SSL Certificate Checker

Paste a PEM certificate (`-----BEGIN CERTIFICATE-----`). We decode the base64 to DER, walk the ASN.1 structure, and extract: version, serial, signature algorithm, full subject + issuer DNs (CN, O, OU, C, …), validity period with days-till-expiry, public key algorithm + RSA bit length or EC curve, Subject Alternative Names (DNS + IP), key usage, extended key usage, basic constraints, and a SHA-256 fingerprint over the full DER. 100% offline.

What is the SSL Certificate Checker?

SSL Certificate Checker is a hand-rolled X.509 parser: no `node-forge`, no `pkijs`, no `asn1.js`. PEM is decoded to raw DER bytes, then we walk the ASN.1 structure to extract every field a TLS engineer cares about. Subject and issuer Distinguished Names are unpacked into their RDN attribute-value pairs (CN, O, OU, C, L, ST, …) and re-joined into the standard comma-separated form. The validity period parser handles both UTCTime (pre-2050) and GeneralizedTime, and the days-till-expiry figure is shown as the primary headline number. The SubjectPublicKeyInfo is inspected: RSA keys get their modulus length read out of the inner DER for a precise bit count; EC keys get their curve OID resolved to the human-readable name (prime256v1 / secp384r1 / secp521r1). The v3 extensions parsed are SubjectAltName (DNS, IP, email, URI), BasicConstraints (CA flag), KeyUsage (9-bit flags) and ExtendedKeyUsage (serverAuth, clientAuth, codeSigning, etc.). The SHA-256 fingerprint of the full DER is computed via Web Crypto and rendered as colon-separated hex. The Findings panel flags expired or expiring certs, sub-2048-bit RSA, SHA-1 signatures (deprecated since 2017), and a missing SAN.

How to use it

  1. Get a PEM: `openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509`.
  2. Paste between (and including) the BEGIN/END CERTIFICATE markers.
  3. Read the headline: days till expiry, total bytes, SAN count, key bits.
  4. Scroll through Findings for any errors or warnings.
  5. Use the detail panel for subject, issuer, validity dates, key info and SHA-256 fingerprint.

Benefits

  • Hand-rolled ASN.1 DER parser — no heavy third-party dependency.
  • Full subject + issuer DN expansion (CN, O, OU, C, L, ST, emailAddress, etc.).
  • Validity period parses both UTCTime and GeneralizedTime; computes days-till-expiry.
  • RSA key bit length read precisely from the modulus DER (not estimated from PEM size).
  • EC curve name resolved (P-256 / P-384 / P-521).
  • SubjectAltName with DNS, IP, email and URI variants surfaced.
  • Key usage and Extended Key Usage flag arrays decoded.
  • SHA-256 fingerprint computed via Web Crypto over the raw DER.
  • Warnings for expired certificates, sub-2048-bit RSA, SHA-1 signatures, missing SAN.
  • Runs 100% in your browser — your private cert never leaves your machine.

Frequently asked questions

Can I paste a PFX or DER directly?

Not yet — only PEM (base64-armored). Convert with: `openssl x509 -inform DER -in cert.der -out cert.pem`. PFX requires extracting the cert with: `openssl pkcs12 -in cert.pfx -nokeys -out cert.pem`.

Does it fetch certificates from a URL?

No — the site is statically exported and the browser's same-origin policy would block third-party fetches. Use `openssl s_client` or your browser's certificate viewer to extract the PEM, then paste here.

Why does it warn about my private root certificate?

We treat sub-2048 RSA, SHA-1 signatures, and missing SAN as warnings because they're issues on the public web. Internal CAs sometimes intentionally use older configurations — read the finding in context.

Can it validate the chain?

No, only the single certificate you paste. To validate the chain, paste each cert in order and inspect their issuer/subject DNs to verify the linkage. Matching DNs confirms name chaining only; it does not verify any signature.

What if my PEM has a passphrase?

X.509 certificates are not encrypted — only private keys are. If your file is `-----BEGIN ENCRYPTED PRIVATE KEY-----`, that's the wrong kind of PEM; you want the certificate.

Why is the fingerprint computed async?

Web Crypto's `subtle.digest` is Promise-based, so the fingerprint appears shortly after the parse completes; it is the only field rendered below the synchronous output.

Does it handle multi-cert PEMs?

Only the first certificate block. Split chained PEMs into separate files and inspect one at a time.

What ASN.1 features are not supported?

Indefinite-length encoding (BER, not DER) is rejected — TLS certificates always use DER. Some rarely-used extension OIDs are surfaced as raw OIDs rather than named.
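The BER rejection above and the "modulus length read out of the inner DER" step from the overview, as an added example (not this tool's own source): a minimal definite-length DER reader applied to an `RSAPublicKey` structure, which in a certificate sits inside the SubjectPublicKeyInfo BIT STRING. The function names and the filler-byte sample key are constructed for illustration.

```javascript
// Read one DER TLV header at `off`; returns the tag and content bounds.
function readTlv(buf, off) {
  if (off + 2 > buf.length) throw new Error("truncated TLV header");
  const tag = buf[off];
  let len = buf[off + 1];
  let start = off + 2;
  if (len === 0x80) throw new Error("indefinite length is BER, not DER");
  if (len > 0x80) {
    const n = len & 0x7f; // long form: the next n bytes hold the length
    if (n > 4 || start + n > buf.length) throw new Error("bad length field");
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + buf[start + i];
    start += n;
  }
  if (start + len > buf.length) throw new Error("TLV runs past end of input");
  return { tag, start, end: start + len };
}

// RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
// Bit length = position of the highest set bit of the modulus.
function rsaModulusBits(der) {
  const seq = readTlv(der, 0);
  if (seq.tag !== 0x30) throw new Error("expected SEQUENCE");
  const mod = readTlv(der, seq.start);
  if (mod.tag !== 0x02 || mod.end > seq.end || mod.end === mod.start)
    throw new Error("expected INTEGER modulus");
  let i = mod.start;
  while (i < mod.end - 1 && der[i] === 0) i++; // skip the 0x00 sign pad
  return (mod.end - i - 1) * 8 + (32 - Math.clz32(der[i]));
}

// Constructed sample (filler bytes, not a real key): `bytes`-byte modulus, chosen top byte.
function sampleRsaPublicKey(bytes, topByte) {
  const tlv = (tag, body) => {
    const n = body.length;
    const len = n < 0x80 ? [n] : n < 0x100 ? [0x81, n] : [0x82, n >> 8, n & 0xff];
    return [tag, ...len, ...body];
  };
  const pad = topByte & 0x80 ? [0x00] : []; // DER INTEGERs are signed
  const modulus = [...pad, topByte, ...new Array(bytes - 1).fill(0x5a)];
  return Uint8Array.from(tlv(0x30, [...tlv(0x02, modulus), ...tlv(0x02, [1, 0, 1])]));
}

console.log(rsaModulusBits(sampleRsaPublicKey(256, 0xc3))); // 2048
console.log(rsaModulusBits(sampleRsaPublicKey(256, 0x01))); // 2041
console.log(rsaModulusBits(sampleRsaPublicKey(128, 0x9d))); // 1024
```

The second call shows why counting bytes is not enough: a 256-byte modulus whose top byte is `0x01` is a 2041-bit key and falls under the 2048-bit threshold.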

Why include a SHA-256 fingerprint?

It is the standard way to pin a certificate or verify that it matches what your browser sees. Compare the value here against your browser's certificate viewer (Chrome: Lock icon → Connection is secure → Certificate is valid).
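The PEM-to-fingerprint path described in the answers above (first `CERTIFICATE` block only, base64 to DER, asynchronous SHA-256 via Web Crypto), as an added example that is not this tool's own source. The function names are hypothetical, uppercase hex is a presentation choice, and the sample PEM bodies are constructed bytes rather than real certificates.

```javascript
// Extract the first CERTIFICATE block from PEM text and return its DER bytes.
// Any other PEM type (for example an encrypted private key) is rejected.
function firstCertDer(pem) {
  const m = /-----BEGIN CERTIFICATE-----([A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----/.exec(pem);
  if (!m) throw new Error("no CERTIFICATE block found (wrong kind of PEM?)");
  const bin = atob(m[1].replace(/\s+/g, "")); // base64 body -> binary string
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// SHA-256 over the raw DER, rendered as colon-separated hex.
// subtle.digest returns a Promise, so the result arrives after the sync parse.
async function fingerprint(der) {
  const subtle = globalThis.crypto
    ? globalThis.crypto.subtle
    : require("node:crypto").webcrypto.subtle; // fallback for older Node
  const digest = new Uint8Array(await subtle.digest("SHA-256", der));
  return Array.from(digest, (b) => b.toString(16).padStart(2, "0").toUpperCase()).join(":");
}

// Constructed input: the two bodies decode to the bytes "abc" and "xyz".
const SAMPLE_PEM = [
  "-----BEGIN CERTIFICATE-----", "YWJj", "-----END CERTIFICATE-----",
  "-----BEGIN CERTIFICATE-----", "eHl6", "-----END CERTIFICATE-----",
].join("\n");

// Only the first block is hashed; the second is ignored.
fingerprint(firstCertDer(SAMPLE_PEM)).then((fp) => console.log(fp));
```

Because the digest covers every DER byte, re-wrapping or re-indenting the PEM text leaves the fingerprint unchanged, while any change to the decoded bytes produces a different value.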

What's a 'SAN' and why does it matter?

Subject Alternative Name — the list of hostnames the cert is valid for. Modern browsers ignore the Common Name in the Subject DN; only SAN entries count for hostname validation. Missing SAN = invalid cert for any browser since 2017.

Is anything uploaded?

No. PEM decoding, DER parsing and SHA-256 fingerprint all run in your browser — your certificate (and especially any private cert) never leaves your machine.