Inspect TLS certificates, chain of trust, CT logs, and CAA records for any domain.
Inspect the full TLS certificate chain for any domain. Certificates are fetched from Cloudflare's edge network, so you see exactly what browsers see. Includes Certificate Transparency log lookups and CAA record validation.
Certificates are retrieved by initiating a TLS handshake from Cloudflare's edge network. This shows you the exact certificate chain that browsers see when connecting to the domain, including any intermediates served by the host.
A certificate chain is the sequence of certificates from the server's leaf certificate up through intermediate certificates to a trusted root CA. Browsers need the full chain to verify trust. An incomplete chain can cause connection failures in some clients.
Certificate Transparency (CT) logs are public, append-only ledgers that record every TLS certificate issued by participating CAs. They let domain owners detect unauthorized certificates issued for their domains.
Configure your web server to send the full chain: your leaf certificate plus all intermediate certificates. Most CAs provide a "full chain" or "bundle" file. The root certificate should not be included as clients already have it in their trust store.
Set CAA records listing only the certificate authorities you use. For example, if you use Let's Encrypt, add a CAA record with value "0 issue letsencrypt.org". This prevents other CAs from issuing certificates for your domain.