SSL Tools - Certificate Validator, Chain Verifier & Key Generator

What Are SSL/TLS Certificates?

SSL/TLS certificates are digital documents that authenticate the identity of a website and enable encrypted connections. They form the foundation of secure internet communication, ensuring that data transmitted between browsers and servers remains private and tamper-proof.

Certificate Components

An X.509 certificate contains several key elements:

1. Subject: The entity the certificate identifies (e.g., domain name)
2. Issuer: The Certificate Authority (CA) that issued the certificate
3. Validity Period: When the certificate is valid (Not Before / Not After)
4. Public Key: Used for encryption and signature verification
5. Subject Alternative Names (SANs): Additional hostnames covered by the certificate
6. Extensions: Additional metadata like key usage and constraints

Available Tools

SSL Certificate Validator

Paste a PEM-encoded certificate to analyze its structure, validity, and common issues:

• Validity Check: Verify if the certificate is within its valid date range
• Hostname Match: Test if a hostname matches the certificate’s SAN or CN
• Key Strength Analysis: Detect weak RSA key sizes
• Extension Review: See all certificate extensions
• Lint Findings: Actionable diagnostics for common misconfigurations

SSL Chain Verifier

Debug certificate chain issues by pasting a PEM bundle:

• Chain Path Resolution: Visualize the certificate chain from leaf to root
• Signature Verification: Verify cryptographic links between certificates
• Missing Intermediate Detection: Identify broken chains
• CA Constraint Checks: Ensure proper basicConstraints settings

CSR Generator

Create Certificate Signing Requests with custom subject and SAN entries:

• Key Types: RSA (2048/3072/4096) or ECDSA (P-256/P-384/P-521)
• SAN Support: DNS, IP, URI, and EMAIL types
• Hash Algorithms: SHA-256, SHA-384, SHA-512
• Key Pair Output: CSR, private key, and public key in PEM format

CSR Decoder

Decode and inspect existing Certificate Signing Requests:

• Subject Analysis: View the requested subject DN
• Public Key Info: See key type and size
• Extension Requests: Review requested SANs and extensions

SSH Key Generator

Generate SSH key pairs using browser WebCrypto:

• Key Types: RSA, ECDSA, Ed25519 (browser support varies)
• OpenSSH Format: Public key in standard OpenSSH format
• Fingerprint: SHA-256 fingerprint matching ssh-keygen -lf output

GPG/PGP Key Generator

Create OpenPGP key pairs for signing and encryption:

• Key Types: RSA (2048-4096) or ECC (Curve25519, P-256, P-384, P-521)
• Expiration Options: 1 year, 2 years, or never
• Passphrase Protection: Optional encryption of private key
• ASCII Armored Output: Standard PGP format

PEM Toolkit

Split PEM bundles and compute fingerprints:

• Block Detection: Identify all PEM blocks in a bundle
• SPKI Pin Calculation: Generate certificate pinning hashes
• TLSA/DANE Records: Compute DANE DNS record data

Privacy & Security

All tools on this page run entirely in your browser:

• No Server Communication: Your certificates, keys, and CSRs never leave your device
• No Storage: Nothing is saved to localStorage, cookies, or servers
• File Uploads: Files are read into memory only
• Clear Functions: Quickly remove sensitive data from the page

Common Use Cases

Debugging TLS Handshake Failures

When clients report “certificate error” or “SSL handshake failed”:

1. Export the server’s certificate chain: openssl s_client -connect host:443 -showcerts
2. Paste the PEM bundle into the Chain Verifier
3. Look for missing intermediates or signature verification failures
4. Check if any certificates are expired or not yet valid

Validating Certificate Before Deployment

Before installing a new certificate:

1. Paste the certificate PEM into the Validator
2. Enter the target hostname to verify SAN/CN match
3. Check expiration dates and key strength
4. Review lint findings for potential issues

Creating CSRs for Let’s Encrypt or CA Requests

When you need a CSR for certificate renewal:

1. Use the CSR Generator with your domain’s subject DN
2. Add all required SANs (including www subdomain if needed)
3. Copy the CSR and submit to your CA
4. Store the private key securely

Generating SSH Keys for Server Access

For quick SSH key pair generation:

1. Select key type (RSA 3072+ or Ed25519 recommended)
2. Add an optional comment for identification
3. Copy the public key to ~/.ssh/authorized_keys on the server
4. Save the private key securely

OpenSSL Command Reference

Common commands for certificate operations:

# View certificate details
openssl x509 -in cert.pem -noout -text

# Verify certificate chain
openssl verify -CAfile root.pem -untrusted intermediate.pem leaf.pem

# Fetch certificate from server
openssl s_client -connect host:443 -servername host -showcerts

# Decode CSR
openssl req -in request.csr -noout -text

# Generate RSA private key
openssl genrsa -out key.pem 3072

# Generate CSR from existing key
openssl req -new -key key.pem -out request.csr

# Convert PEM to DER
openssl x509 -in cert.pem -outform DER -out cert.der

Frequently Asked Questions

Is it safe to paste certificates into this tool?

Yes, public certificates are safe to paste anywhere. The tool never communicates with any server - everything runs in your browser. However, you should never paste private keys into any web tool, including this one. For private key operations, use local tools like openssl or ssh-keygen.

Why does chain verification fail?

Common causes of chain verification failure:

• Missing intermediate: The server isn’t sending all required intermediate certificates
• Wrong order: Certificates are not in leaf → intermediate → root order
• Expired certificate: One or more certificates in the chain has expired
• Self-signed without trust: A self-signed certificate isn’t marked as a trust anchor

What’s the difference between CN and SAN?

CN (Common Name) was historically used for the domain name in certificates. SAN (Subject Alternative Name) is the modern standard for specifying hostnames. Most TLS clients now require the hostname to be in SAN; CN-only certificates will fail in many browsers.

Why is my RSA 2048 key flagged?

RSA 2048 remains widely supported but many organizations now prefer 3072+ for new certificates due to longer certificate lifetimes. The lint finding is informational, not an error.

Can I generate production keys with this tool?

While the keys are cryptographically valid, it’s recommended to generate production keys using local tools (openssl, ssh-keygen, gpg) that don’t involve a browser environment. Use this tool for testing and learning.

Related Tools

Explore our other DevOps tools:

• Password Generator - Generate cryptographically secure passwords
• Regex Lab - Test and debug regular expressions
• kubectl Builder - Visual kubectl command builder
• JWT Tools - Decode and create JSON Web Tokens

Need help? All code is open-source. Visit our GitHub or contact us with questions or feedback.