DNS Zone

The global DNS infrastructure is organized as a series of hierarchical DNS zones. The root zone hosts a number of global and country TLDs, which in turn host further zones that are delegated to their customers. Each organization that controls a zone can delegate parts of its namespace to other zones. In this test we perform detailed inspection of a DNS zone, but only if the host being tested matches the zone.

Nameserver Names

Nameservers can be referred to by name and by address. In this section we show the names, which can appear in the NS records, the referrals from the parent zone, and the SOA record. In some situations, servers from the parent zone respond authoritatively, in which case we will include them in the list as well.

Nameserver Addresses

This section shows the configuration of all discovered nameservers by their IP address. To find all applicable nameservers, we inspect the parent zone nameservers for names and glue and then the tested zone nameservers for NS records. We then resolve all discovered names to IP addresses. Finally, we test each address individually.

Start of Authority (SOA) Record

Start of Authority (SOA) records contain administrative information pertaining to one DNS zone, especially the configuration that's used for zone transfers between the primary nameserver and the secondaries. Only one SOA record should exist, with all nameservers providing the same information.

Backing DNS Queries

Below are all DNS queries we submitted during the zone inspection.

DNS Records

Correctly functioning name servers are necessary to hold and distribute information that's necessary for your domain name to operate correctly. Examples include converting names to IP addresses, determining where email should go, and so on. More recently, the DNS is being used to communicate email and other security policies.

DNS Records

These are the results of individual DNS queries against your nameserver for common resource record types.

Backing DNS Queries

Below are all DNS queries we submitted while inspecting the resource records.

DNSSEC

DNSSEC is an extension of the DNS protocol that provides cryptographic assurance of the authenticity and integrity of responses; it's intended as a defense against network attackers who are able to manipulate DNS to redirect their victims to servers of their choice. DNSSEC is controversial, with the industry split largely between those who think it's essential and those who believe that it's problematic and unnecessary.

Useful DNSSEC Tools

• Test namecheap.com @ DNSViz
• Test namecheap.com @ DNSSEC Analyzer (Verisign Labs)
• Zonemaster (iiS and AFNIC)

Certification Authority Authorization

CAA (RFC 8659) is a new standard that allows domain name owners to restrict which CAs are allowed to issue certificates for their domains. This can help to reduce the chance of misissuance, either accidentally or maliciously. In September 2017, CAA became mandatory for CAs to implement.

Email (SMTP)

An internet hostname can be served by zero or more mail servers, as specified by MX (mail exchange) DNS resource records. Each server can further resolve to multiple IP addresses, for example to handle IPv4 and IPv6 clients. Thus, in practice, hosts that wish to receive email reliably are supported by many endpoint.

220 asp-relay-nc.jellyfish.systems ESMTP Postfix
EHLO outbound.hardenize.com
250-asp-relay-nc.jellyfish.systems
250-PIPELINING
250-SIZE 51200000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 CHUNKING
QUIT
221 2.0.0 Bye

220 asp-relay-nc.jellyfish.systems ESMTP Postfix
EHLO outbound.hardenize.com
250-asp-relay-nc.jellyfish.systems
250-PIPELINING
250-SIZE 51200000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 CHUNKING
QUIT
221 2.0.0 Bye

Email TLS (SMTP)

Transport Layer Security (TLS) is the most widely used encryption protocol on the Internet. In combination with valid certificates, servers can establish trusted communication channels even with users who have never visited them before. Network attackers can't uncover what is being communicated, even when they can see all the traffic.

Email Certificates (SMTP)

A certificate is a digital document that contains a public key, some information about the entity associated with it, and a digital signature from the certificate issuer. It’s a mechanism that enables us to exchange, store, and use public keys. Being able to reliably verify the identity of a remote server is crucial in order to achieve secure encrypted communication.

Certificate #1

Leaf certificate *.jellyfish.systems
Issuer: Sectigo
Not Before: 29 Nov 2024 00:00:00 UTC
Not After: 11 Dec 2025 23:59:59 UTC (expires in 4 months 14 days)
Key: RSA 2048 bits
Signature: SHA256withRSA
 View details

Names	*.jellyfish.systems jellyfish.systems
Subject DN	CN=*.jellyfish.systems
Subject Key Identifier	53702265cb80fa15aaf52be7086a5f3fcfac5d90
Serial	b83433ea0b3288876bc25bceaf647a32
Not Before	29 Nov 2024 00:00:00 UTC
Not After	11 Dec 2025 23:59:59 UTC
Validity period	378 days
Key Usage	digitalSignature, keyEncipherment
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
Certification Authority	Sectigo
Validation Type	Domain Validation (DV)
Authority Key Identifier	keyid:8d8c5ec454ad8ae177e99bf99b05e1b8018d61e1
Parent Certificate	http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
OCSP	http://ocsp.sectigo.com
Certificate Transparency
Signed Certificate Timestamps	29 Nov 2024 16:17:40 UTC | Google 'Xenon2025h2' log | Qualified 29 Nov 2024 16:17:40 UTC | Cloudflare 'Nimbus2025' | Qualified 29 Nov 2024 16:17:40 UTC | Google 'Argon2025h2' log | Qualified
Fingerprints
SHA1	8254b9e2b0b3adcfdaa1ba04680d8d96cca4869f
SHA256	153b3a85f919c971c6572a20ed61fd0b87d3242bae3057fe6e16b879c6274a91
SPKI SHA256	ff19a3e470303d9b77b227ad90e45928f1cee7b21797dedc19ef09da824efa6f

Analysis

Good

Strong private key

Good. The private key associated with this certificate is secure.

