Certificate Inspection
SSLens provides comprehensive SSL/TLS certificate inspection capabilities. Fetch and analyze certificates from any domain with full details.
Subject Fields
The extension extracts and displays key identifying information from the certificate's subject:
| Field | Abbreviation | Description | Example |
|---|---|---|---|
| Common Name | CN | The domain name the certificate is issued for | github.com |
| Organization | O | Company or organization name | GitHub, Inc. |
| Organizational Unit | OU | Department within organization | Engineering |
| Locality | L | City or locality | San Francisco |
| State | ST | State or province | California |
| Country | C | Two-letter country code | US |
What You Can Inspect
- Subject Information - Common Name (CN), Organization (O), Country (C), and other distinguished name fields
- Issuer Details - Certificate Authority information including chain hierarchy
- Validity Period - Not Before and Not After dates with remaining days calculation
- Serial Number - Unique certificate identifier
- Signature Algorithm - SHA-256, SHA-384, RSA, ECDSA, etc.
- Key Information - Public key algorithm, key size, and actual key data
- Extensions - Subject Alternative Names (SANs), Key Usage, Extended Key Usage, etc.
Custom Port Support
SSLens supports fetching certificates from any port, not just the default HTTPS port 443:
# Default port 443
example.com
# Custom ports
example.com:8443
internal-api.company.com:9443
localhost:3443
SNI Support
Server Name Indication (SNI) is fully supported, allowing you to fetch the correct certificate from servers hosting multiple domains.
Certificate Chain
View the complete certificate chain from the leaf certificate to the root Certificate Authority.
Chain Information
- Leaf Certificate - The domain's own certificate
- Intermediate Certificates - CA certificates that sign the leaf
- Root Certificate - The trusted root CA (from system trust store)
For each certificate in the chain, you can view:
- Subject and Issuer details
- Validity dates
- Fingerprints (SHA-256, SHA-1)
- Public key information
Why Chain Matters
A complete certificate chain is essential for proper SSL/TLS validation. Missing intermediate certificates cause trust issues in many applications.
Export Options
SSLens provides comprehensive export options for individual certificates and entire certificate chains.
Certificate Formats
| Format | Extension | Description | Use Case |
|---|---|---|---|
| PEM | .pem, .crt | Base64-encoded ASCII format | Web servers, most applications |
| DER | .der, .cer | Binary format | Java applications, Windows |
Chain Export Options
- Export All (PEM) - Export entire certificate chain as a single PEM bundle with identifying headers for each certificate
- Export All (DER) - Export all certificates as separate DER files to a folder
- Individual Certificate Export - Hover over any certificate in the chain view to reveal PEM/DER export buttons
PEM Bundle Format
The PEM bundle includes helpful comments identifying each certificate (Leaf, Intermediate, Root) and their issuers for easy identification.
Hash Exports
- SHA-256 Fingerprint - Standard certificate fingerprint
- SHA-1 Fingerprint - Legacy fingerprint (not recommended for security)
- MD5 Fingerprint - Legacy fingerprint (not recommended)
- Public Key Hash (SHA-256 Base64) - For certificate pinning
- SPKI Hash - Subject Public Key Info hash for modern pinning
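Why the list above separates certificate fingerprints from pinning hashes, shown as an added example (not SSLens code): two constructed self-signed certificates share one key pair, so the SHA-256 fingerprint changes on renewal while the SPKI hash stays the same. The helpers `tlv` and `makeSampleCert`, the host `pin.example.test`, and the reading of "SPKI Hash" as Base64 SHA-256 over the DER SubjectPublicKeyInfo are assumptions.

```javascript
// Added example (not SSLens code): certificate fingerprint vs. SPKI pin across a renewal.
const crypto = require('node:crypto');

// Minimal DER encoder, used only to build the constructed sample certificates.
function tlv(tag, ...parts) {
  const body = Buffer.concat(parts);
  const len = body.length < 128 ? [body.length] : [0x81, body.length]; // bodies here are < 256 bytes
  return Buffer.concat([Buffer.from([tag, ...len]), body]);
}

const ED25519 = tlv(0x30, tlv(0x06, Buffer.from('2b6570', 'hex'))); // AlgorithmIdentifier 1.3.101.112

// Build a self-signed Ed25519 certificate for a hypothetical host (constructed test data).
function makeSampleCert(keys, serial, notBefore, notAfter) {
  const name = tlv(0x30, tlv(0x31, tlv(0x30,
    tlv(0x06, Buffer.from('550403', 'hex')),        // OID 2.5.4.3 (Common Name)
    tlv(0x0c, Buffer.from('pin.example.test')))));  // UTF8String value
  const tbs = tlv(0x30,
    tlv(0xa0, tlv(0x02, Buffer.from([2]))),         // version: v3
    tlv(0x02, Buffer.from([serial])),               // serialNumber (1..127)
    ED25519, name,                                  // signature algorithm, issuer
    tlv(0x30, tlv(0x17, Buffer.from(notBefore)), tlv(0x17, Buffer.from(notAfter))),
    name,                                           // subject equals issuer (self-signed)
    keys.publicKey.export({ type: 'spki', format: 'der' }));
  const sig = crypto.sign(null, tbs, keys.privateKey);
  const der = tlv(0x30, tbs, ED25519, tlv(0x03, Buffer.from([0]), sig));
  return new crypto.X509Certificate(der);
}

// SHA-256 over the whole DER certificate: changes with every reissue.
const certFingerprint = (cert) => crypto.createHash('sha256').update(cert.raw).digest('hex');

// SHA-256 over the DER SubjectPublicKeyInfo, Base64: stable while the key pair is kept.
const spkiPin = (cert) => crypto.createHash('sha256')
  .update(cert.publicKey.export({ type: 'spki', format: 'der' })).digest('base64');

const keys = crypto.generateKeyPairSync('ed25519');
const original = makeSampleCert(keys, 1, '250101000000Z', '260101000000Z');
const renewed = makeSampleCert(keys, 2, '251201000000Z', '261201000000Z'); // same key, new serial and dates
const rekeyed = makeSampleCert(crypto.generateKeyPairSync('ed25519'), 3, '251201000000Z', '261201000000Z');

console.log('fingerprint changes on renewal:', certFingerprint(original) !== certFingerprint(renewed));
console.log('SPKI pin survives renewal:     ', spkiPin(original) === spkiPin(renewed));
console.log('SPKI pin changes on re-key:    ', spkiPin(original) !== spkiPin(rekeyed));
```

A pin taken from the SPKI hash therefore only needs updating when the server's key pair is rotated, which is why pinned clients usually ship a backup pin for the next key.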
SSL Pinning Code Generation
Generate ready-to-use SSL pinning code for multiple platforms with a single click.
Supported Platforms
- Android - OkHttp, Retrofit with Kotlin/Java
- iOS - URLSession, Alamofire with Swift
- Flutter - Dio, http package with Dart
- React Native - SSL Pinning library
- Node.js - HTTPS module
- Python - Requests library
See the SSL Pinning Guide for detailed implementation examples.
Expiry Monitoring
SSLens provides visual indicators and alerts for certificate expiration.
Visual Status Indicators
- Green - Certificate is valid with more than 30 days remaining
- Yellow - Certificate expires within 30 days (warning)
- Red - Certificate is expired or expires within 7 days
Batch Expiry Check
Check expiry status for all your saved domains at once:
- Open Command Palette (Cmd+Shift+P)
- Run "SSLens: Check Certificate Expiry"
- View a summary of all domains with their expiry status
Certificate Expiry
Expired certificates will cause connection failures and security warnings. Monitor your certificates and renew them before they expire.
Domain Management
Organize and manage your frequently accessed domains for quick certificate access.
Save Domains
Add domains to your favorites for quick access:
- Use "SSLens: Save Domain to Favorites" command
- Click the ⭐ icon in the sidebar
- Right-click after fetching a certificate and select "Save to Favorites"
Domain Aliases
Assign friendly names to domains for easier identification:
- Right-click a saved domain in the sidebar
- Select "Edit Domain Alias"
- Enter a descriptive name (e.g., "Production API", "Staging Server")
Import/Export Domains
Share your domain lists between machines or team members:
- Export - Run "SSLens: Export Saved Domains" to save as JSON
- Import - Run "SSLens: Import Saved Domains" to load from JSON
{
  "domains": [
    {
      "hostname": "api.github.com",
      "port": 443,
      "alias": "GitHub API"
    },
    {
      "hostname": "stripe.com",
      "port": 443,
      "alias": "Stripe Production"
    }
  ],
  "exportedAt": "2026-01-25T10:30:00Z",
  "version": "1.1.0"
}
Certificate Comparison
Compare certificates between different environments to identify changes or discrepancies.
Use Cases
- Compare staging vs production certificates
- Verify certificate renewal by comparing old and new
- Check consistency across multiple servers
- Audit certificate changes over time
How to Compare
- Run "SSLens: Compare Two Certificates"
- Enter the first domain (e.g., staging.example.com)
- Enter the second domain (e.g., example.com)
- View the side-by-side comparison
The comparison shows differences in:
- Subject and Issuer
- Validity dates
- Serial numbers
- Public keys and fingerprints
- Extensions and SANs
Chain Validation
Validate the complete certificate chain to ensure proper SSL/TLS configuration.
Validation Checks
- Chain Completeness - All intermediate certificates are present
- Signature Verification - Each certificate is properly signed by its issuer
- Expiry Validation - No certificates in the chain are expired
- Trust Verification - Chain terminates at a trusted root CA
How to Validate
- Fetch a certificate from any domain
- Run "SSLens: Validate Certificate Chain"
- View the validation results
Local Certificate Files
Inspect certificates stored locally on your machine with full X.509 parsing and chain support.
Supported File Formats
- .pem - PEM-encoded certificates (supports multiple certificates in one file)
- .crt - Certificate files
- .cer - Certificate files (DER or PEM)
- .der - DER-encoded binary certificates
Certificate Chain Files
SSLens now fully supports PEM files containing multiple certificates (certificate chains). When you import a chain file:
- All certificates in the chain are parsed
- Full details are extracted using proper X.509 parsing
- The chain view displays all certificates with their relationships
- Export and pinning features work just like fetched certificates
How to Inspect Local Files
- Run "SSLens: Inspect Local Certificate File" or click the Import button in the sidebar
- Select a certificate file from the file picker
- View full certificate details including Subject, Issuer, Validity, Key Info, SANs, and more
Parsed Information
Local certificates now display the same comprehensive details as fetched certificates:
- Subject & Issuer - Full distinguished name (CN, O, OU, C, ST, L)
- Validity Period - Not Before, Not After, Days Until Expiry
- Public Key - Algorithm (RSA/ECDSA), key size, curve info
- Fingerprints - SHA-256, SHA-1, MD5
- Pinning Hashes - Public Key Hash, SPKI Hash
- Subject Alternative Names - All SANs from the certificate
Self-Signed Certificates
SSLens can inspect self-signed certificates and certificates from internal CAs that aren't in public trust stores.