Probes a hostname for cert lifetime, renewal cadence, CT log inclusion, public-key reuse across renewals (the often-missed harvest-now-decrypt-later amplifier — same private key reissued via cert renewal = same exposure), issuer signal, and SAN bloat. Pairs with the PQC Analyzer for the cipher / KEX side and the Security Headers Audit for the HTTP-layer complement.
Live TLS probe via the existing PQC probe endpoint, plus crt.sh for the historical CT-log issuance trail.