Good

Strong signature algorithm

Good. This certificate uses a strong signature algorithm.

Good

Certificate matches hostname

Good. The provided certificate matches the expected hostnames.

Good

Certificate dates match

Good. The certificate is valid for use at this point of time.

Good

Certificate has not been revoked

Good. This certificate has not been revoked.

Good

Certificate satisfies Apple's CT compliance requirements

Good. This certificate satisfies Apple's CT requirements at present.

Certificate Chain

Leaf certificate

*.jellyfish.systems | 153b3a8
Not After: 11 Dec 2025 23:59:59 UTC (expires in 4 months 14 days)
Authentication: RSA 2048 bits (SHA256withRSA)
 View details

Names	*.jellyfish.systems jellyfish.systems
Subject DN	CN=*.jellyfish.systems
Subject Key Identifier	53702265cb80fa15aaf52be7086a5f3fcfac5d90
Serial	b83433ea0b3288876bc25bceaf647a32
Not Before	29 Nov 2024 00:00:00 UTC
Not After	11 Dec 2025 23:59:59 UTC
Validity period	378 days
Key Usage	digitalSignature, keyEncipherment
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
Certification Authority	Sectigo
Validation Type	Domain Validation (DV)
Authority Key Identifier	keyid:8d8c5ec454ad8ae177e99bf99b05e1b8018d61e1
Parent Certificate	http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
OCSP	http://ocsp.sectigo.com
Certificate Transparency
Signed Certificate Timestamps	29 Nov 2024 16:17:40 UTC | Google 'Xenon2025h2' log | Qualified 29 Nov 2024 16:17:40 UTC | Cloudflare 'Nimbus2025' | Qualified 29 Nov 2024 16:17:40 UTC | Google 'Argon2025h2' log | Qualified
Fingerprints
SHA1	8254b9e2b0b3adcfdaa1ba04680d8d96cca4869f
SHA256	153b3a85f919c971c6572a20ed61fd0b87d3242bae3057fe6e16b879c6274a91
SPKI SHA256	ff19a3e470303d9b77b227ad90e45928f1cee7b21797dedc19ef09da824efa6f

Intermediate certificate

Sectigo RSA Domain Validation Secure Server CA | 7fa4ff6
Not After: 31 Dec 2030 23:59:59 UTC (expires in 5 years 5 months)
Authentication: RSA 2048 bits (SHA384withRSA)
 View details

Subject DN	CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
Subject Key Identifier	8d8c5ec454ad8ae177e99bf99b05e1b8018d61e1
Serial	7d5b5126b476ba11db74160bbc530da7
Not Before	02 Nov 2018 00:00:00 UTC
Not After	31 Dec 2030 23:59:59 UTC
Key Usage	digitalSignature, keyCertSign, cRLSign
Extended Key Usage	serverAuth, clientAuth
Issuer
Issuer DN	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Certification Authority	Sectigo
Validation Type	Not Applicable
Authority Key Identifier	keyid:5379bf5aaa2b4acf5480e1d89bc09df2b20366cb
Parent Certificate	http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
CRL	http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl
OCSP	http://ocsp.usertrust.com
CA certificate	Yes (pathlen 0)
Fingerprints
SHA1	33e4e80807204c2b6182a3a14b591acd25b5f0db
SHA256	7fa4ff68ec04a99d7528d5085f94907f4d1dd1c5381bacdc832ed5c960214676
SPKI SHA256	e1ae9c3de848ece1ba72e0d991ae4d0d9ec547c6bad1dddab9d6beb0a7e0e0d8

Root certificate

USERTrust RSA Certification Authority | e793c9b
Not After: 18 Jan 2038 23:59:59 UTC (expires in 12 years 5 months)
Authentication: RSA 4096 bits (SHA384withRSA)
 View details

Subject DN	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Subject Key Identifier	5379bf5aaa2b4acf5480e1d89bc09df2b20366cb
Serial	01fd6d30fca3ca51a81bbc640e35032d
Not Before	01 Feb 2010 00:00:00 UTC
Not After	18 Jan 2038 23:59:59 UTC
Key Usage	keyCertSign, cRLSign
Issuer
Issuer DN	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Certification Authority	Sectigo
Validation Type	Self-signed
CA certificate	Yes (pathlen unlimited)
Fingerprints
SHA1	2b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e
SHA256	e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd2
SPKI SHA256	c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde

Email DANE (SMTP)

DNS-based Authentication of Named Entities (DANE) is a bridge between DNSSEC and TLS. In one possible scenario, DANE can be used for public key pinning, building on an existing publicly-trusted certificate. In another approach, it can be used to completely bypass the CA ecosystem and establish trust using DNSSEC alone.

SPF

Sender Policy Framework (SPF) is a protocol that allows domain name owners to control which internet hosts are allowed to send email on their behalf. This simple mechanism can be used to reduce the effect of email spoofing and cut down on spam.

DMARC

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a scalable mechanism by which a mail-originating organization can express domain-level policies and preferences for message validation, disposition, and reporting, that a mail-receiving organization can use to improve mail handling.

MTA Strict Transport Security

SMTP Mail Transfer Agent Strict Transport Security (MTA-STS) is a mechanism enabling mail service providers to declare their ability to receive Transport Layer Security (TLS) secure SMTP connections, and to specify whether sending SMTP servers should refuse to deliver to MX hosts that do not offer TLS with a trusted server certificate.

