# PKI Viewer — Examples

> Concrete PKI Viewer walkthroughs: inspect a certificate, spot expiry, analyse a chain, extract P7M content, open PKCS#12, and double-check a CSR.

Source: https://www.jpkc.com/db/en/tools/pki/examples/

Back to overview: [PKI Viewer](https://www.jpkc.com/db/en/tools/pki/) · Open the live tool: [www.jpkc.com/tools/pki/](https://www.jpkc.com/tools/pki/)

This page shows the **PKI Viewer** through concrete walkthroughs. How the individual functions work in detail is covered in the [manual](https://www.jpkc.com/db/en/tools/pki/manual/).

## Example 1: Quickly inspect a certificate

Goal: read off who a certificate is for and how long it's valid from a PEM block.

1. In the **PEM Decoder** tab, paste the certificate text (`-----BEGIN CERTIFICATE-----` …) into the input field. If you don't have one handy, click **Example** — that loads a self-signed sample certificate.
2. Click **Decode**.

**Result:** a certificate card appears with subject, issuer, serial number, and the validity period. Top right, a badge tells you instantly whether the certificate is **Valid**, **Expired**, **Not Yet Valid**, or in how many days it expires. With the self-signed sample you also see the **Self-signed** badge, because subject and issuer are identical.

## Example 2: Check a server certificate's remaining life and hostnames

Goal: before a deployment, verify which domains a certificate covers and whether it's about to expire.

1. Load the server certificate as `.pem`/`.crt` via **File Analyzer → Browse Files** — or export it from your browser via the padlock icon and drop it in here.
2. Look at the card.

**Result:** under **Subject Alt Names** the covered hostnames appear as badges (`DNS:www.example.com`, `DNS:example.com` …). The **Not After** field is colour-coded: a yellow **Expires in N days** means you should kick off renewal. Under **Extended Key Usage**, `serverAuth` confirms it's intended as a TLS server certificate.

## Example 3: Analyse a certificate chain

Goal: understand a chain made of an end-entity and a CA certificate.

1. In the **File Analyzer**, open the **Example** dropdown and choose **Certificate Chain (2 certs)**. (Alternatively, paste your own chain — several `-----BEGIN CERTIFICATE-----` blocks in sequence.)

**Result:** the tool counts the certificates and renders a card for each. The first is the end-entity certificate (`www.example.com`), the second carries the **CA** badge (Basic Constraints: `CA: Yes`). You can spot the relationship by the fact that the **Issuer** of the end-entity certificate matches the **Subject** of the CA certificate. Via **Show PEM** / **Copy PEM** you can pull out each certificate individually — handy for adding just the CA to a trust store, for instance.

## Example 4: Get the content out of a signed P7M file

Goal: reveal and download the document embedded in a `.p7m` file.

1. In the **File Analyzer**, open the **Example** dropdown and choose **Signed P7M (with content)**. (Or drop in your own `.p7m`/`.p7s` file.)

**Result:** the tool recognises the PKCS#7 container, lists the contained signing certificate, and shows an **Encapsulated Content** card. For the sample file that's a text document — you see type, size, and a preview and can save it via **Download**. If the embedded content is a MIME email, the tool instead shows the headers (From/To/Subject/Date), the text and HTML parts, and the attachments, which you can download individually; the raw email can be saved as `.eml`.

## Example 5: Open a PKCS#12 container

Goal: view a certificate and private key from a password-protected `.p12`/`.pfx` file.

1. In the **File Analyzer**, drop in the `.p12` or `.pfx` file or select it via **Browse Files**.
2. The **PKCS#12 Password** row appears. Enter the container password and click **Open** (or press Enter).

**Result:** with the correct password the tool reports how many certificates and private keys it found and shows them as cards. The key card states the bit length for RSA and offers a PEM export. With a wrong password you get "Wrong password. Please try again." — everything stays local, so you can try as often as you like.

## Example 6: Double-check a CSR before submitting

Goal: verify that a certificate signing request contains the right data before it goes to the CA.

1. In the **PEM Decoder**, paste the CSR text (`-----BEGIN CERTIFICATE REQUEST-----` …).
2. Click **Decode**.

**Result:** the CSR card shows the **Subject** (the requested DN fields like `CN`, `O`, `C`), the bit length of the public RSA key, and the signature algorithm. If Subject Alternative Names are stored in the CSR, they appear as `DNS:` badges. That way a typo in the common name or a forgotten domain stands out before the certificate is issued.

---

There's more on the individual functions in the [manual](https://www.jpkc.com/db/en/tools/pki/manual/), strategic advice and pitfalls in the [tips & tricks](https://www.jpkc.com/db/en/tools/pki/tips/). To get going right away, head to the [tool](https://www.jpkc.com/tools/pki/).