JPKCom DB

PKI Viewer — Examples

Concrete PKI Viewer walkthroughs: inspect a certificate, spot expiry, analyse a chain, extract P7M content, open PKCS#12, and double-check a CSR.

Back to overview: PKI Viewer · Open the live tool: www.jpkc.com/tools/pki/

This page shows the PKI Viewer through concrete walkthroughs. How the individual functions work in detail is covered in the manual.

Example 1: Quickly inspect a certificate

Goal: read off who a certificate is for and how long it's valid from a PEM block.

  1. In the PEM Decoder tab, paste the certificate text (-----BEGIN CERTIFICATE----- …) into the input field. If you don't have one handy, click Example — that loads a self-signed sample certificate.
  2. Click Decode.

Result: a certificate card appears with subject, issuer, serial number, and the validity period. Top right, a badge tells you instantly whether the certificate is Valid, Expired, Not Yet Valid, or in how many days it expires. With the self-signed sample you also see the Self-signed badge, because subject and issuer are identical.

Example 2: Check a server certificate's remaining life and hostnames

Goal: before a deployment, verify which domains a certificate covers and whether it's about to expire.

  1. Load the server certificate as .pem/.crt via File Analyzer → Browse Files — or export it from your browser via the padlock icon and drop it in here.
  2. Look at the card.

Result: under Subject Alt Names the covered hostnames appear as badges (DNS:www.example.com, DNS:example.com …). The Not After field is colour-coded: a yellow Expires in N days means you should kick off renewal. Under Extended Key Usage, serverAuth confirms it's intended as a TLS server certificate.

Example 3: Analyse a certificate chain

Goal: understand a chain made of an end-entity and a CA certificate.

  1. In the File Analyzer, open the Example dropdown and choose Certificate Chain (2 certs). (Alternatively, paste your own chain — several -----BEGIN CERTIFICATE----- blocks in sequence.)

Result: the tool counts the certificates and renders a card for each. The first is the end-entity certificate (www.example.com), the second carries the CA badge (Basic Constraints: CA: Yes). You can spot the relationship by the fact that the Issuer of the end-entity certificate matches the Subject of the CA certificate. Via Show PEM / Copy PEM you can pull out each certificate individually — handy for adding just the CA to a trust store, for instance.

Example 4: Get the content out of a signed P7M file

Goal: reveal and download the document embedded in a .p7m file.

  1. In the File Analyzer, open the Example dropdown and choose Signed P7M (with content). (Or drop in your own .p7m/.p7s file.)

Result: the tool recognises the PKCS#7 container, lists the contained signing certificate, and shows an Encapsulated Content card. For the sample file that's a text document — you see type, size, and a preview and can save it via Download. If the embedded content is a MIME email, the tool instead shows the headers (From/To/Subject/Date), the text and HTML parts, and the attachments, which you can download individually; the raw email can be saved as .eml.

Example 5: Open a PKCS#12 container

Goal: view a certificate and private key from a password-protected .p12/.pfx file.

  1. In the File Analyzer, drop in the .p12 or .pfx file or select it via Browse Files.
  2. The PKCS#12 Password row appears. Enter the container password and click Open (or press Enter).

Result: with the correct password the tool reports how many certificates and private keys it found and shows them as cards. The key card states the bit length for RSA and offers a PEM export. With a wrong password you get "Wrong password. Please try again." — everything stays local, so you can try as often as you like.

Example 6: Double-check a CSR before submitting

Goal: verify that a certificate signing request contains the right data before it goes to the CA.

  1. In the PEM Decoder, paste the CSR text (-----BEGIN CERTIFICATE REQUEST----- …).
  2. Click Decode.

Result: the CSR card shows the Subject (the requested DN fields like CN, O, C), the bit length of the public RSA key, and the signature algorithm. If Subject Alternative Names are stored in the CSR, they appear as DNS: badges. That way a typo in the common name or a forgotten domain stands out before the certificate is issued.

There's more on the individual functions in the manual, strategic advice and pitfalls in the tips & tricks. To get going right away, head to the tool.