SSL Chain & Cipher Suite Visualizer

Two views from one scan โ€” certificate trust chain and cipher suite strength. Flags missing intermediates, weak ciphers, and TLS version issues with exact fix blocks.

Enter a domain to visualize its SSL certificate trust chain.

Leaf certificate โ†’ Intermediate CA โ†’ Root CA

Paste openssl output โ€” run this in your terminal:

openssl s_client -connect yourdomain.com:443 </dev/null 2>&1 | head -30
Paste your openssl output above to analyse your cipher suite.

Checks TLS version ยท cipher strength ยท key size ยท PFS ยท HSTS

See also: SSL chain guide  ·  Redirect Chain Fixer  ·  TLS cipher suite guide

Visualizes your SSL certificate trust chain and analyses your TLS cipher suite. Certificate chain tab shows Leaf, Intermediate CA, and Root CA. Cipher suite tab scores your TLS configuration 0-100, flagging weak ciphers, TLS 1.0/1.1, missing Perfect Forward Secrecy, and TLS compression.

You might also need
🔒HSTS Preload Checker
Check preload list status and HSTS requirements
🔒HeadersFixer
Scan security headers and get stack-specific fixes
📋Pre-Launch Checklist
20 HTTP checks before you ship
Done with this tool?
20 HTTP checks before you ship โ€” security, CORS, cache, redirects, staging.
Pre-Launch Checklist โ†’
📚 HttpFixer Blog โ€” fix guides, explainers, and references โ†’

About SSL Chain Visualizer

What does SSL Chain Visualizer check?

SSL Chain Visualizer fetches your certificate trust chain and shows each certificate from your domain cert to the root CA. It flags missing intermediate certificates, expiring certs, and weak cipher suites including TLS 1.0 and TLS 1.1.

What is a missing intermediate certificate?

An intermediate certificate sits between your domain certificate and the root CA. Without it, mobile browsers and API clients may fail to verify your SSL chain even when desktop browsers work fine โ€” desktop browsers often cache intermediates from previous visits.

What cipher suites are recommended for TLS 1.3?

TLS_AES_256_GCM_SHA384 and TLS_CHACHA20_POLY1305_SHA256 are the strongest ciphers for TLS 1.3. For TLS 1.2 compatibility, ECDHE-RSA-AES256-GCM-SHA384 is widely recommended. Avoid RC4, 3DES, and any cipher without Perfect Forward Secrecy.

Is my domain stored or logged?

No. Certificate data is fetched via crt.sh and a stateless Cloudflare Worker. Your domain is not stored or associated with any account.