SMTP TLS Reporting

SMTP TLS Reporting (RFC 8460), or TLS-RPT for short, describes a reporting mechanism and format by which systems sending email can share statistics and specific information about potential failures with recipient domains. Recipient domains can then use this information to both detect potential attacks and diagnose unintentional misconfigurations. TLS-RPT can be used with DANE or MTA-STS.

HTTP (80)

To observe your HTTP implementation, we submit a request to the homepage of your site on port 80, follow all redirections (even when they take us to other domain names), and record the returned HTTP headers.

URL: http://namecheap.com/

URL: http://www.namecheap.com/

HTTP (443)

To observe your HTTPS implementation, we submit a request to the homepage of your site on port 443, follow all redirections (even when they take us to other domain names), and record the returned HTTP headers. We use the most recent set of headers returned from the tested hostname for further tests such as HSTS and HPKP.

URL: https://namecheap.com/

URL: https://www.namecheap.com/

WWW TLS

Transport Layer Security (TLS) is the most widely used encryption protocol on the Internet. In combination with valid certificates, servers can establish trusted communication channels even with users who have never visited them before. Network attackers can't uncover what is being communicated, even when they can see all the traffic.

WWW Certificates

A certificate is a digital document that contains a public key, some information about the entity associated with it, and a digital signature from the certificate issuer. It’s a mechanism that enables us to exchange, store, and use public keys. Being able to reliably verify the identity of a remote server is crucial in order to achieve secure encrypted communication.

Certificate: namecheap.com

Leaf certificate www.namecheap.com
Issuer: Sectigo
Not Before: 09 Dec 2024 00:00:00 UTC
Not After: 07 Jan 2026 23:59:59 UTC (expires in 5 months 11 days)
Key: RSA 2048 bits
Signature: SHA256withRSA
 View details

Names	www.namecheap.com namecheap.com
Subject DN	CN=www.namecheap.com, O="Namecheap, Inc.", ST=Arizona, C=US, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=4077265
Subject Key Identifier	e96b7fc8ef4b91f69dba9e964ecc0149661881fd
Serial	ba5ba41e3cfc93fdc2ca84fbaebae650
Not Before	09 Dec 2024 00:00:00 UTC
Not After	07 Jan 2026 23:59:59 UTC
Validity period	395 days
Key Usage	digitalSignature, keyEncipherment
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=Sectigo RSA Extended Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
Certification Authority	Sectigo
Validation Type	Extended Validation (EV)
Authority Key Identifier	keyid:2c69ff80c98790ae34e1b4e74c93859940e9a7b2
Parent Certificate	http://crt.sectigo.com/SectigoRSAExtendedValidationSecureServerCA.crt
CRL	http://crl.sectigo.com/SectigoRSAExtendedValidationSecureServerCA.crl
OCSP	http://ocsp.sectigo.com
Certificate Transparency
Signed Certificate Timestamps	09 Dec 2024 19:38:22 UTC | Google 'Xenon2026h1' log | Qualified 09 Dec 2024 19:38:21 UTC | Let's Encrypt 'Oak2026h1' | Qualified 09 Dec 2024 19:38:22 UTC | Cloudflare 'Nimbus2026' | Qualified
Fingerprints
SHA1	a6ee04935a9a5d0ee81f74a101f0dfef73884b32
SHA256	6dc4a3542f0f84db376afa074ddc5b62e86700a64585b6ef97e454fd5696efc7
SPKI SHA256	cd205685e04db90035304db21aa3392bb8530604d2de79954d902a0480b185fc

Analysis

Good

Strong private key

Good. The private key associated with this certificate is secure.

Good

Strong signature algorithm

Good. This certificate uses a strong signature algorithm.

Good

Certificate matches hostname

Good. The provided certificate matches the expected hostnames.

Good

Certificate dates match

Good. The certificate is valid for use at this point of time.

Good

Certificate has not been revoked

Good. This certificate has not been revoked.

Good

Certificate satisfies Apple's CT compliance requirements

Good. This certificate satisfies Apple's CT requirements at present.

Certificate Trust

Determining whether a certificate is considered valid is a complicated process that depends on the exact configuration of the validating party. For trust to be established, the certificate must form a chain that ends with a trusted root. In this section we evaluate the server's certificate against major root stores.

Certificate Chain

For a server certificate to be valid, it must be presented as part of a complete and valid certificate chain. The last certificate in the chain should be the root and is usually not included in the configuration.

Leaf certificate

www.namecheap.com | 6dc4a35
Not After: 07 Jan 2026 23:59:59 UTC (expires in 5 months 11 days)
Authentication: RSA 2048 bits (SHA256withRSA)
 View details

