names (SANs) - Additional domain names and IPs covered
  • Key Usage - digitalSignature, keyEncipherment, etc.
  • Extended Key Usage - serverAuth, clientAuth, codeSigning
  • Basic Constraints - Whether cert is a CA, path length
  • Authority Key Identifier - Identifies the issuing CA
  • Subject Key Identifier - Identifies this certificate's key
  • CRL Distribution Points - Where to check for revocation
  • OCSP Responder - Online revocation checking URL

Certificate Chain

The certificate chain represents the trust hierarchy from the leaf certificate to the root CA.

TypeScript Interface 
interface CertificateChain {
  certificates: Certificate[];
  isComplete: boolean;    // All intermediates present
  rootTrusted: boolean;   // Root CA is in trust store
  chainLength: number;    // Number of certificates in chain
}

interface Certificate {
  subject: SubjectInfo;
  issuer: SubjectInfo;
  serialNumber: string;
  version: number;        // X.509 version (usually 3)
  signatureAlgorithm: string;
  validity: CertificateValidity;
  publicKey: PublicKeyInfo;
  fingerprints: CertificateFingerprints;
  extensions: CertificateExtensions;
  pem: string;           // PEM-encoded certificate
  der: Buffer;           // DER-encoded certificate bytes
}

Chain Order

Certificates in the chain are ordered from leaf to root:

  1. Index 0 - Leaf certificate (the domain's certificate)
  2. Index 1...n-1 - Intermediate CA certificates
  3. Index n - Root CA certificate (if available)

Hash Formats

SSLens calculates and displays multiple hash formats for different use cases.

Certificate Fingerprints

TypeScript Interface 
interface CertificateFingerprints {
  sha256: string;  // SHA-256 hash of DER certificate (hex)
  sha1: string;    // SHA-1 hash of DER certificate (hex)
  md5: string;     // MD5 hash of DER certificate (hex)
}

Fingerprint Format

Fingerprints are typically displayed as colon-separated hex bytes:

Example 
SHA-256: 4E:D5:5A:3C:...:8B:2F:6C:9D
SHA-1:   A3:C2:4B:...:F1:8E
MD5:     E2:3A:...:B7

Public Key Hash (For Pinning)

Used for SSL certificate pinning. This is the SHA-256 hash of the public key, Base64 encoded.

Algorithm 
1. Extract public key from certificate (DER format)
2. Calculate SHA-256 hash of the public key bytes
3. Encode the hash as Base64

Result: "WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="

SPKI Hash

Subject Public Key Info hash. Similar to public key hash but includes the algorithm identifier.

Algorithm 
1. Extract SubjectPublicKeyInfo from certificate (includes algorithm)
2. Calculate SHA-256 hash of the SPKI bytes
3. Encode the hash as Base64

Result: "jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
💡

Which Hash to Use?

For SSL pinning, use the Public Key Hash (SHA-256 Base64) format. This is the most widely supported format across Android, iOS, and other platforms.

Export Formats

PEM Format

Base64-encoded ASCII format, the most common certificate format.

PEM Certificate 
-----BEGIN CERTIFICATE-----
MIIFjTCCA3WgAwIBAgIQZH8...
...base64 encoded data...
-----END CERTIFICATE-----

DER Format

Binary format, used in Java and Windows environments.

DER files contain raw binary data and cannot be displayed as text. They are typically saved with .der or .cer extensions.

Certificate Chain Export

When exporting a chain, certificates are concatenated in PEM format:

PEM Chain 
-----BEGIN CERTIFICATE-----
[Leaf Certificate]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Intermediate CA Certificate]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Root CA Certificate]
-----END CERTIFICATE-----

Domain Schema

The schema used for saving and importing domains:

TypeScript Interface 
interface SavedDomain {
  hostname: string;      // Domain hostname (required)
  port: number;          // Port number, default 443
  alias?: string;        // Friendly display name
  lastChecked?: string;  // ISO 8601 timestamp
  lastStatus?: 'valid' | 'warning' | 'expired' | 'error';
}

interface DomainExport {
  version: string;       // SSLens version
  exportedAt: string;    // ISO 8601 timestamp
  domains: SavedDomain[];
}

Example Export File

JSON 
{
  "version": "1.0.1",
  "exportedAt": "2026-01-25T10:30:00.000Z",
  "domains": [
    {
      "hostname": "api.github.com",
      "port": 443,
      "alias": "GitHub API",
      "lastChecked": "2026-01-25T10:25:00.000Z",
      "lastStatus": "valid"
    },
    {
      "hostname": "stripe.com",
      "port": 443,
      "alias": "Stripe Production",
      "lastChecked": "2026-01-25T10:25:00.000Z",
      "lastStatus": "valid"
    },
    {
      "hostname": "internal.company.com",
      "port": 8443,
      "alias": "Internal API"
    }
  ]
}

Error Codes

Common errors you might encounter when using SSLens:

Error Description Solution
ECONNREFUSED Connection refused by server Check if server is running and port is correct
ENOTFOUND DNS lookup failed Verify domain name is spelled correctly
ETIMEDOUT Connection timed out Increase timeout in settings, check network
ECONNRESET Connection reset by peer Server may have closed connection, try again
UNABLE_TO_GET_ISSUER_CERT Missing intermediate certificate Server has incomplete chain
SELF_SIGNED_CERT_IN_CHAIN Self-signed certificate detected Certificate can still be inspected
CERT_HAS_EXPIRED Certificate has expired Certificate can still be inspected
ERR_TLS_CERT_ALTNAME_INVALID Hostname doesn't match certificate Check SANs in certificate

Self-Signed & Expired Certificates

SSLens can inspect certificates even if they are self-signed or expired. You'll see a warning, but the certificate details will still be displayed.