Inspector de Cadena de Certificados
Inspecciona cadenas de certificados PEM para expiración, algoritmos débiles y problemas de completitud
Inspecting X.509 Certificate Chains for Security Issues
TLS certificate chains establish trust between a client and server — the server presents its leaf certificate along with intermediate certificates that chain up to a trusted root CA. A broken chain prevents browsers from verifying server identity, expired certificates trigger security warnings that drive users away, and weak signature algorithms (SHA-1, MD5) or insufficient key sizes leave connections vulnerable to forgery. The Certificate Chain Inspector analyzes your PEM-encoded certificate chain to detect expiration, weak cryptography, incomplete chains, and ordering issues before they cause outages or security incidents.
Paste your PEM certificate chain (one or more certificates in PEM format) to receive chain completeness analysis, expiration status, algorithm strength evaluation, key size assessment, and ordering validation. Each finding includes severity classification and specific remediation guidance. All processing happens client-side — your certificates and private data never leave your browser.
Chain Completeness and Ordering
A valid certificate chain must form a continuous trust path from leaf to root:
- Missing intermediates: If the chain only contains the leaf certificate, some clients cannot build the path to a trusted root and will reject the connection
- Incorrect ordering: Certificates must be ordered leaf-first, followed by intermediates in order up to the root — reversed chains may work in some implementations but fail in others
- Extraneous certificates: Including unrelated certificates adds TLS handshake overhead without providing trust
- Self-signed leaf: A leaf certificate that is self-signed (issuer equals subject) will not be trusted by browsers unless explicitly added to their trust store
Expiration and Validity Windows
The inspector checks temporal validity of each certificate in the chain:
- Already expired: Certificates past their notAfter date — browsers display security warnings or refuse connection entirely
- Expiring soon: Certificates expiring within 30 days need immediate renewal planning
- Not yet valid: Certificates with a notBefore date in the future (clock skew or premature deployment)
- Excessive validity: Leaf certificates valid for more than 398 days violate CA/Browser Forum requirements
Intermediate CA certificates typically have longer validity periods (5-10 years) while leaf certificates should be 90 days to 1 year for security best practices.
Cryptographic Strength Assessment
The inspector evaluates the cryptographic algorithms and key sizes used in each certificate:
- Signature algorithm: SHA-256 or SHA-384 recommended; SHA-1 is deprecated and MD5 is broken
- RSA key size: Minimum 2048 bits required; 4096 bits recommended for CAs
- ECDSA curves: P-256 (secp256r1) or P-384 recommended; P-521 offers diminishing returns
- Certificate version: X.509 v3 required for modern TLS with extensions
Certificates using SHA-1 signatures are rejected by all major browsers since 2017. The inspector flags any certificate using deprecated algorithms regardless of its position in the chain.
Code Examples
Certificate Chain Analysis Output
# Chain analysis for: example.com
# Certificate 1 (Leaf):
# Subject: CN=example.com
# Issuer: CN=Let's Encrypt Authority X3
# Valid: 2024-01-15 to 2024-04-14 (90 days)
# Key: RSA 2048-bit
# Signature: SHA-256
# Status: ✓ Valid (expires in 45 days)
# Certificate 2 (Intermediate):
# Subject: CN=Let's Encrypt Authority X3
# Issuer: CN=DST Root CA X3
# Valid: 2016-03-17 to 2021-03-17
# Key: RSA 2048-bit
# Signature: SHA-256
# Status: ✗ EXPIRED (expired 2021-03-17)
# Findings:
# - CRITICAL: Intermediate certificate expired — replace with current chain
# - WARN: Leaf expires in 45 days — schedule renewal
# - INFO: Chain ordering is correct (leaf → intermediate)
# Security score: 4/10