Names	www.namecheap.com namecheap.com
Subject DN	CN=www.namecheap.com, O="Namecheap, Inc.", ST=Arizona, C=US, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=4077265
Subject Key Identifier	e96b7fc8ef4b91f69dba9e964ecc0149661881fd
Serial	ba5ba41e3cfc93fdc2ca84fbaebae650
Not Before	09 Dec 2024 00:00:00 UTC
Not After	07 Jan 2026 23:59:59 UTC
Validity period	395 days
Key Usage	digitalSignature, keyEncipherment
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=Sectigo RSA Extended Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
Certification Authority	Sectigo
Validation Type	Extended Validation (EV)
Authority Key Identifier	keyid:2c69ff80c98790ae34e1b4e74c93859940e9a7b2
Parent Certificate	http://crt.sectigo.com/SectigoRSAExtendedValidationSecureServerCA.crt
CRL	http://crl.sectigo.com/SectigoRSAExtendedValidationSecureServerCA.crl
OCSP	http://ocsp.sectigo.com
Certificate Transparency
Signed Certificate Timestamps	09 Dec 2024 19:38:22 UTC | Google 'Xenon2026h1' log | Qualified 09 Dec 2024 19:38:21 UTC | Let's Encrypt 'Oak2026h1' | Qualified 09 Dec 2024 19:38:22 UTC | Cloudflare 'Nimbus2026' | Qualified
Fingerprints
SHA1	a6ee04935a9a5d0ee81f74a101f0dfef73884b32
SHA256	6dc4a3542f0f84db376afa074ddc5b62e86700a64585b6ef97e454fd5696efc7
SPKI SHA256	cd205685e04db90035304db21aa3392bb8530604d2de79954d902a0480b185fc

Intermediate certificate

Sectigo RSA Extended Validation Secure Server CA | 57d8bdc
Not After: 31 Dec 2030 23:59:59 UTC (expires in 5 years 5 months)
Authentication: RSA 2048 bits (SHA384withRSA)
 View details

Subject DN	CN=Sectigo RSA Extended Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
Subject Key Identifier	2c69ff80c98790ae34e1b4e74c93859940e9a7b2
Serial	284e39c14b386d889c7299e58cd05a57
Not Before	02 Nov 2018 00:00:00 UTC
Not After	31 Dec 2030 23:59:59 UTC
Key Usage	digitalSignature, keyCertSign, cRLSign
Extended Key Usage	serverAuth, clientAuth
Issuer
Issuer DN	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Certification Authority	Sectigo
Validation Type	Not Applicable
Authority Key Identifier	keyid:5379bf5aaa2b4acf5480e1d89bc09df2b20366cb
Parent Certificate	http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
CRL	http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl
OCSP	http://ocsp.usertrust.com
CA certificate	Yes (pathlen 0)
Fingerprints
SHA1	a3df966d0cb2d84af8f16c855b97c49364f5d8c0
SHA256	57d8bdcd58955a5590a57c6aafa581ed9b96bed76fafee969b139187c5a872c7
SPKI SHA256	84427914d60fed9a4d20bc9266d26088fe94b56dc2958513445c571aa592590d

Intermediate certificate

USERTrust RSA Certification Authority | 68b9c76
Not After: 31 Dec 2028 23:59:59 UTC (expires in 3 years 5 months)
Authentication: RSA 4096 bits (SHA384withRSA)
 View details

Subject DN	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Subject Key Identifier	5379bf5aaa2b4acf5480e1d89bc09df2b20366cb
Serial	3972443af922b751d7d36c10dd313595
Not Before	12 Mar 2019 00:00:00 UTC
Not After	31 Dec 2028 23:59:59 UTC
Key Usage	digitalSignature, keyCertSign, cRLSign
Issuer
Issuer DN	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB
Certification Authority	Sectigo
Validation Type	Not Applicable
Authority Key Identifier	keyid:a0110a233e96f107ece2af29ef82a57fd030a4b4
CRL	http://crl.comodoca.com/AAACertificateServices.crl
OCSP	http://ocsp.comodoca.com
CA certificate	Yes (pathlen unlimited)
Fingerprints
SHA1	d89e3bd43d5d909b47a18977aa9d5ce36cee184c
SHA256	68b9c761219a5b1f0131784474665db61bbdb109e00f05ca9f74244ee5f5f52b
SPKI SHA256	c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde

Root certificate

AAA Certificate Services | d7a7a0f
Not After: 31 Dec 2028 23:59:59 UTC (expires in 3 years 5 months)
Authentication: RSA 2048 bits (SHA1withRSA)
 View details

Subject DN	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB
Subject Key Identifier	a0110a233e96f107ece2af29ef82a57fd030a4b4
Serial	01
Not Before	01 Jan 2004 00:00:00 UTC
Not After	31 Dec 2028 23:59:59 UTC
Key Usage	keyCertSign, cRLSign
Issuer
Issuer DN	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB
Certification Authority	Sectigo
Validation Type	Self-signed
CRL	http://crl.comodoca.com/AAACertificateServices.crl http://crl.comodo.net/AAACertificateServices.crl
CA certificate	Yes (pathlen unlimited)
Fingerprints
SHA1	d1eb23a46d17d68fd92564c2f1f1601764d8e349
SHA256	d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef4
SPKI SHA256	bd153ed7b0434f6886b17bce8bbe84ed340c7132d702a8f4fa318f756ecbd6f3

Certificate: namecheap.com

Leaf certificate www.namecheap.com
Issuer: Sectigo
Not Before: 10 Dec 2024 00:00:00 UTC
Not After: 07 Jan 2026 23:59:59 UTC (expires in 5 months 11 days)
Key: EC 256 bits
Signature: SHA256withECDSA
 View details

