SSL Certificate Verifier Tool


This is a WPF tool that allows you to connect to remote web servers and examine SSL certificates.

The tool provides the following functionality:

  • Validates the SSL certificate and validates all certificates in the chain for possible errors;
  • Implements certificate expiration checking. Certificate expiration is checked for all certificates in the chain;
  • The tool also checks certificates for all possible redirection URLs;
  • Writes trace/debug log for each processed entry;
  • Provides an ability to save a server list to a file and read the list from a file.

The tool requires .NET Framework 4.5.


Details & Pricing

As part of our licensed tool offerings, by purchasing a license to the SSL Certificate Verifier you are supporting the ongoing development and expansion of the tool. Licensing is available for a single user or enterprise-wide. As part of your purchase you will receive:

  • A compiled, executable version of the SSL Certificate Verifier
  • Your purchase will include a right to use the software at your organization
  • Free upgrades for 1 year from the date of purchase
  • Priority support for a period of 12-months from the time of your purchase

Support is provided through an online request portal and will be prioritized over requests from our open-source program. After 12-months you will have the option to continue your support at the current price.

Open-source, GitHub support is not commercially provided. We do accept comments, suggestions, and notifications of compatibility on GitHub.

Main Window

Main window contains a list of remote SSL/TLS servers and control buttons. There are three possible validation outcomes:

  • Ok

Client was able to successfully connect to remote server over SSL/TLS and its certificate passed all validation checks based on current settings.

  • Error

Client was either, not able to connect to remote server over SSL/TLS or its certificate failed certificate validation checks.

  • Warning

Client was able to successfully connect to remote server over SSL/TLS and its certificate passed all validation checks, but its certificate is about to expire:

When selecting particular entry, a trace log with certificate details is shown. Right-click on remote server entry and selecting entry properties it is possible to configure proxy settings if necessary:

Certificate View

Additionally, there is certificate view which is located under Certificates tab:

Certificate view dialog shows certificate chain and errors. Native errors shows potential issues with selected certificate itself. Propagated errors show potential issues propagated from upper level certificates (intermediate CA certificates). The following image shows errors associated with a certificate that failed validation checks:

By pressing View Certificate button, a certificate UI dialog (provided by operating system) is shown.

HTML Report

After scan completion, you can save current application state to HTML report by clicking on a "Save HTML Report" toolbar button.

SSL Certificate Verifier PKI Solutions

HTML report provides detailed information about every HTTP redirect, certificate chain, every certificate details and even full certificate in PEM format:

SSL Certificate Verifier PKI

Script Automation

You can automate server automation using Windows PowerShell and create scheduled tasks to run scans on a regular basis:

PS C:\> Add-Type -Path "C:\Program Files\PKI Solutions\SSL Verifier\SSLVerifier.Core.dll"
PS C:\> $server = New-Object SSLVerifier.Core.Default.ServerEntry ""
PS C:\> $config = New-Object SSLVerifier.Core.Default.CertProcessorConfig
PS C:\> $scanner = New-Object SSLVerifier.Core.Processor.CertProcessor $config
PS C:\> $scanner.StartScan($server)
PS C:\> $server

ServerAddress :
Port          : 443
Proxy         : SSLVerifier.Core.Default.ServerEntryProxy
ItemStatus    : Valid
Log           : SSLVerifier.Core.Default.ServerLogWriter
SAN           : {DNS Name=*, DNS Name=*, DNS, DNS}
ChainStatus   : NoError
Certificate   : [Subject]
                  CN=*, O=Google LLC, L=Mountain View, S=California, C=US

                  CN=GTS CA 1O1, O=Google Trust Services, C=US

                [Serial Number]

                [Not Before]
                  2020.07.07. 11:14:00

                [Not After]
                  2020.09.29. 11:14:00


Tree          : {SSLVerifier.Core.Models.TreeNode`1[SSLVerifier.Core.IChainElement], SSLVerifier.Core.Models.TreeNode`1

PS C:\> if ($server.ItemStatus -ne "Valid") {
>> # perform required actions for failed scan. For example, send email alert
>> }
PS C:\>

Follow this post for more details.

Application Settings

Application contains several settings, which are invoked via Options -> Settings:

In this dialog, you can configure some validation options:

  • Search Transparency Log

When enabled, searches for TLS certificate in public Certificate Transparency Logs.

  • Strict EKU validation

When enabled, this option will require that entire certificate chain is valid for Server Authentication enhanced key usage. Otherwise, Server Authentication EKU is checked on leaf certificate only.

  • Allow user trust

By default, certificate chains are built against trusted root CA store in machine context (local computer). Manually added trusted root CAs in current user store are not trusted by default.

  • Require minimum RSA public key length

Enforces RSA public key length which must be equals or greater than specified value. This settings has effect only on RSA public keys. ECC (ellyptic curve cryptography) key length is not enforced.

  • Protocol list

Specifies allowed SSL/TLS protocols. SSL Verifier Tool attempts to connect to remote server using the best protocol. If connection fails and there are other allowed protocols, they are attempted until connection succeeds or there are more allowed SSL/TLS protocols, otherwise, connection will fail.

  • Invalidate weak signature algorithm

When enabled, specifies a set of disallowed signature algorithm for leaf and intermediate CA certificates. Signature algorithm list is not applied to root (presented in a self-signed form) are not checked.