Certificate Analyzer
Analyze and inspect X.509 SSL/TLS certificates. View certificate details including subject, issuer, validity period, extensions, key usage, and fingerprints.
Input
Output
| Attribute | Value |
|---|---|
| No data available | |
| Attribute | Value |
|---|---|
| No data available | |
| Extension | Critical | Value |
|---|---|---|
| No data available | ||
Readme
What is an SSL/TLS certificate?
An SSL/TLS certificate is a digital document that authenticates the identity of a website and enables encrypted connections. When you see a padlock icon in your browser's address bar, it means the site has a valid certificate establishing a secure HTTPS connection.
Certificates contain crucial information including the domain name, issuing authority, validity period, and cryptographic keys. They work on a chain of trust model where Certificate Authorities (CAs) vouch for the authenticity of websites. Understanding certificate details is essential for security professionals, developers, and system administrators who need to verify secure connections and troubleshoot SSL/TLS issues.
Tool description
This certificate analyzer parses and displays detailed information from X.509 SSL/TLS certificates. Upload a certificate file (PEM, CRT, CER, or DER format) or paste PEM-encoded certificate text to instantly view all certificate attributes, extensions, and validity status.
Examples
Input (PEM format):
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAJC1HiIAZAiUMA0Gcg...
-----END CERTIFICATE-----Output:
- Version: v3
- Serial Number: 00:90:B5:1E:22:00:64:08:94
- Signature Algorithm: SHA-256 with RSA
- Subject: CN=example.com, O=Example Inc, C=US
- Issuer: CN=Let's Encrypt Authority X3
- Valid From: Jan 1, 2024, 00:00:00
- Valid To: Apr 1, 2024, 23:59:59
- SHA-256 Fingerprint: A1:B2:C3:D4:E5:F6...
Features
- Multiple input formats: Supports PEM, DER, CRT, and CER certificate files
- Validity checking: Instantly shows if certificate is valid, expired, or not yet valid
- Extension parsing: Decodes Key Usage, Extended Key Usage, Subject Alternative Names, Basic Constraints, and more
- Fingerprint calculation: Computes SHA-1 and SHA-256 fingerprints for certificate verification
- Self-signed detection: Identifies whether a certificate is self-signed or issued by a CA
Use cases
- SSL troubleshooting: Diagnose certificate errors by examining expiration dates, subject names, and certificate chain issues
- Security auditing: Verify that certificates use strong signature algorithms and appropriate key sizes
- Development testing: Inspect self-signed certificates and test certificates during application development
Supported formats
| Format | Extension | Description |
|---|---|---|
| PEM | .pem, .crt | Base64-encoded certificate with header/footer markers |
| DER | .der, .cer | Binary ASN.1 encoded certificate |
| CRT | .crt | Can be either PEM or DER format |
| CER | .cer | Can be either PEM or DER format |
Information displayed
General Information:
- Certificate version (v1, v2, or v3)
- Serial number
- Signature algorithm (SHA-256 with RSA, ECDSA, Ed25519, etc.)
- Public key algorithm and size
Subject and Issuer Details:
- Common Name (CN)
- Organization (O)
- Organizational Unit (OU)
- Country (C), State (ST), Locality (L)
- Email address
- Domain Components (DC)
Validity Period:
- Not Before (valid from)
- Not After (valid to)
- Current validity status
Extensions:
- Basic Constraints (CA certificate indicator)
- Key Usage (Digital Signature, Key Encipherment, etc.)
- Extended Key Usage (Server/Client Authentication, Code Signing)
- Subject Alternative Names (additional domains and IPs)
- Authority/Subject Key Identifiers
- CRL Distribution Points
- Authority Information Access
Fingerprints:
- SHA-1 fingerprint
- SHA-256 fingerprint
Options explained
- File Upload: Drag and drop or browse to select a certificate file from your computer
- Paste Text: Manually paste PEM-encoded certificate content directly into the text area
Tips
- If you receive a certificate chain file, only the first certificate will be parsed
- PEM certificates must include the
-----BEGIN CERTIFICATE-----and-----END CERTIFICATE-----markers - Use SHA-256 fingerprints for certificate pinning as SHA-1 is considered deprecated
- Self-signed certificates will show matching Subject and Issuer fields
FAQ
Q: Why does my certificate show as expired? A: The tool compares the certificate's "Not After" date with the current time. Certificates typically expire after 90 days to 1 year depending on the issuing CA.
Q: What's the difference between PEM and DER format? A: PEM is Base64-encoded text with header/footer markers, making it human-readable and easy to copy. DER is the binary equivalent, more compact but not viewable as text.
Q: What does "Self-Signed" mean? A: A self-signed certificate is one where the Subject and Issuer are identical, meaning it wasn't issued by a trusted Certificate Authority. These are common in development but cause browser warnings in production.
Q: Why can't I see the private key? A: This tool only analyzes the public certificate. Private keys are stored separately and should never be shared or uploaded to online tools.