Names	www.namecheap.com namecheap.com
Subject DN	CN=www.namecheap.com, O="Namecheap, Inc.", ST=Arizona, C=US, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=4077265
Subject Key Identifier	70d73ad220eb387ee5ca76bdd59c796e2d4c0fbb
Serial	8df64d147e937115567c8c7c990cf83c
Not Before	10 Dec 2024 00:00:00 UTC
Not After	07 Jan 2026 23:59:59 UTC
Validity period	394 days
Key Usage	digitalSignature
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=Sectigo ECC Extended Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
Certification Authority	Sectigo
Validation Type	Extended Validation (EV)
Authority Key Identifier	keyid:efc12a950c32dafb7330dc8a13d8154bf713e8f8
Parent Certificate	http://crt.sectigo.com/SectigoECCExtendedValidationSecureServerCA.crt
CRL	http://crl.sectigo.com/SectigoECCExtendedValidationSecureServerCA.crl
OCSP	http://ocsp.sectigo.com
Certificate Transparency
Signed Certificate Timestamps	10 Dec 2024 15:07:00 UTC | Google 'Xenon2026h1' log | Qualified 10 Dec 2024 15:07:00 UTC | Let's Encrypt 'Oak2026h1' | Qualified 10 Dec 2024 15:07:00 UTC | Cloudflare 'Nimbus2026' | Qualified
Fingerprints
SHA1	400d973f8006d13ff706ed0dea30d4fd5ac18a2a
SHA256	95b450c3ba02ed9431bab4e0c2e5ab3f7b413e6579cb4da092cead72db26b375
SPKI SHA256	0cf4defa25d35298f3fa0d9cab42d742022dfcc773afc5f9e98220a2ebd328d0

Analysis

Good

Strong private key

Good. The private key associated with this certificate is secure.

Good

Strong signature algorithm

Good. This certificate uses a strong signature algorithm.

Good

Certificate matches hostname

Good. The provided certificate matches the expected hostnames.

Good

Certificate dates match

Good. The certificate is valid for use at this point of time.

Good

Certificate has not been revoked

Good. This certificate has not been revoked.

Good

Certificate satisfies Apple's CT compliance requirements

Good. This certificate satisfies Apple's CT requirements at present.

Certificate Trust

Determining whether a certificate is considered valid is a complicated process that depends on the exact configuration of the validating party. For trust to be established, the certificate must form a chain that ends with a trusted root. In this section we evaluate the server's certificate against major root stores.

Certificate Chain

For a server certificate to be valid, it must be presented as part of a complete and valid certificate chain. The last certificate in the chain should be the root and is usually not included in the configuration.

Leaf certificate

www.namecheap.com | 95b450c
Not After: 07 Jan 2026 23:59:59 UTC (expires in 5 months 11 days)
Authentication: EC 256 bits (SHA256withECDSA)
 View details

Names	www.namecheap.com namecheap.com
Subject DN	CN=www.namecheap.com, O="Namecheap, Inc.", ST=Arizona, C=US, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=4077265
Subject Key Identifier	70d73ad220eb387ee5ca76bdd59c796e2d4c0fbb
Serial	8df64d147e937115567c8c7c990cf83c
Not Before	10 Dec 2024 00:00:00 UTC
Not After	07 Jan 2026 23:59:59 UTC
Validity period	394 days
Key Usage	digitalSignature
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=Sectigo ECC Extended Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
Certification Authority	Sectigo
Validation Type	Extended Validation (EV)
Authority Key Identifier	keyid:efc12a950c32dafb7330dc8a13d8154bf713e8f8
Parent Certificate	http://crt.sectigo.com/SectigoECCExtendedValidationSecureServerCA.crt
CRL	http://crl.sectigo.com/SectigoECCExtendedValidationSecureServerCA.crl
OCSP	http://ocsp.sectigo.com
Certificate Transparency
Signed Certificate Timestamps	10 Dec 2024 15:07:00 UTC | Google 'Xenon2026h1' log | Qualified 10 Dec 2024 15:07:00 UTC | Let's Encrypt 'Oak2026h1' | Qualified 10 Dec 2024 15:07:00 UTC | Cloudflare 'Nimbus2026' | Qualified
Fingerprints
SHA1	400d973f8006d13ff706ed0dea30d4fd5ac18a2a
SHA256	95b450c3ba02ed9431bab4e0c2e5ab3f7b413e6579cb4da092cead72db26b375
SPKI SHA256	0cf4defa25d35298f3fa0d9cab42d742022dfcc773afc5f9e98220a2ebd328d0

Intermediate certificate

Sectigo ECC Extended Validation Secure Server CA | 1ffece0
Not After: 31 Dec 2030 23:59:59 UTC (expires in 5 years 5 months)
Authentication: EC 256 bits (SHA384withECDSA)
 View details

Subject DN	CN=Sectigo ECC Extended Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
Subject Key Identifier	efc12a950c32dafb7330dc8a13d8154bf713e8f8
Serial	80f5606d3a162b143adc12fbe8c2066f
Not Before	02 Nov 2018 00:00:00 UTC
Not After	31 Dec 2030 23:59:59 UTC
Key Usage	digitalSignature, keyCertSign, cRLSign
Extended Key Usage	serverAuth, clientAuth
Issuer
Issuer DN	CN=USERTrust ECC Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Certification Authority	Sectigo
Validation Type	Not Applicable
Authority Key Identifier	keyid:3ae10986d4cf19c29676744976dce035c663639a
Parent Certificate	http://crt.usertrust.com/USERTrustECCAddTrustCA.crt
CRL	http://crl.usertrust.com/USERTrustECCCertificationAuthority.crl
OCSP	http://ocsp.usertrust.com
CA certificate	Yes (pathlen 0)
Fingerprints
SHA1	7a164f53af93b80965ff9fdf446d5849b14b3fda
SHA256	1ffece09682f87024a2a44b2c987b1fccee3b2b5cf021efcf23869224a4ca154
SPKI SHA256	b4c7e0ec5a360aad6d67264b17baa389687ee49de4322517948ca7e15af99d7e

