# PKI Viewer — Manual

> Full reference for the PKI Viewer: File Analyzer, PEM Decoder, every certificate field, PKCS#7/12, MIME extraction, and the tool's limits.

Source: https://www.jpkc.com/db/en/tools/pki/manual/

This manual describes the **PKI Viewer** in full: the four tabs, every recognised file format, which fields a certificate reveals and how to read them, and the tool's deliberate limits. The interface is in English, so the labels appear here in their original spelling.

## Interface layout

The PKI Viewer is organised into four tabs:

- **File Analyzer** — analyse files via drag-and-drop or a file picker (binary or PEM).
- **PEM Decoder** — paste PEM-encoded text and decode it.
- **Help** — supported formats, capabilities and limits, a few tips.
- **Reference** — a lookup: file extensions, certificate fields, OpenSSL commands, trust model.

The first two tabs are the working areas, the last two pure documentation. A notice banner at the bottom of the page reiterates that everything stays in the browser.

## The "File Analyzer" tab

This is where you analyse files. There is a large **drop zone** reading "Drag & drop a file here", and below it a **Browse Files** button for the classic file dialog. The accepted extensions are `.pem`, `.crt`, `.cer`, `.der`, `.p7m`, `.p7s`, `.p7c`, `.p12`, `.pfx`, `.csr`, `.req` and `.key`.

The file is read as binary and detected automatically. The detection order:

1. If the content contains `-----BEGIN …`, it is processed as **PEM** (as in the PEM Decoder).
2. If the filename ends in `.p12`/`.pfx`, the password row appears (see below).
3. Otherwise the file is interpreted as **DER** (binary) and tried in turn as an X.509 certificate, then PKCS#7/CMS, then a CSR.
4. If it's valid ASN.1 but none of those, the tool says so honestly.

### Example and Clear

Above the results area there are two controls:

- The **Example** dropdown loads two bundled samples: **Certificate Chain (2 certs)** — a chain of an end-entity certificate (`www.example.com`) plus a root CA — and **Signed P7M (with content)** — a signed `.p7m` file with extractable text content.
- **Clear** empties the results area, the password field, and the file selection.

### PKCS#12 password

When the File Analyzer detects a `.p12` or `.pfx` file, it reveals a **PKCS#12 Password** row with a password field and an **Open** button. You enter the container password and click **Open** (or press Enter). If it's correct, the contained certificates and private keys are shown; if not, "Wrong password. Please try again." appears.

## The "PEM Decoder" tab

This tab takes **PEM-encoded text** in a large input area. You paste the text and click **Decode**. An **Example** button loads a self-signed sample certificate, **Clear** empties input and output.

The decoder recognises what it's dealing with from the markers:

- `-----BEGIN CERTIFICATE-----` → one or **several** certificates (every block is rendered individually).
- `-----BEGIN PKCS7-----` / `-----BEGIN CMS-----` → PKCS#7/CMS container.
- `-----BEGIN CERTIFICATE REQUEST-----` (or `NEW CERTIFICATE REQUEST`) → CSR.
- `-----BEGIN RSA PRIVATE KEY-----` / `-----BEGIN PRIVATE KEY-----` → private key.
- `-----BEGIN RSA PUBLIC KEY-----` / `-----BEGIN PUBLIC KEY-----` → public key.

If the tool finds no known marker, it reports "No recognized PEM markers found." Multiple certificate blocks in one input (typical for a chain or a `.ca-bundle`) are split and counted automatically.
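The File Analyzer's detection order and the marker list above can be sketched as follows. This is an added example, not the PKI Viewer's own code: the function names, the returned object shapes and the `unknown` kind are assumptions, and the DER branch only names the documented try order without parsing ASN.1.

```javascript
// Added example: marker table copied from the list above; all names are hypothetical.
const MARKER_KINDS = {
  'CERTIFICATE': 'certificate',
  'PKCS7': 'pkcs7-cms',
  'CMS': 'pkcs7-cms',
  'CERTIFICATE REQUEST': 'csr',
  'NEW CERTIFICATE REQUEST': 'csr',
  'RSA PRIVATE KEY': 'private-key',
  'PRIVATE KEY': 'private-key',
  'RSA PUBLIC KEY': 'public-key',
  'PUBLIC KEY': 'public-key',
};

// Split text into PEM blocks; a block counts only if its BEGIN and END labels match.
function splitPem(text) {
  const re = /-----BEGIN ([A-Z0-9 ]+)-----[\s\S]*?-----END \1-----/g;
  return Array.from(text.matchAll(re), (m) => ({
    label: m[1],
    kind: MARKER_KINDS[m[1]] || 'unknown',
  }));
}

// Count blocks per kind, e.g. to spot a private key sitting inside a certificate bundle.
function countKinds(blocks) {
  const counts = {};
  for (const b of blocks) counts[b.kind] = (counts[b.kind] || 0) + 1;
  return counts;
}

// The documented order: PEM marker first, then the .p12/.pfx extension, then DER.
// Matching the extension case-insensitively is an assumption of this example.
function detect(filename, bytes) {
  const text = Array.from(bytes, (b) => String.fromCharCode(b)).join('');
  if (text.includes('-----BEGIN ')) {
    const blocks = splitPem(text);
    return { format: 'pem', blocks, counts: countKinds(blocks) };
  }
  if (/\.(p12|pfx)$/i.test(filename)) return { format: 'pkcs12', needsPassword: true };
  return { format: 'der', tryOrder: ['x509', 'pkcs7-cms', 'csr'] };
}

// Constructed sample: placeholder bodies, not real key material.
const SAMPLE = [
  '-----BEGIN CERTIFICATE-----', 'AAAA', '-----END CERTIFICATE-----',
  '-----BEGIN CERTIFICATE-----', 'BBBB', '-----END CERTIFICATE-----',
  '-----BEGIN PRIVATE KEY-----', 'CCCC', '-----END PRIVATE KEY-----',
].join('\n');
```

Because the PEM check runs before the extension check, a file named `bundle.pfx` that contains PEM text is handled as PEM and never reaches the password row.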

## What a certificate card shows

For every detected certificate the tool renders a card. The header shows the **Common Name** of the subject and — depending on the case — the badges **Self-signed** (subject equals issuer), **CA** (per Basic Constraints), and the validity status. In the table below:

### Subject and Issuer

The distinguished names of the holder (**Subject**) and the issuer (**Issuer**), assembled from components such as `CN`, `O`, `OU`, `C`, `ST`, `L`, and `E`. If subject and issuer are identical, the certificate is self-signed.

### Serial Number

The **serial number** as an uppercase hex string with colons as separators (e.g. `30:41:91:13:75:…`).

### Not Before / Not After

The validity period as an ISO 8601 timestamp in UTC. **Not After** is additionally highlighted in colour to match the status:

- **Valid** (green) — valid and more than 30 days from expiry.
- **Expires in N days** (yellow) — expires within the next 30 days.
- **Expired** (red) — expiry date already passed.
- **Not Yet Valid** (grey) — the start of validity is still in the future.

### Signature Algorithm

The signature algorithm, translated from its OID. Recognised values include `SHA-1/224/256/384/512 with RSA`, `RSA-PSS`, and `ECDSA with SHA-1/256/384/512`. If the OID is unknown, the tool shows it as the raw digit sequence.

### Public Key

For RSA keys, **type and bit length** (e.g. `RSA 2048 bit`). For other key types — such as EC — the tool limits itself to basic detection and may show `Unknown type`; a full breakdown exists only for RSA.

### SHA-1 and SHA-256 Fingerprint

Two **fingerprints** over the certificate's DER encoding, as uppercase hex strings with colons. Each has a copy button next to it. The fingerprint is the most practical value for confirming beyond doubt that two certificates are identical.
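Because the fingerprint is taken over the DER bytes, line wrapping and line endings in the PEM text do not change it. The following added example (Node.js, not the PKI Viewer's own code) computes both fingerprints in the display format described above and compares one against a value received out of band; the function names are hypothetical, the sample bytes are constructed placeholders rather than a real certificate, and accepting only the SHA-256 value in the comparison is a choice of this example.

```javascript
const { createHash } = require('crypto');

// Decode the first CERTIFICATE block to its DER bytes; whitespace is ignored.
function pemToDer(pem) {
  const m = /-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/.exec(pem);
  if (!m) throw new Error('no CERTIFICATE block');
  return Buffer.from(m[1].replace(/\s+/g, ''), 'base64');
}

// Uppercase hex with colon separators.
function colonHex(buf) {
  return Array.from(buf, (b) => b.toString(16).padStart(2, '0').toUpperCase()).join(':');
}

// Hash the DER encoding, not the PEM text.
function fingerprints(pem) {
  const der = pemToDer(pem);
  return {
    sha1: colonHex(createHash('sha1').update(der).digest()),
    sha256: colonHex(createHash('sha256').update(der).digest()),
  };
}

// Compare with a fingerprint supplied in any case and with any separators.
// Only a full-length SHA-256 value is accepted (a choice of this example).
function matchesFingerprint(pem, claimed) {
  const norm = (s) => s.replace(/[^0-9a-f]/gi, '').toUpperCase();
  const want = norm(claimed);
  return want.length === 64 && want === norm(fingerprints(pem).sha256);
}

// Constructed sample: placeholder bytes standing in for DER, not a real certificate.
const body = Buffer.from('constructed placeholder, not a real certificate. '.repeat(3))
  .toString('base64');
const wrap = (s, n) => s.match(new RegExp(`.{1,${n}}`, 'g'));
const PEM_LF = ['-----BEGIN CERTIFICATE-----', ...wrap(body, 64),
  '-----END CERTIFICATE-----'].join('\n');
const PEM_CRLF = ['-----BEGIN CERTIFICATE-----', ...wrap(body, 76),
  '-----END CERTIFICATE-----'].join('\r\n');
```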

### Subject Alt Names

If present, the **Subject Alternative Names** as badges, prefixed by type with `DNS:`, `URI:`, `IP:`, or `Email:`. For TLS server certificates this is where the covered hostnames appear.

### Key Usage and Extended Key Usage

The bits set in the **Key Usage** extension (e.g. `digitalSignature`, `keyEncipherment`, `keyCertSign`, `cRLSign`) and the **Extended Key Usage** (e.g. `serverAuth`, `clientAuth`, `codeSigning`, `emailProtection`, `timeStamping`, `OCSPSigning`), each as badges.

### Basic Constraints

Whether the certificate is a CA certificate (`CA: Yes`/`No`) and, if set, the path length constraint (`Path Length`).

### PEM export

The footer of each card offers **Show PEM** (expands the PEM block) and **Copy PEM** (copies the individual certificate as PEM). This lets you pull a single certificate out of a chain, for instance.

## PKCS#7 / CMS and P7M content

For a PKCS#7 or CMS container, the tool first lists the **contained certificates** (with a count) and renders them as cards. Additionally, it tries to extract the **encapsulated content** (eContent) directly from the ASN.1 structure — typical for signed `.p7m` files.

The tool recognises the extracted content via **magic bytes**: PDF, XML, HTML, ZIP (including Office/OOXML), legacy MS Office files, PNG, JPEG, and GIF; everything else is classified as text or binary data. It shows the type, size, and a suggested download name, plus a preview for text. A **Download** button saves the content.
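Magic-byte detection for the content types listed above can look like this. It is an added example, not the PKI Viewer's own code: the signature table, the type and extension names, the 256- and 512-byte windows and the text/binary fallback heuristic are all assumptions of this sketch.

```javascript
// Added example: signature table and names are hypothetical, not the tool's code.
const SIGNATURES = [
  { type: 'pdf', ext: 'pdf', magic: [0x25, 0x50, 0x44, 0x46] },                  // %PDF
  { type: 'zip', ext: 'zip', magic: [0x50, 0x4b, 0x03, 0x04] },                  // PK.. (also OOXML)
  { type: 'ole2', ext: 'doc', magic: [0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1] }, // legacy Office
  { type: 'png', ext: 'png', magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'jpeg', ext: 'jpg', magic: [0xff, 0xd8, 0xff] },
  { type: 'gif', ext: 'gif', magic: [0x47, 0x49, 0x46, 0x38] },                  // GIF8
];

// True if `bytes` contains `magic` at `offset`; short inputs simply do not match.
function hasMagic(bytes, magic, offset = 0) {
  return magic.every((b, i) => bytes[offset + i] === b);
}

// Classify extracted content by its leading bytes, never by a claimed name or type.
function sniff(bytes) {
  for (const sig of SIGNATURES) {
    if (hasMagic(bytes, sig.magic)) return { type: sig.type, ext: sig.ext };
  }
  // Markup: skip a UTF-8 BOM and leading whitespace, then compare case-insensitively.
  const bom = hasMagic(bytes, [0xef, 0xbb, 0xbf]) ? 3 : 0;
  const head = Array.from(bytes.slice(bom, bom + 256), (b) => String.fromCharCode(b))
    .join('').trimStart().toLowerCase();
  if (head.startsWith('<?xml')) return { type: 'xml', ext: 'xml' };
  if (head.startsWith('<!doctype html') || head.startsWith('<html')) {
    return { type: 'html', ext: 'html' };
  }
  // Fallback (assumed heuristic): control bytes outside tab..CR mean binary data.
  const binary = Array.from(bytes.slice(0, 512))
    .some((b) => b < 0x09 || (b > 0x0d && b < 0x20));
  return binary ? { type: 'binary', ext: 'bin' } : { type: 'text', ext: 'txt' };
}

// Constructed samples for a quick check.
const asBytes = (s) => Array.from(s, (c) => c.charCodeAt(0));
const SAMPLE_PDF = asBytes('%PDF-1.7\n');
const SAMPLE_XML = [0xef, 0xbb, 0xbf, ...asBytes('<?xml version="1.0"?><a/>')];
const SAMPLE_HTML = asBytes('  <!DOCTYPE HTML><html></html>');
```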

### Embedded MIME email

If the extracted content looks like a **MIME email** (headers such as `From:`/`To:`/`Subject:`, a `multipart/` content type with a boundary, etc.), the tool breaks it out:

- **Headers** — From, To, Cc, Bcc, Subject, Date, MIME-Version, Message-ID (RFC 2047-encoded values are decoded).
- **Text Body** and **HTML Body** — the HTML part can be toggled between source and a **Preview** rendered in a sandboxed iframe (`sandbox` attribute), and copied.
- **Attachments** — each attachment individually with name, type, and size, plus a **Download** button; quoted-printable and Base64 are decoded along the way.
- **Original (.eml)** — the raw MIME source can be downloaded as an `.eml` file.

## PKCS#12 / PFX, CSR, and keys

- **PKCS#12 / PFX:** after entering the password, the contained **certificates** and **private keys** are shown. A key card states the type and bit length for RSA and offers PEM export.
- **CSR (PKCS#10):** subject, public key (RSA bit length), signature algorithm, and — if present in the CSR — the Subject Alternative Names.
- **Private key:** type (RSA) and bit length, with PEM export.
- **Public key:** type (RSA) and bit length.

## The "Help" tab

Pure in-tool documentation: a table of **supported formats**, a list each of **What This Tool Can Do** and **What This Tool Cannot Do**, plus tips — such as how to export a certificate from your browser (padlock icon in the address bar → certificate details → export as `.pem`/`.crt`) and useful OpenSSL commands.

## The "Reference" tab

A compact lookup: a table of common **PKI file extensions** with standard, encoding, and typical content; a **certificate field reference** (DN components with OIDs, and the most important X.509v3 extensions such as SAN, Key Usage, Basic Constraints, Authority/Subject Key Identifier, CRL Distribution Points, Authority Information Access, Certificate Policies); a collection of **OpenSSL commands** for viewing, converting, verifying, and fingerprinting; and a short explanation of the **PKI trust model** (root CA → intermediate CA → end-entity).

## Limits and privacy

- **Fully client-side:** everything runs via [node-forge](https://github.com/digitalbazaar/forge) in the browser. There is no server that receives files and no API. Certificates, private keys, and PKCS#12 passwords never leave your device — verifiable in the Network tab.
- **Inspection only, no generation:** the tool signs and generates nothing — no certificates, no keys, no CSRs.
- **No trust validation:** it does **not** validate chains against a CA trust store and performs **no** OCSP/CRL revocation checks.
- **No network access to servers:** it opens no TLS connection and cannot fetch server certificates remotely.
- **Password-protected private keys** cannot be decrypted; only PKCS#12 passwords are supported.
- **EC keys:** basic detection only — detailed fields currently exist for RSA.

For the introduction and target audiences see the [overview page](https://www.jpkc.com/db/en/tools/pki/). Concrete walkthroughs are in the [examples](https://www.jpkc.com/db/en/tools/pki/examples/), strategy and pitfalls in the [tips & tricks](https://www.jpkc.com/db/en/tools/pki/tips/). You can try everything directly in the [tool](https://www.jpkc.com/tools/pki/).

