PKI Viewer by

Drop or select a certificate, PKCS#7, PKCS#12, CSR or key file to inspect its contents. Everything runs in your browser.

.pem .crt .cer .der .p7m .p7s .p7c .p12 .pfx .csr .req .key

Paste PEM-encoded data below. Supports certificates, CSRs, keys and PKCS#7 bundles. Multiple PEM blocks are detected automatically.

Supported Formats

| Extension | Format | Description |
|---|---|---|
| .pem | PEM | Base64-encoded with header/footer markers. Can contain certificates, keys, CSRs. |
| .crt / .cer | PEM or DER | X.509 certificate. Auto-detected encoding. |
| .der | DER (binary) | Binary-encoded X.509 certificate. |
| .p7m / .p7s / .p7c | PKCS#7 / CMS | Signed data (P7M/P7S) or certificate bundle (P7C). PEM or DER. |
| .p12 / .pfx | PKCS#12 | Password-protected container with certificate + private key. |
| .csr / .req | PKCS#10 | Certificate Signing Request. PEM or DER. |
| .key | PEM | RSA private or public key. |

What This Tool Can Do

  • Display full certificate details (subject, issuer, validity, extensions)
  • Compute SHA-1 and SHA-256 fingerprints
  • Extract and download encapsulated content from P7M files
  • Detect MIME email messages inside P7M files — parse headers, text/HTML body and extract attachments
  • Open password-protected PKCS#12 containers
  • Inspect Certificate Signing Requests (CSR)
  • Detect and parse multiple PEM blocks in a single input
  • Show key type, size and public key details
  • Check validity period with color-coded status badges
  • Detect self-signed certificates
  • Export individual certificates as PEM
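
The encoding auto-detection, multi-block PEM parsing and fingerprinting listed above can be sketched as follows. This is an added example, not the tool's own code: it assumes Node.js, the names `inspect`, `fingerprint` and `KINDS` are chosen here, and the sample payloads are constructed placeholder bytes rather than real certificates.

```javascript
const crypto = require('node:crypto');

// RFC 7468 textual encoding: BEGIN/END markers around a base64 body.
const PEM_RE = /-----BEGIN ([A-Z0-9 #]+)-----([\s\S]*?)-----END \1-----/g;
// PEM labels mapped to the object kinds listed on this page (names chosen here).
const KINDS = {
  'CERTIFICATE': 'certificate', 'PKCS7': 'pkcs7',
  'CERTIFICATE REQUEST': 'csr', 'NEW CERTIFICATE REQUEST': 'csr',
  'PRIVATE KEY': 'private-key', 'RSA PRIVATE KEY': 'private-key',
  'PUBLIC KEY': 'public-key',
};

// Digest of the DER bytes as colon-separated uppercase hex.
function fingerprint(der, algo = 'sha256') {
  const hex = crypto.createHash(algo).update(der).digest('hex').toUpperCase();
  return hex.match(/../g).join(':');
}

// Takes file contents as a Buffer; returns one entry per detected object.
function inspect(input) {
  const blocks = [];
  for (const m of input.toString('latin1').matchAll(PEM_RE)) {
    const b64 = m[2].replace(/\s+/g, '');
    // Skip bodies that are not pure base64 (e.g. legacy encrypted-key headers).
    if (!/^[A-Za-z0-9+\/]+={0,2}$/.test(b64)) continue;
    blocks.push({ encoding: 'PEM', label: m[1], kind: KINDS[m[1]] || 'unknown',
                  der: Buffer.from(b64, 'base64') });
  }
  // No PEM markers: treat a leading ASN.1 SEQUENCE tag (0x30) as DER (heuristic).
  if (blocks.length === 0 && input.length > 1 && input[0] === 0x30) {
    blocks.push({ encoding: 'DER', label: null, kind: 'unknown', der: input });
  }
  return blocks.map((b) => ({ ...b, sha256: fingerprint(b.der) }));
}

// Constructed sample: placeholder DER-like bytes, not real certificates.
const payloadA = Buffer.from([0x30, 0x03, 0x02, 0x01, 0x01]);
const payloadB = Buffer.from([0x30, 0x03, 0x02, 0x01, 0x02]);
// Wrap DER as PEM with a chosen line width.
const pem = (label, der, width) => [
  `-----BEGIN ${label}-----`,
  ...der.toString('base64').match(new RegExp(`.{1,${width}}`, 'g')),
  `-----END ${label}-----`, ''].join('\n');
const bundle = Buffer.from('stray text between blocks is ignored\n' +
  pem('CERTIFICATE', payloadA, 64) + pem('CERTIFICATE REQUEST', payloadB, 4));

for (const b of inspect(bundle)) console.log(b.kind, b.encoding, b.sha256);
```

Because the fingerprint is taken over the decoded DER bytes, the same object yields the same value whether it arrives as DER or as PEM with any line wrapping.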

What This Tool Cannot Do

  • Validate certificate chains against a CA trust store
  • Perform OCSP or CRL revocation checks
  • Initiate TLS handshakes or test server certificates remotely
  • Decrypt password-protected private keys (only PKCS#12 passwords are supported)
  • Sign or generate certificates
  • Handle elliptic curve (EC) key details beyond basic detection

Tips

Export a certificate from your browser

  1. Click the padlock icon in the address bar
  2. View certificate details
  3. Export / download as .pem or .crt
  4. Drop the file here or paste the PEM text

Useful OpenSSL commands

# View a certificate
openssl x509 -in cert.pem -text -noout

# Convert DER to PEM
openssl x509 -inform der -in cert.der -out cert.pem

# Extract cert from P12
openssl pkcs12 -in file.p12 -clcerts -nokeys -out cert.pem

# View a CSR
openssl req -in request.csr -text -noout

# Extract certs from PKCS#7
openssl pkcs7 -in bundle.p7b -print_certs -out certs.pem

Common PKI File Extensions

| Extension | Standard | Encoding | Typical Content |
|---|---|---|---|
| .pem | RFC 7468 | Base64 (ASCII) | Certificates, keys, CSRs, CRLs |
| .der / .cer | ITU-T X.690 | Binary | Single certificate (DER-encoded) |
| .crt | X.509 | PEM or DER | Certificate (encoding varies by OS) |
| .key | PKCS#1 / PKCS#8 | PEM | Private or public key |
| .csr / .req | PKCS#10 | PEM or DER | Certificate Signing Request |
| .p7b / .p7c | PKCS#7 | PEM or DER | Certificate bundle (no private key) |
| .p7m / .p7s | CMS / PKCS#7 | DER (usually) | Signed/enveloped data |
| .p12 / .pfx | PKCS#12 | Binary | Certificate + private key (password-protected) |
| .ca-bundle | | PEM | Concatenated CA certificates |
| .jks | Java KeyStore | Binary | Java-specific key/cert store (not supported) |

Certificate Fields Reference

Distinguished Name (DN) Components

| Abbr | OID | Field |
|---|---|---|
| CN | 2.5.4.3 | Common Name |
| O | 2.5.4.10 | Organization |
| OU | 2.5.4.11 | Organizational Unit |
| C | 2.5.4.6 | Country (2-letter ISO) |
| ST | 2.5.4.8 | State / Province |
| L | 2.5.4.7 | Locality (City) |
| E | 1.2.840.113549.1.9.1 | Email Address |
| serialNumber | 2.5.4.5 | Serial Number (DN attribute) |

Common X.509v3 Extensions

| Extension | OID | Description |
|---|---|---|
| Subject Alternative Name | 2.5.29.17 | Additional identities (DNS names, IPs, emails) |
| Key Usage | 2.5.29.15 | Permitted key operations (digitalSignature, keyEncipherment, ...) |
| Extended Key Usage | 2.5.29.37 | Purpose (serverAuth, clientAuth, codeSigning, ...) |
| Basic Constraints | 2.5.29.19 | CA flag and path length constraint |
| Authority Key Identifier | 2.5.29.35 | Identifies the issuer's public key |
| Subject Key Identifier | 2.5.29.14 | Hash of the subject's public key |
| CRL Distribution Points | 2.5.29.31 | URLs where CRLs can be retrieved |
| Authority Information Access | 1.3.6.1.5.5.7.1.1 | OCSP responder and CA issuer URLs |
| Certificate Policies | 2.5.29.32 | Policy OIDs and qualifiers |

Common OpenSSL Commands

# --- View / Inspect ---
openssl x509 -in cert.pem -text -noout             # View certificate
openssl req -in request.csr -text -noout            # View CSR
openssl rsa -in key.pem -text -noout                # View RSA key
openssl pkcs7 -in bundle.p7b -print_certs           # List certs in PKCS#7
openssl pkcs12 -in file.p12 -info                   # Inspect PKCS#12

# --- Convert ---
openssl x509 -inform der -in cert.der -out cert.pem             # DER to PEM
openssl x509 -outform der -in cert.pem -out cert.der             # PEM to DER
openssl pkcs12 -in file.p12 -clcerts -nokeys -out cert.pem       # P12 to cert PEM
openssl pkcs12 -in file.p12 -nocerts -nodes -out key.pem         # P12 to key PEM (-nodes: key is written unencrypted)
openssl pkcs12 -export -in cert.pem -inkey key.pem -out file.p12 # PEM to P12

# --- Verify ---
openssl verify -CAfile ca.pem cert.pem              # Verify against CA
openssl s_client -connect host:443 -showcerts       # Fetch server chain

# --- Fingerprints ---
openssl x509 -in cert.pem -fingerprint -sha256 -noout  # SHA-256 fingerprint
openssl x509 -in cert.pem -fingerprint -sha1 -noout    # SHA-1 fingerprint

PKI Trust Model

Public Key Infrastructure (PKI) relies on a hierarchical trust model:

  1. Root CA — Self-signed certificate trusted by operating systems and browsers. Stored in the local trust store.
  2. Intermediate CA — Signed by the Root CA. Issues end-entity certificates. Adds a layer of protection (root key stays offline).
  3. End-entity certificate — Identifies a server, person or device. Signed by an intermediate CA.

When a TLS client connects, the server presents its certificate along with intermediate CA certificates. The client walks the chain up to a trusted root to validate the connection.