About This Tool

Inspect SSL/TLS certificates by fetching them from a URL or pasting PEM-encoded data. The tool decodes the ASN.1 DER structure entirely in your browser and provides a comprehensive analysis including a security assessment.

Information Displayed

Validity status — valid, expiring soon, or expired with days remaining
Subject & Issuer — distinguished names with CN, O, C breakdown
Subject Alternative Names — all DNS names, IPs, emails, URIs
Public key — algorithm (RSA/EC/Ed25519), key size, curve, signature algorithm
Key Usage & Extended Key Usage — digital signature, server/client auth
Authority Info Access — OCSP and CA Issuer URLs
Certificate Transparency — SCT presence check
SHA-256 fingerprint — computed in-browser via Web Crypto
Security assessment — key strength, signature algorithm, validity duration, CT compliance

How to Use

Enter a URL and click Fetch to download the certificate, or paste PEM data directly
Click Inspect Certificate to decode and analyze
Review all certificate details and security findings

Privacy

All certificate parsing and analysis happens entirely in your browser. When fetching by URL, public CT log APIs are used (certspotter, crt.sh) — no server-side proxy. For private/internal certificates, use the PEM paste option or the openssl commands below.

Linux Command Reference

You can inspect certificates from the terminal using openssl:

Download & Save Certificate

echo | openssl s_client -connect jmrp.io:443 -servername jmrp.io 2>/dev/null | openssl x509 > cert.pem

(certificate saved to cert.pem)

Quick Certificate Summary

echo | openssl s_client -connect jmrp.io:443 -servername jmrp.io 2>/dev/null | openssl x509 -noout -subject -issuer -dates -fingerprint -sha256

subject=CN=jmrp.ioissuer=C=US, O=Let's Encrypt, CN=E7notBefore=Jan 3 14:02:05 2026 GMTnotAfter=Apr 3 14:02:04 2026 GMTsha256 Fingerprint=31:B2:A8:53:45:F8:CE:34:AE:20:FE:83:31:07:9C:5D:66:56:DB:29:...

View Subject Alternative Names

echo | openssl s_client -connect jmrp.io:443 -servername jmrp.io 2>/dev/null | openssl x509 -noout -ext subjectAltName

X509v3 Subject Alternative Name: DNS:*.jmrp.io, DNS:jmrp.io

Full Certificate Details

echo | openssl s_client -connect jmrp.io:443 -servername jmrp.io 2>/dev/null | openssl x509 -noout -text | head -25

Certificate: Data: Version: 3 (0x2) Serial Number: 05:fc:45:dd:04:c9:dc:90:3a:35:bd:76:be:e2:1b:f7:e6:b6 Signature Algorithm: ecdsa-with-SHA384 Issuer: C=US, O=Let's Encrypt, CN=E7 Validity Not Before: Jan 3 14:02:05 2026 GMT Not After : Apr 3 14:02:04 2026 GMT Subject: CN=jmrp.io Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) ASN1 OID: prime256v1 NIST CURVE: P-256

Check Expiry (30 days)

# Check if certificate expires within 30 days (2592000 seconds) echo | openssl s_client -connect jmrp.io:443 -servername jmrp.io 2>/dev/null | openssl x509 -noout -checkend 2592000 # Exit code 0 = OK, 1 = expiring soon

Certificate will not expire

TLS Handshake & Chain

depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1depth=1 C=US, O=Let's Encrypt, CN=E7depth=0 CN=jmrp.ioNew, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384Protocol: TLSv1.3Verify return code: 0 (ok)

Verify Certificate Chain

# Verify a certificate against the system CA bundle openssl verify cert.pem # Verify with explicit CA chain openssl verify -CAfile chain.pem cert.pem

cert.pem: OK

Monitor Expiry (cron script)

# Add to crontab: check daily, alert if expiring in 14 days for domain in jmrp.io example.com; do if ! echo | openssl s_client -connect "$domain:443" \ -servername "$domain" 2>/dev/null | \ openssl x509 -noout -checkend 1209600 2>/dev/null; then echo "WARNING: $domain cert expires within 14 days" fi done

(no output = all certificates OK)

See Secure Nginx with Client Certificates for a guide on mutual TLS authentication.

Certificate Inspector