PKI Viewer — Manual
Full reference for the PKI Viewer: File Analyzer, PEM Decoder, every certificate field, PKCS#7/12, MIME extraction, and the tool's limits.
Back to overview: PKI Viewer · Open the live tool: www.jpkc.com/tools/pki/
This manual describes the PKI Viewer in full: the four tabs, every recognised file format, which fields a certificate reveals and how to read them, and the tool's deliberate limits. The interface is in English, so the labels appear here in their original spelling.
Interface layout
The PKI Viewer is organised into four tabs:
- File Analyzer — analyse files via drag-and-drop or a file picker (binary or PEM).
- PEM Decoder — paste PEM-encoded text and decode it.
- Help — supported formats, capabilities and limits, a few tips.
- Reference — a lookup: file extensions, certificate fields, OpenSSL commands, trust model.
The first two tabs are the working areas, the last two pure documentation. A notice banner at the bottom of the page reiterates that everything stays in the browser.
The "File Analyzer" tab
This is where you analyse files. There is a large drop zone reading "Drag & drop a file here", and below it a Browse Files button for the classic file dialog. The accepted extensions are .pem, .crt, .cer, .der, .p7m, .p7s, .p7c, .p12, .pfx, .csr, .req and .key.
The file is read as binary and detected automatically. The detection order:
- If the content contains -----BEGIN …, it is processed as PEM (as in the PEM Decoder).
- If the filename ends in .p12/.pfx, the password row appears (see below).
- Otherwise the file is interpreted as DER (binary) and tried in turn as an X.509 certificate, then PKCS#7/CMS, then a CSR.
- If it's valid ASN.1 but none of those, the tool says so honestly.
Example and Clear
Above the results area there are two controls:
- The Example dropdown loads two bundled samples: Certificate Chain (2 certs) — a chain of an end-entity certificate (www.example.com) plus a root CA — and Signed P7M (with content) — a signed .p7m file with extractable text content.
- Clear empties the results area, the password field, and the file selection.
PKCS#12 password
When the File Analyzer detects a .p12 or .pfx file, it reveals a PKCS#12 Password row with a password field and an Open button. You enter the container password and click Open (or press Enter). If it's correct, the contained certificates and private keys are shown; if not, "Wrong password. Please try again." appears.
The "PEM Decoder" tab
This tab takes PEM-encoded text in a large input area. You paste the text and click Decode. An Example button loads a self-signed sample certificate, Clear empties input and output.
The decoder recognises what it's dealing with from the markers:
- -----BEGIN CERTIFICATE----- → one or several certificates (every block is rendered individually).
- -----BEGIN PKCS7----- / -----BEGIN CMS----- → PKCS#7/CMS container.
- -----BEGIN CERTIFICATE REQUEST----- (or NEW CERTIFICATE REQUEST) → CSR.
- -----BEGIN RSA PRIVATE KEY----- / -----BEGIN PRIVATE KEY----- → private key.
- -----BEGIN RSA PUBLIC KEY----- / -----BEGIN PUBLIC KEY----- → public key.
If the tool finds no known marker, it reports "No recognized PEM markers found." Multiple certificate blocks in one input (typical for a chain or a .ca-bundle) are split and counted automatically.
What a certificate card shows
For every detected certificate the tool renders a card. The header shows the Common Name of the subject and — depending on the case — the badges Self-signed (subject equals issuer), CA (per Basic Constraints), and the validity status. In the table below:
Subject and Issuer
The distinguished names of the holder (Subject) and the issuer (Issuer), assembled from components such as CN, O, OU, C, ST, L, and E. If subject and issuer are identical, the certificate is self-signed.
Serial Number
The serial number as an uppercase hex string with colons as separators (e.g. 30:41:91:13:75:…).
Not Before / Not After
The validity period as an ISO 8601 timestamp in UTC. Not After is additionally highlighted in colour to match the status:
- Valid (green) — valid and more than 30 days from expiry.
- Expires in N days (yellow) — expires within the next 30 days.
- Expired (red) — expiry date already passed.
- Not Yet Valid (grey) — the start of validity is still in the future.
Signature Algorithm
The signature algorithm, translated from its OID. Recognised values include SHA-1/224/256/384/512 with RSA, RSA-PSS, and ECDSA with SHA-1/256/384/512. If the OID is unknown, the tool shows it as the raw digit sequence.
Public Key
For RSA keys, type and bit length (e.g. RSA 2048 bit). For other key types — such as EC — the tool limits itself to basic detection and may show Unknown type; full breakdown exists only for RSA.
SHA-1 and SHA-256 Fingerprint
Two fingerprints over the certificate's DER encoding, as uppercase hex strings with colons. Each has a copy button next to it. The fingerprint is the most practical value for confirming beyond doubt that two certificates are identical.
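The marker recognition of the PEM Decoder and the fingerprint over the DER encoding, combined in one added example for Node.js (not the tool's own code, which uses node-forge). The names decodePem, fingerprint, toPem and the type strings are hypothetical, and the sample bytes are constructed placeholders rather than a real certificate.

```javascript
const { createHash } = require("node:crypto");

// Marker label -> block type, following the PEM Decoder's marker list (type names are this example's own).
const PEM_TYPES = new Map([
  ["CERTIFICATE", "certificate"], ["PKCS7", "pkcs7"], ["CMS", "pkcs7"],
  ["CERTIFICATE REQUEST", "csr"], ["NEW CERTIFICATE REQUEST", "csr"],
  ["RSA PRIVATE KEY", "private-key"], ["PRIVATE KEY", "private-key"],
  ["RSA PUBLIC KEY", "public-key"], ["PUBLIC KEY", "public-key"],
]);

// Colon-separated uppercase hex, the format shown on the certificate card.
function fingerprint(der, algorithm) {
  const hex = createHash(algorithm).update(der).digest("hex").toUpperCase();
  return hex.match(/../g).join(":");
}

function decodePem(text) {
  const re = /-----BEGIN ([A-Z0-9 ]+)-----([\s\S]*?)-----END \1-----/g;
  const blocks = [];
  for (const [, label, body] of text.matchAll(re)) {
    const type = PEM_TYPES.get(label);
    if (!type) continue; // marker not in the list above
    // The fingerprint covers the decoded DER bytes, so PEM line wrapping does not matter.
    const der = Buffer.from(body.replace(/\s+/g, ""), "base64");
    const block = { label, type, derLength: der.length };
    if (type === "certificate") {
      block.sha1 = fingerprint(der, "sha1");
      block.sha256 = fingerprint(der, "sha256");
    }
    blocks.push(block);
  }
  if (blocks.length === 0) throw new Error("No recognized PEM markers found.");
  return blocks;
}

// Constructed sample: placeholder bytes standing in for DER, not a real certificate.
const SAMPLE_DER = Buffer.from("constructed placeholder bytes, not a real X.509 certificate");

function toPem(label, der, width) {
  const lines = der.toString("base64").match(new RegExp(`.{1,${width}}`, "g"));
  return `-----BEGIN ${label}-----\r\n${lines.join("\r\n")}\r\n-----END ${label}-----\r\n`;
}

// Same bytes wrapped at 64 and at 20 characters: both blocks get the same fingerprints.
const bundle = toPem("CERTIFICATE", SAMPLE_DER, 64) + toPem("CERTIFICATE", SAMPLE_DER, 20);
console.log(decodePem(bundle));
```

Two PEM files that differ only in line wrapping or line endings produce the same fingerprint, which is why the fingerprint, not the PEM text, is the value to compare.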
Subject Alt Names
If present, the Subject Alternative Names as badges, prefixed by type with DNS:, URI:, IP:, or Email:. For TLS server certificates this is where the covered hostnames appear.
Key Usage and Extended Key Usage
The bits set in the Key Usage extension (e.g. digitalSignature, keyEncipherment, keyCertSign, cRLSign) and the Extended Key Usage (e.g. serverAuth, clientAuth, codeSigning, emailProtection, timeStamping, OCSPSigning), each as badges.
Basic Constraints
Whether the certificate is a CA certificate (CA: Yes/No) and, if set, the path length constraint (Path Length).
PEM export
The footer of each card offers Show PEM (expands the PEM block) and Copy PEM (copies the individual certificate as PEM). This lets you pull a single certificate out of a chain, for instance.
PKCS#7 / CMS and P7M content
For a PKCS#7 or CMS container, the tool first lists the contained certificates (with a count) and renders them as cards. Additionally, it tries to extract the encapsulated content (eContent) directly from the ASN.1 structure — typical for signed .p7m files.
The tool recognises the extracted content via magic bytes: PDF, XML, HTML, ZIP (including Office/OOXML), legacy MS Office files, PNG, JPEG, and GIF; everything else is classified as text or binary data. It shows the type, size, and a suggested download name, plus a preview for text. A Download button saves the content.
Embedded MIME email
If the extracted content looks like a MIME email (headers such as From:/To:/Subject:, a multipart/ content type with a boundary, etc.), the tool breaks it out:
- Headers — From, To, Cc, Bcc, Subject, Date, MIME-Version, Message-ID (RFC 2047-encoded values are decoded).
- Text Body and HTML Body — the HTML part can be toggled between source and a Preview in a sandboxed iframe (sandbox attribute), and copied.
- Attachments — each attachment individually with name, type, and size, plus a Download button; quoted-printable and Base64 are decoded along the way.
- Original (.eml) — the raw MIME source can be downloaded as an .eml file.
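How the header step can work, as an added example for Node.js (not the tool's own code): it unfolds the header block, keeps the header names listed above, and decodes RFC 2047 encoded-words. The function names and the sample message are constructed for this illustration.

```javascript
function decodeEncodedWords(value) {
  // Whitespace between two adjacent encoded-words is dropped (RFC 2047, section 6.2).
  const joined = value.replace(/(\?=)\s+(?==\?[^?\s]+\?[bBqQ]\?)/g, "$1");
  return joined.replace(/=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=/g, (word, charset, enc, text) => {
    let bytes;
    if (enc.toUpperCase() === "B") {
      bytes = Buffer.from(text, "base64");
    } else {
      // Q encoding: "_" stands for a space, "=XX" for one hex-encoded byte.
      const raw = text.replace(/_/g, " ")
        .replace(/=([0-9A-Fa-f]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
      bytes = Buffer.from(raw, "latin1");
    }
    try {
      return new TextDecoder(charset.split("*")[0]).decode(bytes);
    } catch {
      return word; // unknown charset: keep the encoded-word as it is
    }
  });
}

// The header names the manual lists for the Headers section.
const SHOWN = ["from", "to", "cc", "bcc", "subject", "date", "mime-version", "message-id"];

function parseHeaders(rawMessage) {
  // Headers end at the first empty line; a line starting with space or tab continues the previous one.
  const head = rawMessage.split(/\r?\n\r?\n/, 1)[0].replace(/\r?\n[ \t]+/g, " ");
  const headers = {};
  for (const line of head.split(/\r?\n/)) {
    const m = /^([!-9;-~]+):\s*(.*)$/.exec(line);
    if (m && SHOWN.includes(m[1].toLowerCase())) {
      headers[m[1].toLowerCase()] = decodeEncodedWords(m[2]);
    }
  }
  return headers;
}

// Constructed sample message (addresses and subject are made up).
const SAMPLE_EML = [
  "From: =?UTF-8?B?SsO2cmc=?= <joerg@example.com>",
  "To: ops@example.com",
  "Subject: =?UTF-8?Q?Rechnung_f=C3=BCr?=",
  " =?UTF-8?Q?_M=C3=A4rz?=",
  "MIME-Version: 1.0",
  "Content-Type: multipart/mixed; boundary=\"b1\"",
  "",
  "--b1--",
].join("\r\n");
console.log(parseHeaders(SAMPLE_EML));
```

The decoded values are display strings taken from inside the signed content; the sender shown in From is whatever the message author wrote and is not tied to the signer's certificate by this step.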
PKCS#12 / PFX, CSR, and keys
- PKCS#12 / PFX: after entering the password, the contained certificates and private keys are shown. A key card states the type and bit length for RSA and offers PEM export.
- CSR (PKCS#10): subject, public key (RSA bit length), signature algorithm, and — if present in the CSR — the Subject Alternative Names.
- Private key: type (RSA) and bit length, with PEM export.
- Public key: type (RSA) and bit length.
The "Help" tab
Pure in-tool documentation: a table of supported formats, a list each of What This Tool Can Do and What This Tool Cannot Do, plus tips — such as how to export a certificate from your browser (padlock icon in the address bar → certificate details → export as .pem/.crt) and useful OpenSSL commands.
The "Reference" tab
A compact lookup: a table of common PKI file extensions with standard, encoding, and typical content; a certificate field reference (DN components with OIDs, and the most important X.509v3 extensions such as SAN, Key Usage, Basic Constraints, Authority/Subject Key Identifier, CRL Distribution Points, Authority Information Access, Certificate Policies); a collection of OpenSSL commands for viewing, converting, verifying, and fingerprinting; and a short explanation of the PKI trust model (root CA → intermediate CA → end-entity).
Limits and privacy
- Fully client-side: everything runs via node-forge in the browser. There is no server that receives files and no API. Certificates, private keys, and PKCS#12 passwords never leave your device — verifiable in the Network tab.
- Inspection only, no generation: the tool signs and generates nothing — no certificates, no keys, no CSRs.
- No trust validation: it does not validate chains against a CA trust store and performs no OCSP/CRL revocation checks.
- No network access to servers: it opens no TLS connection and cannot fetch server certificates remotely.
- Password-protected private keys cannot be decrypted; only PKCS#12 passwords are supported.
- EC keys: basic detection only — detailed fields currently exist for RSA.
For the introduction and target audiences see the overview page. Concrete walkthroughs are in the examples, strategy and pitfalls in the tips & tricks. You can try everything directly in the tool.