An SSL lookup retrieves and parses the SSL/TLS certificate served by a domain or hostname - returning who issued it, when it expires, which hostnames it covers (Subject Alternative Names), the full chain of trust back to a root Certificate Authority, the key algorithm and TLS version negotiated, and the Certificate Transparency log entries that record the certificate's issuance. Certificates are both an HTTPS prerequisite and a rich OSINT source: the SAN field often reveals related infrastructure, and CT log entries surface new certificates as they are issued.
Feature: Live certificate retrieved directly from the target server, parsed into structured fields
Feature: Subject Alternative Names (SANs) listed in full - often reveals undocumented subdomains and related infrastructure
Feature: Certificate Transparency log entries showing every certificate issued for the domain pattern
Feature: Free tool covers individual lookups; bulk and scheduled monitoring available through the API
For portfolio-scale certificate expiry monitoring, CT log change alerts, and integration into security platforms, the SSL Certificate API for portfolio-scale monitoring returns parsed certificate data in JSON for thousands of domains with scheduled re-checks.
SSL Lookup shows up in three distinct workflows: OSINT pivoting through SAN fields and CT logs to find related infrastructure, certificate-expiry monitoring to prevent HTTPS outages, and third-party risk assessment to verify vendor certificate hygiene. The four use cases below are where it gets the most use.
SSL certificates are goldmines for OSINT. The Subject Alternative Names (SAN) field often lists multiple domains covered by a single certificate - revealing related infrastructure operated by the same entity. Threat actors frequently reuse certificates or CAs across campaigns, making certificate pivoting (finding all domains sharing a certificate or a specific issuer) one of the most effective threat intelligence techniques. Combine with the WHOIS Lookup to cross-reference registrant data with certificate data.
Certificate Transparency (CT) logs are public records of every SSL certificate issued by trusted Certificate Authorities. WhoisFreaks monitors CT logs continuously - when a new certificate is issued for a domain pattern matching your brand or keywords, it surfaces immediately. Newly issued certificates for typosquatting domains (e.g., 'paypa1.com', 'your-brand-login.com') are often the earliest indicator of an upcoming phishing campaign.
Use SSL Lookup to verify certificate installation, check expiry dates before they cause outages, confirm all expected domains are covered in the SAN list, and validate the full certificate chain (intermediate and root CA). Certificate expiry causes sudden HTTPS failures and browser warnings that damage user trust and SEO. Monitor critical certificates regularly.
Organizations conducting third-party vendor security assessments use SSL Lookup to verify vendors are using properly issued certificates from trusted CAs, check for certificates about to expire, and identify self-signed or weak certificates that indicate poor security hygiene.
WhoisFreaks retrieves live certificate data directly from the target server alongside Certificate Transparency log entries - so you see both the currently-served certificate and the full historical issuance record in one query. For multi-IP domains (CDNs, load balancers), certificates are also fetched from each resolved IP, surfacing inconsistencies that single-resolver checks miss.
Check the 'Not After' field for certificate expiry. Most browsers start showing warnings when a certificate has fewer than 30 days remaining. Set up expiry monitoring via the SSL Certificate API to get alerts before outages occur.
