Skip to main content
This is a pre-production deployment of Warehouse. Changes made here affect the production instance of PyPI (
Help us improve Python packaging - Donate today!

Check TLS certificates of domains for expiration dates and more.

Project Description


Check TLS certificates of domains for expiration dates and more.


It’s recommended to use Python 3.5 or newer on macOS, because DNS lookups work in parallel and thus much faster when checking several domains.

Best installed via pipsi:

% pipsi install check-tls-certs

Or some other way to install a python package with included scripts.


Usage: check_tls_certs [OPTIONS] [DOMAIN]...

  Checks the TLS certificate for each DOMAIN.

  You can add checks for alternative names by separating them with a slash,

  Exits with return code 3 when there are warnings and code 4 when there are

  -f, --file FILE              File to read domains from. One per line.
  -v, --verbose / -q, --quiet  Toggle printing of infos for domains with no
                               errors or warnings.
  --help                       Show this message and exit.

When domains are read from a file, lines starting with a # are ignored. If a line in a file ends in a /, it is joined with the next line. This allows you to group many domains using the same certificate.

If a domain starts with a ! it is checked to be in the list of alternate names, but the TLS certificate for it will not be fetched and checked. This is useful for domains that aren’t accessible for some reason.

The default port 443, to which the connection is made to fetch the certificate, can be changed by adding it to the domain separated by a colon like


0.9.1 - 2017-04-05

  • Re-release because of premature upload. [fschulze]

0.9.0 - 2017-04-05

  • Add 5 second timeout and print more detailed error messages. [fschulze]
  • If a line ends in a / it is joined with the next line when reading domains from a file. [fschulze]
  • Sort domain names in output. [fschulze]

0.8.0 - 2016-05-09

  • Validate the certificate chain sent by the server. [fschulze]

0.7.0 - 2016-05-09

  • Get current time once to avoid duplicate expiry messages. [fschulze]
  • Mark certificates from staging server with error. [fschulze]

0.6.0 - 2016-02-20

  • Fix comparison if there is no expiration time. [fschulze]
  • Allow port in domain name, to which the ssl connection is made instead of the default 443, be specified.

0.5.0 - 2016-02-17

  • Use UTC time to calculate expiration time. [fschulze]
  • Add another verbosity level (and remove -q/--quite). By default nothing is printed except when there are errors. The first level -v always prints the earliest expiration date. The second level -vv prints all the info.

0.4.0 - 2016-02-12

  • When prefixing a domain with a ! the certificate will not be fetched and checked, but it’s name well be checked to be in the list of alternate names. [fschulze]
  • Change handling of alternate names, so checking for just one domain when a certificate is valid for several works. [fschulze]
  • By default only print messages for domains with errors. Use -v option to print infos for all domains. [fschulze]
  • Allow comments starting with # in domain file. [fschulze]
  • Get rid of openssl executable requirement. [fschulze]

0.3.0 - 2016-01-01

  • Use asyncio to fetch certificates in parallel. [fschulze]

0.2.0 - 2015-12-22

  • Actually support Python 3.4 as advertised. [fschulze]
  • Fix packaging. [witsch]
  • Round expiry time delta to minutes for nicer output. [fschulze]
  • Skip duplicate messages for alternate names. [fschulze]
  • Add certificate issuer to output. [fschulze]
  • Mark sha1 certificate signature as error. [fschulze]

0.1.0 - 2015-12-20

  • Initial release [fschulze]
Release History

Release History

This version
History Node


History Node


History Node


History Node


History Node


History Node


History Node


History Node


History Node


History Node


Download Files

Download Files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

File Name & Checksum SHA256 Checksum Help Version File Type Upload Date
check-tls-certs-0.9.1.tar.gz (5.8 kB) Copy SHA256 Checksum SHA256 Source Apr 5, 2017

Supported By

WebFaction WebFaction Technical Writing Elastic Elastic Search Pingdom Pingdom Monitoring Dyn Dyn DNS Sentry Sentry Error Logging CloudAMQP CloudAMQP RabbitMQ Heroku Heroku PaaS Kabu Creative Kabu Creative UX & Design Fastly Fastly CDN DigiCert DigiCert EV Certificate Rackspace Rackspace Cloud Servers DreamHost DreamHost Log Hosting