Certificate Chain Inspector

Inspect PEM certificate chains for expiration, weak algorithms, key size issues, and chain completeness — with security scoring

Enter PEM-encoded certificates as they appear in .crt or .pem files. Include all chain certificates for full analysis.

What is the Certificate Chain Inspector?

The Certificate Chain Inspector is a client-side security tool that analyzes PEM-encoded X.509 certificate chains for common issues that cause TLS failures and security vulnerabilities. It detects expired certificates, weak signature algorithms, insufficient key sizes, missing intermediate CAs, and chain ordering problems — then calculates a security score and provides actionable recommendations.

How to Use

  1. Paste one or more PEM-encoded certificates into the input field
  2. Click "Inspect Chain" or wait for automatic processing
  3. Review each certificate's details: subject, issuer, validity, algorithm, and key size
  4. Check findings with severity ratings (Critical, High, Medium, Low)
  5. Export a full report in JSON or Markdown format

Example: Expired Certificate with Weak Algorithm

A certificate using SHA-1 that has already expired would produce two critical findings:

-----BEGIN CERTIFICATE-----
MIICpDCCAYwCCQDMq2inYDfBQjANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDDAls
b2NhbGhvc3QwHhcNMTUwMTAxMDAwMDAwWhcNMTYwMTAxMDAwMDAwWjAUMRIwEAYD
VQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7
...
-----END CERTIFICATE-----

What Security Issues Are Detected?

  • Expired certificates — Certificates past their notAfter date cause TLS handshake failures
  • Expiring soon — Certificates expiring within 30 days need urgent renewal
  • Not yet valid — Certificates with a future notBefore date are not yet active
  • Weak algorithms (SHA-1, MD5, MD2) — Cryptographically broken, vulnerable to collision attacks
  • Small RSA keys (< 2048 bits) — Potentially factorable with modern hardware
  • Incomplete chain — Missing intermediate CA certificates cause client verification failures
  • Chain ordering — Incorrect certificate order causes issues in some TLS implementations
  • Self-signed leaf — Not trusted by browsers without explicit exception

Security Scoring

Each chain receives a score from 0 to 100 based on detected findings. Severity weights are: Critical (25 points), High (15 points), Medium (8 points), Low (3 points). The score maps to a letter grade: A (90+), B (75+), C (60+), D (40+), F (below 40). A chain with no issues receives a perfect 100/A.
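As an added example (not the inspector's own code), here is how the per-certificate checks and the scoring rule above can be implemented in JavaScript. The severity weights, grade cut-offs, 30-day window, weak-algorithm list and key-size minimums are the ones stated on this page; the severity of a not-yet-valid certificate is not stated here and is assumed to be High; the certificate record shape, field names and timestamps are constructed for the example.

```javascript
// Added example, not the inspector's own code: per-certificate findings
// (validity dates, signature algorithm, key size) and the 0-100 score with
// letter grade described on this page. Certificate records are plain objects
// with the fields a PEM parser would extract; all sample values are constructed.

const SEVERITY_WEIGHT = { Critical: 25, High: 15, Medium: 8, Low: 3 };
const EXPIRING_SOON_DAYS = 30;
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Signature algorithms the page flags as Critical: MD2, MD5, SHA-1 in any
// spelling ("sha1WithRSAEncryption", "SHA-1", ...). The lookahead keeps
// "SHA256withRSA" from matching.
const WEAK_SIGNATURE = /(md2|md5|sha-?1)(?![0-9])/i;
// Minimum key sizes in bits, by key type.
const MIN_KEY_BITS = { RSA: 2048, EC: 256 };

// Expired / expiring soon / not yet valid. `now` is injectable so the check is
// deterministic in tests. Severity for not-yet-valid is an assumption (High).
function validityFindings(cert, now = new Date()) {
  const notBefore = new Date(cert.notBefore);
  const notAfter = new Date(cert.notAfter);
  const findings = [];
  if (now < notBefore) {
    findings.push({ severity: 'High', code: 'not-yet-valid',
      message: `${cert.subject} is not valid before ${notBefore.toISOString()}` });
  } else if (now > notAfter) {
    findings.push({ severity: 'Critical', code: 'expired',
      message: `${cert.subject} expired on ${notAfter.toISOString()}` });
  } else {
    const daysLeft = Math.floor((notAfter - now) / MS_PER_DAY);
    if (daysLeft <= EXPIRING_SOON_DAYS) {
      findings.push({ severity: 'High', code: 'expiring-soon',
        message: `${cert.subject} expires in ${daysLeft} day(s)` });
    }
  }
  return findings;
}

// Weak signature algorithm (Critical) and undersized key (High).
function algorithmFindings(cert) {
  const findings = [];
  if (WEAK_SIGNATURE.test(cert.signatureAlgorithm)) {
    findings.push({ severity: 'Critical', code: 'weak-algorithm',
      message: `${cert.subject} is signed with ${cert.signatureAlgorithm}` });
  }
  const min = MIN_KEY_BITS[cert.keyType];
  if (min !== undefined && cert.keyBits < min) {
    findings.push({ severity: 'High', code: 'weak-key',
      message: `${cert.subject} uses a ${cert.keyBits}-bit ${cert.keyType} key (minimum ${min})` });
  }
  return findings;
}

function inspectCertificate(cert, now) {
  return [...validityFindings(cert, now), ...algorithmFindings(cert)];
}

// Start at 100, subtract the weight of every finding, clamp at 0, map to a grade.
function scoreFindings(findings) {
  let score = 100;
  for (const f of findings) score -= SEVERITY_WEIGHT[f.severity] || 0;
  score = Math.max(0, score);
  const grade = score >= 90 ? 'A' : score >= 75 ? 'B' : score >= 60 ? 'C' : score >= 40 ? 'D' : 'F';
  return { score, grade };
}

// Constructed record modelled on the expired SHA-1 example on this page.
const EXPIRED_SHA1 = {
  subject: 'CN=localhost',
  notBefore: '2015-01-01T00:00:00Z',
  notAfter: '2016-01-01T00:00:00Z',
  signatureAlgorithm: 'sha1WithRSAEncryption',
  keyType: 'RSA',
  keyBits: 2048,
};

// Two Critical findings (expired, weak algorithm): 100 - 25 - 25 = 50, grade D.
console.log(scoreFindings(inspectCertificate(EXPIRED_SHA1, new Date('2024-06-01T00:00:00Z'))));
// { score: 50, grade: 'D' }
```

The `now` parameter is what makes the expiry checks testable; in the browser the tool would simply use the current time. Chain-level findings (ordering, missing intermediates) are produced by a separate check and feed the same `scoreFindings` function.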

Understanding Certificate Chains

A certificate chain (or chain of trust) connects your server's leaf certificate to a trusted root Certificate Authority through one or more intermediate CA certificates. The proper order is:

  1. Leaf certificate — Your server's certificate (issued to your domain)
  2. Intermediate CA(s) — One or more certificates that link to the root
  3. Root CA — The trust anchor (optional, browsers have it pre-installed)

Best Practices for TLS Certificates

  • Use SHA-256 or stronger signature algorithms (SHA256withRSA, ECDSA-SHA256)
  • Use RSA 2048+ or ECDSA P-256 for key generation
  • Always include intermediate certificates in your server configuration
  • Set up automated renewal (Let's Encrypt, ACME clients) to avoid expiration
  • Monitor certificate expiry with at least 30 days advance warning
  • Keep chain certificates in the correct order (leaf first, root last)

Privacy and Security

All analysis happens entirely in your browser using JavaScript. Your certificates — which contain domain names, organization details, and public keys — are never transmitted to any server. No data is stored, logged, or shared. This makes it safe to inspect production certificates without exposing infrastructure details.

Frequently Asked Questions

What does the Certificate Chain Inspector check?

The Certificate Chain Inspector analyzes PEM-encoded X.509 certificates for validity (expired or not-yet-valid dates), weak signature algorithms (MD2, MD5, SHA-1), insufficient key sizes (RSA < 2048 bits, EC < 256 bits), chain completeness (missing intermediates), chain ordering, and self-signed leaf certificates. It calculates a security score and provides actionable recommendations.

How is the security score calculated?

The score starts at 100 and deducts points based on finding severity: Critical issues (expired certificates, weak algorithms) deduct 25 points, High issues (expiring soon, weak keys) deduct 15, Medium issues (chain ordering, missing intermediates) deduct 8, and Low issues deduct 3. The final score maps to a letter grade: A (90+), B (75+), C (60+), D (40+), F (below 40).

Is my certificate data sent to any server?

No. All certificate parsing and analysis happens entirely in your browser using JavaScript. Your certificates and private keys never leave your device. Nothing is stored, logged, or transmitted to any server.

What format should the input be?

Enter one or more PEM-encoded X.509 certificates. Each certificate starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----. You can paste an entire chain (leaf + intermediates + root) or individual certificates. The tool supports both 'CERTIFICATE' and 'X509 CERTIFICATE' headers.

What is a certificate chain and why does order matter?

A certificate chain connects your leaf (server) certificate to a trusted root CA through intermediate certificates. The correct order is: leaf certificate first, followed by each intermediate CA that issued it, with the root CA last (optional). Incorrect ordering can cause TLS handshake failures in some clients.

Why are SHA-1 and MD5 algorithms flagged as critical?

SHA-1 and MD5 are cryptographically broken — practical collision attacks exist that allow forging certificates. All major browsers and CAs deprecated SHA-1 certificates in 2017. Any certificate still using SHA-1 or MD5 signatures should be reissued immediately with SHA-256 or stronger.

What key size is considered secure?

For RSA keys, 2048 bits is the minimum recommended by NIST and all major CAs. For elliptic curve (EC) keys, P-256 (256 bits) provides equivalent security to RSA 3072. Keys below these thresholds are flagged because they offer too little security margin against modern computing resources (small RSA moduli are potentially factorable).

Can I inspect private keys with this tool?

The tool only processes CERTIFICATE blocks, not private keys. If your PEM file includes private key blocks (BEGIN PRIVATE KEY or BEGIN RSA PRIVATE KEY), they are ignored during inspection. For security, avoid pasting private keys into any tool — even client-side ones.
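The input-format and private-key answers above describe the same parsing step: split the pasted text into PEM blocks, keep only the certificate ones, and decode them. As an added example (not the inspector's own code), the JavaScript below does that, accepting both the CERTIFICATE and X509 CERTIFICATE labels, skipping everything else (private keys included), and checking that the decoded DER is a complete SEQUENCE so a truncated paste is reported rather than silently mis-parsed. The sample bundle and its base64 bodies are constructed and are not real certificates.

```javascript
// Added example, not the inspector's own code: PEM bundle splitting with a
// DER-length sanity check. Sample input below is constructed test data.

// One PEM block: label captured in group 1, base64 body in group 2; the
// backreference makes the END label match the BEGIN label.
const PEM_BLOCK = /-----BEGIN ([A-Z0-9 ]+)-----\r?\n([\s\S]*?)-----END \1-----/g;
const CERT_LABELS = new Set(['CERTIFICATE', 'X509 CERTIFICATE']);

// Works in Node (Buffer) and in the browser (atob).
function decodeBase64(b64) {
  if (typeof Buffer !== 'undefined') return new Uint8Array(Buffer.from(b64, 'base64'));
  return Uint8Array.from(atob(b64), ch => ch.charCodeAt(0));
}

// Total length (header + content) of the outermost DER SEQUENCE, or null if the
// bytes do not start with a well-formed SEQUENCE header. Every X.509
// certificate is a SEQUENCE, so a mismatch with the decoded size means the
// paste was truncated or corrupted.
function derSequenceLength(bytes) {
  if (bytes.length < 2 || bytes[0] !== 0x30) return null;
  const first = bytes[1];
  if (first < 0x80) return 2 + first;          // short form: one length byte
  const n = first & 0x7f;                       // long form: n length bytes follow
  if (n === 0 || n > 4 || bytes.length < 2 + n) return null;
  let len = 0;
  for (let i = 0; i < n; i++) len = len * 256 + bytes[2 + i];
  return 2 + n + len;
}

// Returns { certs, skipped }: certs holds one entry per certificate block
// (ok: true with der bytes, or ok: false with an error), skipped lists the
// labels of non-certificate blocks that were ignored.
function extractCertificates(pemText) {
  const certs = [];
  const skipped = [];
  for (const m of pemText.matchAll(PEM_BLOCK)) {
    const [, label, body] = m;
    if (!CERT_LABELS.has(label)) { skipped.push(label); continue; }
    const b64 = body.replace(/\s+/g, '');
    if (b64.length % 4 !== 0 || !/^[A-Za-z0-9+\/]*={0,2}$/.test(b64)) {
      certs.push({ label, ok: false, error: 'body is not valid base64' });
      continue;
    }
    const der = decodeBase64(b64);
    const expected = derSequenceLength(der);
    if (expected === null) {
      certs.push({ label, ok: false, error: 'DER does not start with a SEQUENCE' });
    } else if (expected !== der.length) {
      certs.push({ label, ok: false,
        error: `DER length mismatch: header announces ${expected} bytes, got ${der.length}` });
    } else {
      certs.push({ label, ok: true, der });
    }
  }
  return { certs, skipped };
}

// Constructed bundle: two well-formed 5-byte SEQUENCEs (not real certificates),
// a private key block that must be ignored, and a truncated certificate block.
const SAMPLE_BUNDLE = [
  '-----BEGIN CERTIFICATE-----',
  'MAMCAQE=',                         // 30 03 02 01 01: SEQUENCE { INTEGER 1 }
  '-----END CERTIFICATE-----',
  '-----BEGIN X509 CERTIFICATE-----',
  'MAMCAQE=',
  '-----END X509 CERTIFICATE-----',
  '-----BEGIN RSA PRIVATE KEY-----',
  'AAAA',                             // placeholder body, never decoded
  '-----END RSA PRIVATE KEY-----',
  '-----BEGIN CERTIFICATE-----',
  'MAMCAQ==',                         // 30 03 02 01: same SEQUENCE cut short
  '-----END CERTIFICATE-----',
].join('\n');

console.log(extractCertificates(SAMPLE_BUNDLE));
```

The length check is cheap and catches the most common paste error: a certificate copied with its middle lines missing, such as the elided example on this page, whose "MIICpD" prefix decodes to a SEQUENCE header announcing 676 content bytes (680 in total), so anything shorter is rejected before any field is interpreted.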

What does 'chain incomplete' mean?

A single non-self-signed certificate without its issuing CA certificates means the chain is incomplete. Web servers must send all intermediate certificates so clients can build a trust path to the root CA. Missing intermediates cause TLS errors in browsers and API clients that don't cache intermediates.
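The ordering and completeness rules described on this page (leaf first, each following certificate the issuer of the previous one, root optional, a leaf without its issuer means an incomplete chain) can be checked from the subject and issuer names alone. The JavaScript below is an added example, not the inspector's own code: it works on plain records carrying the subject and issuer distinguished names a parser would extract, picks the leaf as the certificate that no other certificate names as its issuer, rebuilds the expected order by following issuer links, and reports chain-ordering and chain-incomplete findings at the Medium severity the page gives them. The Low severity for a self-signed leaf is an assumption (the page lists the finding but not its weight), and the sample records and names are constructed.

```javascript
// Added example, not the inspector's own code: chain-level checks over
// certificate records {subject, issuer} in the order they were pasted.
// Sample records are constructed.

function isSelfSigned(cert) { return cert.subject === cert.issuer; }

// Returns { findings, expectedOrder } where expectedOrder lists subjects in
// the order a client would need them (leaf first).
function chainFindings(certs) {
  const findings = [];
  if (certs.length === 0) return { findings, expectedOrder: [] };

  const bySubject = new Map(certs.map(c => [c.subject, c]));
  // Names that some non-self-signed certificate in the bundle points at.
  const issuerNames = new Set(certs.filter(c => !isSelfSigned(c)).map(c => c.issuer));
  // The leaf is the certificate nobody else names as issuer. If the names do
  // not single one out (e.g. a leaf pasted next to an unrelated root), prefer
  // a non-self-signed candidate and fall back to the first pasted certificate.
  const candidates = certs.filter(c => !issuerNames.has(c.subject));
  const leaf = candidates.find(c => !isSelfSigned(c)) || candidates[0] || certs[0];

  if (isSelfSigned(leaf)) {
    findings.push({ severity: 'Low', code: 'self-signed-leaf',   // severity assumed
      message: `${leaf.subject} is self-signed and will not be trusted without an explicit exception` });
  } else if (!bySubject.has(leaf.issuer)) {
    findings.push({ severity: 'Medium', code: 'chain-incomplete',
      message: `no certificate for issuer "${leaf.issuer}" of ${leaf.subject} was supplied` });
  }

  // Follow issuer links from the leaf to rebuild the expected order. The walk
  // stops at a self-signed certificate (root) or when the next issuer is absent
  // (root omitted, which is allowed). The seen-set guards against name loops.
  const expected = [leaf];
  const seen = new Set([leaf.subject]);
  let current = leaf;
  while (!isSelfSigned(current)) {
    const next = bySubject.get(current.issuer);
    if (!next || seen.has(next.subject)) break;
    expected.push(next);
    seen.add(next.subject);
    current = next;
  }

  const expectedOrder = expected.map(c => c.subject);
  if (!expected.every((c, i) => certs[i] === c)) {
    findings.push({ severity: 'Medium', code: 'chain-ordering',
      message: `certificates are out of order; expected ${expectedOrder.join(' -> ')}` });
  }
  return { findings, expectedOrder };
}

// Constructed sample chain (example.com is a reserved documentation domain).
const LEAF = { subject: 'CN=www.example.com', issuer: 'CN=Example Intermediate CA' };
const INTERMEDIATE = { subject: 'CN=Example Intermediate CA', issuer: 'CN=Example Root CA' };
const ROOT = { subject: 'CN=Example Root CA', issuer: 'CN=Example Root CA' };

console.log(chainFindings([LEAF, INTERMEDIATE, ROOT]).findings);  // []
console.log(chainFindings([INTERMEDIATE, LEAF]).findings);        // chain-ordering
console.log(chainFindings([LEAF]).findings);                      // chain-incomplete
```

Comparing names is what makes this check cheap; a production inspector would additionally match the Authority Key Identifier of each certificate against the Subject Key Identifier of the next, since two distinct CA certificates can carry the same subject name.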