Tools
sslbrain includes several built-in tools for SSL/TLS administration.
TLS/SSL Scanner
Scans a server for SSL/TLS configuration and certificates.
Local scanning
Scans from your sslbrain instance. Can reach servers on your internal network.
Cloud scanning
Scans via sslbrain Cloud from the internet. See what the outside world sees.
How to use the scanner
- Enter hostname and port (default 443)
- sslbrain scans the server with testssl.sh
- Results are displayed within seconds
What the scanner finds
| Category | Details |
|---|---|
| Certificates | Subject, SANs, issuer, expiry date, chain validation |
| Cipher suites | Which cipher suites the server offers and prefers |
| Protocol versions | TLS 1.0, 1.1, 1.2, 1.3, which are enabled |
| Vulnerabilities | Known vulnerabilities such as BEAST, POODLE, Heartbleed, etc. |
Tip: Use the scanner to answer: "Which certificates are on our servers?" and "Is our TLS configuration secure?"
Certificate Decoder
Paste a certificate in PEM format and see all details.
| Field | Description |
|---|---|
| Subject | CN (Common Name), O (Organisation), OU (Organisational Unit) |
| SANs | All domain names covered by the certificate |
| Issuer | Certificate Authority (CA) that issued the certificate |
| Validity period | Start and end date for the certificate's validity |
| Key type | RSA 2048/4096 or ECDSA P-256/384 |
| Signature algorithm | e.g. SHA-256 with RSA |
| Certificate chain | Full chain from certificate to root CA |
Certificate Converter
Convert between certificate formats. Upload the file or paste PEM text. sslbrain converts it and gives you the file for download.
| From | To | Use |
|---|---|---|
| PEM | DER | Binary format for Java/Tomcat |
| PEM | PFX/PKCS12 | Windows format with certificate + key |
| PFX | PEM | Extract certificate and key from PFX |
| PEM | JKS | Java KeyStore for Tomcat/Spring |
CAA Record Generator
Generate CAA DNS records for your domain.
CAA records tell which CAs are allowed to issue certificates for your domain. It is a DNS record, not something sslbrain controls, but the tool helps you create the correct record.
Example CAA records
example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issue "pki.goog"
example.com. CAA 0 issuewild "letsencrypt.org"| Tag | Meaning |
|---|---|
| issue | Allows the specified CA to issue certificates for the domain |
| issuewild | Allows the specified CA to issue wildcard certificates |
| iodef | Email address for notifications on policy violations |
Self-signed Certificate
Generate a self-signed certificate for testing and development.
Configuration
- Enter domain name
- Choose validity period
- Choose key type (RSA/ECDSA)
Output
- Certificate + key are generated
- Download as PEM or PFX
Note: Only use self-signed certificates for testing and development, not for production. Browsers and clients will show warnings for self-signed certificates.