Introducing SSLurp
sslurp.esoup.net — a certificate checker that connects directly to IP addresses and tells you exactly what's happening with TLS on any endpoint you point it at.
Most certificate tools work by hostname. You type example.com, they resolve DNS, connect, and show you what they find. That's fine until you need to test a cert before updating DNS, see what a specific CDN edge node is serving, or troubleshoot why one IP in a cluster is presenting something different than the others.
SSLurp bypasses DNS entirely. Give it an IP, a port, and optionally an SNI hostname, and it fetches the full certificate chain — no resolution quirks, no caching mysteries. Just the raw truth about what that endpoint is serving.
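The direct-to-IP fetch described above can be sketched with the Node-style tls module. This is an added example, not SSLurp's own code: chainFrom and fetchChain are hypothetical names, and the trusted field is the runtime's verdict against its bundled CA store.

```javascript
// Added example, not SSLurp's code: fetch a chain from an IP with an explicit SNI name.
const tls = require("node:tls");

// Flatten the linked list returned by getPeerCertificate(true) into leaf-to-root order.
// A self-signed root lists itself as its own issuer, so stop on a repeated fingerprint.
function chainFrom(peerCert) {
  const chain = [];
  const seen = new Set();
  for (let c = peerCert; c && c.fingerprint256 && !seen.has(c.fingerprint256); c = c.issuerCertificate) {
    seen.add(c.fingerprint256);
    const up = c.issuerCertificate;
    chain.push({
      subject: c.subject && c.subject.CN,
      issuer: c.issuer && c.issuer.CN,
      validTo: c.valid_to,
      selfSigned: Boolean(up && up.fingerprint256 === c.fingerprint256),
    });
  }
  return chain;
}

// Connect to the IP directly (no DNS). sni is optional and must be a hostname, not an IP.
function fetchChain(ip, port = 443, sni = undefined, timeoutMs = 5000) {
  return new Promise((resolve, reject) => {
    const socket = tls.connect(
      // rejectUnauthorized: false so untrusted endpoints can still be inspected;
      // trust is reported in the result instead of being enforced by the handshake.
      { host: ip, port, servername: sni, rejectUnauthorized: false },
      () => {
        const result = {
          trusted: socket.authorized,
          error: socket.authorizationError ? String(socket.authorizationError) : null,
          chain: chainFrom(socket.getPeerCertificate(true)),
        };
        socket.end();
        resolve(result);
      }
    );
    socket.setTimeout(timeoutMs, () => socket.destroy(new Error("timeout")));
    socket.on("error", reject);
  });
}
```

Calling fetchChain("93.184.216.34", 443, "example.com") mirrors the single-check request shown in the API section; with no SNI argument the handshake is sent without a server name.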
Real Chain Validation
Here's where it gets interesting. SSLurp doesn't just show you the certificate chain — it cryptographically verifies every signature from leaf to root.
We load Mozilla's trusted CA bundle (the same roots your browser trusts) and verify that:
- Each certificate in the chain was actually signed by its claimed issuer
- The chain terminates in a trusted root CA
- No signatures have been tampered with
You get a clear verdict: Trusted (chain ends in a known root like DigiCert or Let's Encrypt) or Not Trusted (self-signed, incomplete chain, or signature mismatch). Every link in the chain shows its verification status.
This isn't just "does the hostname match" validation — it's the full cryptographic proof that the certificate is legitimate.
The API
SSLurp has a proper REST API with authentication, rate limiting, and multiple output options.
Single check:
curl -H "X-API-Key: YOUR_KEY" \
"https://sslurp.esoup.net/check?ip=93.184.216.34&port=443&sni=example.com"
Batch check (up to 10 hosts at once):
curl -X POST -H "X-API-Key: YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{"hosts": ["example.com", "google.com:443", "1.2.3.4"]}' \
https://sslurp.esoup.net/check/batch
Get results by email: Add &email=true to any request and we'll send you a nicely formatted report with the full chain verification details — subject info, validity, chain verification status, the works.
API Keys and Self-Service Registration
Anyone can grab a free API key at sslurp.esoup.net/register. Enter your email, click the verification link, and you've got a working key in seconds.
What you get with a free key:
- 14 days validity
- Email delivery — get results sent to your inbox
- Standard rate limits (plenty for normal use)
That's the self-service tier. It's genuinely useful — you can check certificates and get nicely formatted email reports. Most people won't need more.
The system supports more, but not through self-service:
- Longer validity periods (30 days, 1 year, 5 years)
- Elevated rate limits for high-volume use
- Webhook delivery (coming soon)
- Custom configurations
These exist. They're available upon request. If you need them and you're the kind of person who can figure out how to ask, you'll figure it out.
Under the Hood: Stateless Keys
The keys themselves are stateless — no database lookups on every request. The key is the authorization, carrying everything the server needs to make access decisions. No session store, no token database.
This keeps things fast and lets the system scale without bottlenecks.
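One way to build a key that carries its own authorization, shown as an added example rather than SSLurp's actual key format: the claims (email, tier, expiry) are sealed with AES-256-GCM, so the server can check a key with nothing but its secret. The claim names, SERVER_KEY, REVOKED, issueKey and checkKey are all assumptions made for illustration.

```javascript
// Added example, not SSLurp's code: a stateless key as an AES-256-GCM sealed blob.
const nodeCrypto = require("node:crypto");

// Constructed demo secret; a real server loads 32 random bytes from a secret store.
const SERVER_KEY = nodeCrypto.createHash("sha256").update("demo-only-secret").digest();
// Early revocation is the one thing a stateless key needs state for (hypothetical list).
const REVOKED = new Set();

// Seal the claims: GCM encrypts them (hiding the email) and authenticates them.
function issueKey(email, tier, validDays, now = Date.now()) {
  const kid = nodeCrypto.randomBytes(8).toString("hex");
  const claims = JSON.stringify({ kid, email, tier, exp: now + validDays * 86_400_000 });
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every key
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", SERVER_KEY, iv);
  const ct = Buffer.concat([cipher.update(claims, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64url");
}

// Authorize a request from the key alone: open it, then check expiry and revocation.
function checkKey(key, now = Date.now()) {
  const raw = Buffer.from(String(key), "base64url");
  if (raw.length <= 28) return { ok: false, reason: "malformed" };
  let claims;
  try {
    const d = nodeCrypto.createDecipheriv("aes-256-gcm", SERVER_KEY, raw.subarray(0, 12));
    d.setAuthTag(raw.subarray(12, 28));
    const pt = Buffer.concat([d.update(raw.subarray(28)), d.final()]);
    claims = JSON.parse(pt.toString("utf8"));
  } catch {
    return { ok: false, reason: "tampered" }; // GCM tag mismatch or unparsable claims
  }
  if (typeof claims.exp !== "number" || now >= claims.exp) return { ok: false, reason: "expired" };
  if (REVOKED.has(claims.kid)) return { ok: false, reason: "revoked" };
  return { ok: true, kid: claims.kid, tier: claims.tier, email: claims.email };
}
```

A key sealed this way stays valid until its expiry on every server holding the secret, so revoking one early needs a deny list like REVOKED checked alongside it.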
Mailing List (No API Key Required)
Not a developer? Just want to hear about certificate security tips and SSLurp updates?
There's a subscribe form on the About page that adds you to the mailing list without any API key framing. Enter your email, confirm the link, done. You'll get occasional updates — no spam, easy unsubscribe.
Under the hood, this uses the same infrastructure as API key registration. One system, two flows, zero code duplication.
The Build
This started as a weekend experiment — a collaboration between me and Claude (Anthropic's AI assistant) to see if we could ship something useful, end to end, quickly.
We did. And then we kept going.
The stack:
- Bun — runtime and package manager
- Hono — fast, minimal web framework
- Native TLS sockets — direct certificate fetching with OpenSSL fallback for full chain retrieval
- Mozilla CA bundle — 144 trusted root certificates for chain validation
- Mailgun — transactional email and mailing list management
Security layers:
- Explicit route allowlist (defense in depth beyond static file serving)
- CSP headers, HSTS, X-Frame-Options — the full set
- Rate limiting per IP and per /24 subnet
- Email suppression checking before sending (bounces, complaints, unsubscribes)
- Encrypted PII in API keys
The whole thing runs on a small VPS. No containers, no orchestration, no complexity where it isn't needed.
The Admin Interface
There's also a local admin tool (not public) for key management — an ephemeral web GUI that spins up when I need it and disappears when I don't. It talks to the production API for issuing and revoking keys, and directly to Mailgun for checking email suppressions.
Building admin tooling as a local ephemeral interface rather than an always-running authenticated web panel turned out to be a really nice pattern. No attack surface when it's not running, no session management, no "forgot to log out" risks.
Go Try It
Paste in an IP, see what certificate it's serving, verify the chain is legitimate. Grab an API key if you want to automate it. Subscribe to the list if you want occasional updates.
It started as "can we build this?" and turned into something I actually use. Maybe you will too.
Related reading:
- Wildcard Certificates — The Misunderstood Shortcut
- Taking Back Control: CAA Records