Check in JavaScript if an SSL Certificate is valid

Question

Is there a way to check in JavaScript if given a host its SSL certificate is valid? (non blocking)

In my case, I want to display: "you can also use https://.." if via JavaScript I can make a request to https://my_url without being asked to accept an untrusted certificate.

Can this be done asynchronously?

Answer 1

The question doesn't make sense. You can't get the server's SSL certificate without opening an SSL connection to it, and once you've done that, telling the user they can do that too is a bit pointless.

Answer 2

Take a look here: https://support.mozilla.org/pl/questions/923494

<img src="https://the_site/the_image" onerror="redirectToCertPage()">

This solution is tested and working in current versions of FF and Chrome (as of 2022):

<script> var sslCertTrusted = false; </script>
<script src="https://example.com/ssltest.js"></script>
<script> 
    if (!sslCertTrusted) 
    {
        alert('Sorry, you need to install the certificate first.');
        window.location.replace('http://example.com/cert_install_instructions/');
    }
    else
    {
        // alert('Redirecting to secure connection')
        window.location.replace('https://example.com/');
    }
<script>

You of course need to make your web server return this code under the URL https://example.com/ssltest.js:

sslCertTrusted = true;

I'm not exactly sure about the details. But I've seen similar technology used to detect adblocking etc. You may need to piggyback on the window object maybe, if the variable can't be modified by another script, but generally making the above proof of concept work is left as an exercise to the reader.

Answer 3

What I've found up to now - it is possible with Firefox, don't know yet about other browsers:

https://developer.mozilla.org/En/How_to_check_the_security_state_of_an_XMLHTTPRequest_over_SSL

Answer 4

The straight answer is no. Javascript does not provide any means of validating certificates. This is a job left to the browser.

A better approach to this problem is from the server side. If you are controlling the site, than you can render down a variable on the page with information gleaned on the server side.

In .Net something like

var canSecure = <%= MySiteHasSsl ? "true" : "false" %>;
if (canSecure) {
    if (confirm("This site supports SSL encryption. Would you like to switch to a secure connection?")) {
        location.href = "https://mysite.com";
    }
}

Answer 5

I'm not quite sure what your use case is. If you are just trying to "check ahead of time" before you provide a link to someone for another website then the other answers here will be more relevant than mine.

If you are expecting mysite.com to use an SSL certificate that isn't trusted by default in the browser but you have another way of knowing it should be trusted, then you could use a JavaScript TLS implementation to make cross-domain requests to that other site. However, this requires that your website be served on https and trusted in the browser to begin with and the other site to provide a Flash cross-domain policy file.

If this sounds anything like what you want to do, check out the open source Forge project at github:

http://github.com/digitalbazaar/forge/blob/master/README.md

Answer 6

Useful notice: navigator.clipboard will be undefined on Chrome browsers if there's no valid SSL certificate.

Answer 7

You could run a server elsewhere that handles certificate checks based on whatever you want, then your javascript application sends a request to that server asking for a checkup. This does require that you have at least one server somewhere in the world that you can trust.

A query of this nature can be done in the background quite easily.