Intermediate certificate

USERTrust ECC Certification Authority | a6cf64d
Not After: 31 Dec 2028 23:59:59 UTC (expires in 3 years 5 months)
Authentication: EC 384 bits (SHA384withRSA)
 View details

Subject DN	CN=USERTrust ECC Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Subject Key Identifier	3ae10986d4cf19c29676744976dce035c663639a
Serial	56671d04ea4f994c6f10814759d27594
Not Before	12 Mar 2019 00:00:00 UTC
Not After	31 Dec 2028 23:59:59 UTC
Key Usage	digitalSignature, keyCertSign, cRLSign
Issuer
Issuer DN	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB
Certification Authority	Sectigo
Validation Type	Not Applicable
Authority Key Identifier	keyid:a0110a233e96f107ece2af29ef82a57fd030a4b4
CRL	http://crl.comodoca.com/AAACertificateServices.crl
OCSP	http://ocsp.comodoca.com
CA certificate	Yes (pathlen unlimited)
Fingerprints
SHA1	ca7788c32da1e4b7863a4fb57d00b55ddacbc7f9
SHA256	a6cf64dbb4c8d5fd19ce48896068db03b533a8d1336c6256a87d00cbb3def3ea
SPKI SHA256	2021917e98263945c859c43f1d73cb4139053c414fa03ca3bc7ee88614298f3b

Root certificate

AAA Certificate Services | d7a7a0f
Not After: 31 Dec 2028 23:59:59 UTC (expires in 3 years 5 months)
Authentication: RSA 2048 bits (SHA1withRSA)
 View details

Subject DN	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB
Subject Key Identifier	a0110a233e96f107ece2af29ef82a57fd030a4b4
Serial	01
Not Before	01 Jan 2004 00:00:00 UTC
Not After	31 Dec 2028 23:59:59 UTC
Key Usage	keyCertSign, cRLSign
Issuer
Issuer DN	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB
Certification Authority	Sectigo
Validation Type	Self-signed
CRL	http://crl.comodoca.com/AAACertificateServices.crl http://crl.comodo.net/AAACertificateServices.crl
CA certificate	Yes (pathlen unlimited)
Fingerprints
SHA1	d1eb23a46d17d68fd92564c2f1f1601764d8e349
SHA256	d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef4
SPKI SHA256	bd153ed7b0434f6886b17bce8bbe84ed340c7132d702a8f4fa318f756ecbd6f3

Certificate: www.namecheap.com

Leaf certificate www.namecheap.com
Issuer: Sectigo
Not Before: 10 Dec 2024 00:00:00 UTC
Not After: 07 Jan 2026 23:59:59 UTC (expires in 5 months 11 days)
Key: EC 256 bits
Signature: SHA256withECDSA
 View details

Names	www.namecheap.com namecheap.com
Subject DN	CN=www.namecheap.com, O="Namecheap, Inc.", ST=Arizona, C=US, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=4077265
Subject Key Identifier	70d73ad220eb387ee5ca76bdd59c796e2d4c0fbb
Serial	8df64d147e937115567c8c7c990cf83c
Not Before	10 Dec 2024 00:00:00 UTC
Not After	07 Jan 2026 23:59:59 UTC
Validity period	394 days
Key Usage	digitalSignature
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=Sectigo ECC Extended Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
Certification Authority	Sectigo
Validation Type	Extended Validation (EV)
Authority Key Identifier	keyid:efc12a950c32dafb7330dc8a13d8154bf713e8f8
Parent Certificate	http://crt.sectigo.com/SectigoECCExtendedValidationSecureServerCA.crt
CRL	http://crl.sectigo.com/SectigoECCExtendedValidationSecureServerCA.crl
OCSP	http://ocsp.sectigo.com
Certificate Transparency
Signed Certificate Timestamps	10 Dec 2024 15:07:00 UTC | Google 'Xenon2026h1' log | Qualified 10 Dec 2024 15:07:00 UTC | Let's Encrypt 'Oak2026h1' | Qualified 10 Dec 2024 15:07:00 UTC | Cloudflare 'Nimbus2026' | Qualified
Fingerprints
SHA1	400d973f8006d13ff706ed0dea30d4fd5ac18a2a
SHA256	95b450c3ba02ed9431bab4e0c2e5ab3f7b413e6579cb4da092cead72db26b375
SPKI SHA256	0cf4defa25d35298f3fa0d9cab42d742022dfcc773afc5f9e98220a2ebd328d0

Analysis

Good

Strong private key

Good. The private key associated with this certificate is secure.

Good

Strong signature algorithm

Good. This certificate uses a strong signature algorithm.

Good

Certificate matches hostname

Good. The provided certificate matches the expected hostnames.

Good

Certificate dates match

Good. The certificate is valid for use at this point of time.

Good

Certificate has not been revoked

Good. This certificate has not been revoked.

Good

Certificate satisfies Apple's CT compliance requirements

Good. This certificate satisfies Apple's CT requirements at present.

Certificate Trust

Determining whether a certificate is considered valid is a complicated process that depends on the exact configuration of the validating party. For trust to be established, the certificate must form a chain that ends with a trusted root. In this section we evaluate the server's certificate against major root stores.

