PEM Toolkit - Split, Fingerprint & TLSA/DANE Generator

PEM Toolkit (Split, Fingerprint, SPKI Pin, TLSA)

Paste PEM (certs/keys/CSRs) here

What Is PEM?
#

PEM (Privacy-Enhanced Mail) is a Base64-encoded format for storing cryptographic objects like certificates, private keys, and certificate signing requests. PEM files use distinctive headers and footers:

1
2
3
-----BEGIN CERTIFICATE-----
MIIBxTCCAW...
-----END CERTIFICATE-----

Common PEM Block Types
#

CERTIFICATE: X.509 certificates
PRIVATE KEY: PKCS#8 private keys
RSA PRIVATE KEY: PKCS#1 RSA private keys
CERTIFICATE REQUEST: CSRs (Certificate Signing Requests)
PUBLIC KEY: SPKI-encoded public keys

Available Functions
#

Split PEM Bundle
#

Separate a PEM file containing multiple blocks (e.g., leaf certificate + intermediates) into individual blocks for inspection or use.

Compute Fingerprints / Pins
#

For certificates, compute:

SHA-256 Fingerprint: Standard certificate fingerprint
SPKI Pin: Subject Public Key Info hash used for certificate pinning (RFC 7469)
TLSA/DANE Records: DNS-based Authentication of Named Entities record data

Privacy & Security
#

This tool runs entirely in your browser:

No Server Communication: Your PEM data never leaves your device
No Storage: Nothing is saved to localStorage, cookies, or servers
node-forge: Uses the widely-used node-forge library for certificate parsing

Frequently Asked Questions
#

What is SPKI pinning?
#

SPKI (Subject Public Key Info) pinning associates a host with its expected public key. The pin is a SHA-256 hash of the certificate’s public key info, encoded in Base64. It’s used in HTTP Public Key Pinning (HPKP) and similar mechanisms.

What are TLSA/DANE records?
#

TLSA records are DNS records that associate a TLS certificate or public key with the domain name. DANE (DNS-based Authentication of Named Entities) uses DNSSEC to publish and verify these associations, providing an alternative to traditional CA-based trust.

What do the TLSA mode numbers mean?
#

The three numbers represent:

Certificate Usage: 3 = DANE-EE (end entity), 2 = DANE-TA (trust anchor)
Selector: 1 = SPKI (public key info)
Matching Type: 1 = SHA-256, 2 = SHA-512

Related Tools
#

SSL Tools - Certificate validation, chain verification, and CSR generation
SSH Key Generator - Generate SSH key pairs for server access
GPG Key Generator - Generate GPG/PGP key pairs for signing and encryption

PEM Toolkit - Split, Fingerprint & TLSA/DANE Generator

Detected Blocks

SPKI Pin (sha256)

TLSA (DANE) Helper

What Is PEM?
#

Common PEM Block Types
#

Available Functions
#

Split PEM Bundle
#

Compute Fingerprints / Pins
#

Privacy & Security
#

Frequently Asked Questions
#

What is SPKI pinning?
#

What are TLSA/DANE records?
#

What do the TLSA mode numbers mean?
#

Related Tools
#

Detected Blocks

SPKI Pin (sha256)

TLSA (DANE) Helper

What Is PEM?#

Common PEM Block Types#

Available Functions#

Split PEM Bundle#

Compute Fingerprints / Pins#

Privacy & Security#

Frequently Asked Questions#

What is SPKI pinning?#

What are TLSA/DANE records?#

What do the TLSA mode numbers mean?#

Related Tools#

What Is PEM?
#

Common PEM Block Types
#

Available Functions
#

Split PEM Bundle
#

Compute Fingerprints / Pins
#

Privacy & Security
#

Frequently Asked Questions
#

What is SPKI pinning?
#

What are TLSA/DANE records?
#

What do the TLSA mode numbers mean?
#

Related Tools
#