Certificate Chain

For a server certificate to be valid, it must be presented as part of a complete and valid certificate chain. The last certificate in the chain should be the root and is usually not included in the configuration.

Leaf certificate

www.namecheap.com | 95b450c
Not After: 07 Jan 2026 23:59:59 UTC (expires in 5 months 11 days)
Authentication: EC 256 bits (SHA256withECDSA)
 View details

Names	www.namecheap.com namecheap.com
Subject DN	CN=www.namecheap.com, O="Namecheap, Inc.", ST=Arizona, C=US, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=4077265
Subject Key Identifier	70d73ad220eb387ee5ca76bdd59c796e2d4c0fbb
Serial	8df64d147e937115567c8c7c990cf83c
Not Before	10 Dec 2024 00:00:00 UTC
Not After	07 Jan 2026 23:59:59 UTC
Validity period	394 days
Key Usage	digitalSignature
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=Sectigo ECC Extended Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
Certification Authority	Sectigo
Validation Type	Extended Validation (EV)
Authority Key Identifier	keyid:efc12a950c32dafb7330dc8a13d8154bf713e8f8
Parent Certificate	http://crt.sectigo.com/SectigoECCExtendedValidationSecureServerCA.crt
CRL	http://crl.sectigo.com/SectigoECCExtendedValidationSecureServerCA.crl
OCSP	http://ocsp.sectigo.com
Certificate Transparency
Signed Certificate Timestamps	10 Dec 2024 15:07:00 UTC | Google 'Xenon2026h1' log | Qualified 10 Dec 2024 15:07:00 UTC | Let's Encrypt 'Oak2026h1' | Qualified 10 Dec 2024 15:07:00 UTC | Cloudflare 'Nimbus2026' | Qualified
Fingerprints
SHA1	400d973f8006d13ff706ed0dea30d4fd5ac18a2a
SHA256	95b450c3ba02ed9431bab4e0c2e5ab3f7b413e6579cb4da092cead72db26b375
SPKI SHA256	0cf4defa25d35298f3fa0d9cab42d742022dfcc773afc5f9e98220a2ebd328d0

Intermediate certificate

Sectigo ECC Extended Validation Secure Server CA | 1ffece0
Not After: 31 Dec 2030 23:59:59 UTC (expires in 5 years 5 months)
Authentication: EC 256 bits (SHA384withECDSA)
 View details

Subject DN	CN=Sectigo ECC Extended Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
Subject Key Identifier	efc12a950c32dafb7330dc8a13d8154bf713e8f8
Serial	80f5606d3a162b143adc12fbe8c2066f
Not Before	02 Nov 2018 00:00:00 UTC
Not After	31 Dec 2030 23:59:59 UTC
Key Usage	digitalSignature, keyCertSign, cRLSign
Extended Key Usage	serverAuth, clientAuth
Issuer
Issuer DN	CN=USERTrust ECC Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Certification Authority	Sectigo
Validation Type	Not Applicable
Authority Key Identifier	keyid:3ae10986d4cf19c29676744976dce035c663639a
Parent Certificate	http://crt.usertrust.com/USERTrustECCAddTrustCA.crt
CRL	http://crl.usertrust.com/USERTrustECCCertificationAuthority.crl
OCSP	http://ocsp.usertrust.com
CA certificate	Yes (pathlen 0)
Fingerprints
SHA1	7a164f53af93b80965ff9fdf446d5849b14b3fda
SHA256	1ffece09682f87024a2a44b2c987b1fccee3b2b5cf021efcf23869224a4ca154
SPKI SHA256	b4c7e0ec5a360aad6d67264b17baa389687ee49de4322517948ca7e15af99d7e

Intermediate certificate

USERTrust ECC Certification Authority | a6cf64d
Not After: 31 Dec 2028 23:59:59 UTC (expires in 3 years 5 months)
Authentication: EC 384 bits (SHA384withRSA)
 View details

Subject DN	CN=USERTrust ECC Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Subject Key Identifier	3ae10986d4cf19c29676744976dce035c663639a
Serial	56671d04ea4f994c6f10814759d27594
Not Before	12 Mar 2019 00:00:00 UTC
Not After	31 Dec 2028 23:59:59 UTC
Key Usage	digitalSignature, keyCertSign, cRLSign
Issuer
Issuer DN	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB
Certification Authority	Sectigo
Validation Type	Not Applicable
Authority Key Identifier	keyid:a0110a233e96f107ece2af29ef82a57fd030a4b4
CRL	http://crl.comodoca.com/AAACertificateServices.crl
OCSP	http://ocsp.comodoca.com
CA certificate	Yes (pathlen unlimited)
Fingerprints
SHA1	ca7788c32da1e4b7863a4fb57d00b55ddacbc7f9
SHA256	a6cf64dbb4c8d5fd19ce48896068db03b533a8d1336c6256a87d00cbb3def3ea
SPKI SHA256	2021917e98263945c859c43f1d73cb4139053c414fa03ca3bc7ee88614298f3b

Root certificate

AAA Certificate Services | d7a7a0f
Not After: 31 Dec 2028 23:59:59 UTC (expires in 3 years 5 months)
Authentication: RSA 2048 bits (SHA1withRSA)
 View details

Subject DN	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB
Subject Key Identifier	a0110a233e96f107ece2af29ef82a57fd030a4b4
Serial	01
Not Before	01 Jan 2004 00:00:00 UTC
Not After	31 Dec 2028 23:59:59 UTC
Key Usage	keyCertSign, cRLSign
Issuer
Issuer DN	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB
Certification Authority	Sectigo
Validation Type	Self-signed
CRL	http://crl.comodoca.com/AAACertificateServices.crl http://crl.comodo.net/AAACertificateServices.crl
CA certificate	Yes (pathlen unlimited)
Fingerprints
SHA1	d1eb23a46d17d68fd92564c2f1f1601764d8e349
SHA256	d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef4
SPKI SHA256	bd153ed7b0434f6886b17bce8bbe84ed340c7132d702a8f4fa318f756ecbd6f3

Certificate: www.namecheap.com

Leaf certificate www.namecheap.com
Issuer: Sectigo
Not Before: 09 Dec 2024 00:00:00 UTC
Not After: 07 Jan 2026 23:59:59 UTC (expires in 5 months 11 days)
Key: RSA 2048 bits
Signature: SHA256withRSA
 View details

Names	www.namecheap.com namecheap.com
Subject DN	CN=www.namecheap.com, O="Namecheap, Inc.", ST=Arizona, C=US, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=4077265
Subject Key Identifier	e96b7fc8ef4b91f69dba9e964ecc0149661881fd
Serial	ba5ba41e3cfc93fdc2ca84fbaebae650
Not Before	09 Dec 2024 00:00:00 UTC
Not After	07 Jan 2026 23:59:59 UTC
Validity period	395 days
Key Usage	digitalSignature, keyEncipherment
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=Sectigo RSA Extended Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
Certification Authority	Sectigo
Validation Type	Extended Validation (EV)
Authority Key Identifier	keyid:2c69ff80c98790ae34e1b4e74c93859940e9a7b2
Parent Certificate	http://crt.sectigo.com/SectigoRSAExtendedValidationSecureServerCA.crt
CRL	http://crl.sectigo.com/SectigoRSAExtendedValidationSecureServerCA.crl
OCSP	http://ocsp.sectigo.com
Certificate Transparency
Signed Certificate Timestamps	09 Dec 2024 19:38:22 UTC | Google 'Xenon2026h1' log | Qualified 09 Dec 2024 19:38:21 UTC | Let's Encrypt 'Oak2026h1' | Qualified 09 Dec 2024 19:38:22 UTC | Cloudflare 'Nimbus2026' | Qualified
Fingerprints
SHA1	a6ee04935a9a5d0ee81f74a101f0dfef73884b32
SHA256	6dc4a3542f0f84db376afa074ddc5b62e86700a64585b6ef97e454fd5696efc7
SPKI SHA256	cd205685e04db90035304db21aa3392bb8530604d2de79954d902a0480b185fc

Analysis

Good

Strong private key

Good. The private key associated with this certificate is secure.

Good

Strong signature algorithm

Good. This certificate uses a strong signature algorithm.

Good

Certificate matches hostname

Good. The provided certificate matches the expected hostnames.

Good

Certificate dates match

Good. The certificate is valid for use at this point of time.

Good

Certificate has not been revoked

Good. This certificate has not been revoked.

Good

Certificate satisfies Apple's CT compliance requirements

Good. This certificate satisfies Apple's CT requirements at present.

Certificate Trust

Determining whether a certificate is considered valid is a complicated process that depends on the exact configuration of the validating party. For trust to be established, the certificate must form a chain that ends with a trusted root. In this section we evaluate the server's certificate against major root stores.

Certificate Chain

For a server certificate to be valid, it must be presented as part of a complete and valid certificate chain. The last certificate in the chain should be the root and is usually not included in the configuration.

Leaf certificate

www.namecheap.com | 6dc4a35
Not After: 07 Jan 2026 23:59:59 UTC (expires in 5 months 11 days)
Authentication: RSA 2048 bits (SHA256withRSA)
 View details

Names	www.namecheap.com namecheap.com
Subject DN	CN=www.namecheap.com, O="Namecheap, Inc.", ST=Arizona, C=US, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=4077265
Subject Key Identifier	e96b7fc8ef4b91f69dba9e964ecc0149661881fd
Serial	ba5ba41e3cfc93fdc2ca84fbaebae650
Not Before	09 Dec 2024 00:00:00 UTC
Not After	07 Jan 2026 23:59:59 UTC
Validity period	395 days
Key Usage	digitalSignature, keyEncipherment
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=Sectigo RSA Extended Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
Certification Authority	Sectigo
Validation Type	Extended Validation (EV)
Authority Key Identifier	keyid:2c69ff80c98790ae34e1b4e74c93859940e9a7b2
Parent Certificate	http://crt.sectigo.com/SectigoRSAExtendedValidationSecureServerCA.crt
CRL	http://crl.sectigo.com/SectigoRSAExtendedValidationSecureServerCA.crl
OCSP	http://ocsp.sectigo.com
Certificate Transparency
Signed Certificate Timestamps	09 Dec 2024 19:38:22 UTC | Google 'Xenon2026h1' log | Qualified 09 Dec 2024 19:38:21 UTC | Let's Encrypt 'Oak2026h1' | Qualified 09 Dec 2024 19:38:22 UTC | Cloudflare 'Nimbus2026' | Qualified
Fingerprints
SHA1	a6ee04935a9a5d0ee81f74a101f0dfef73884b32
SHA256	6dc4a3542f0f84db376afa074ddc5b62e86700a64585b6ef97e454fd5696efc7
SPKI SHA256	cd205685e04db90035304db21aa3392bb8530604d2de79954d902a0480b185fc