by Thameur Belghith — PKI & Trust Services Engineer

WebPKI Tools, Compliance & Certificate Engineering

Tools for people who would rather catch problems before Chrome does.

Built with enough vigilance to survive Bugzilla.

zlint pkilint x509lint CCADB ACME CT Logs RFC 3161 TSA eIDAS / AdES CABF BRs Root Programs

Explore Tools About

About

What this site is

A free, no-account toolbox for PKI practitioners and CA auditors. It covers certificate linting (pkilint, zlint, x509lint in one shot), CP/CPS-to-BR audit mapping, a universal artifact parser for certificates, CRLs, OCSP, timestamp tokens, and more. It also provides a live ACME endpoint for testing, a CCADB browser with browser trust status and inline chain linting, an e-seal signer, and a curated directory of the best community tools. Built to close the gap between what the BRs require and what most teams have to check against it.

Who built it

I work in PKI and Trust Services. Day-to-day: certificate profile engineering, CA system design, CPS/CP authoring, compliance against the CA/Browser Forum Baseline Requirements, audit support. These tools started as internal utilities for problems I kept running into. I open-sourced them because the gap between what the BRs require and what most teams have available to check against it is real — and not worth solving from scratch every time.

LinkedIn Contact

Areas of Focus

WebPKI & CA/Browser Forum Compliance
X.509 Certificate Profile Engineering
CPS / CP Authoring & Audit Support
CCADB & Root Program Management
Certificate Transparency (CT Logs)
ACME & Automated Certificate Management
Revocation Infrastructure (OCSP / CRL)
eIDAS / EU Trust Services (eSeals, TSA)

Certificate Repository

Public CA material, CRLs, and issued test certificates for the Meerkat TLS and MPCA hierarchies.

TLS Certificate Repository Browse the TLS test CA hierarchy, issuing CA certificates, CRLs, OCSP references, and certificates issued by the TLS Factory and ACME service. Open /htmldir/tls → MPCA Certificate Repository Inspect the multi-purpose CA hierarchy for S/MIME, client authentication, code signing, TSA, e-Seal, OCSP responder, and related test profiles. Open /htmldir/mpca →

PKI Tools

Free, browser-based tools for PKI practitioners, CA auditors, and security engineers.

Certificate Issuance & Test CAs

🔑

CSR Generator

Build a Certificate Signing Request with full control over the key algorithm (RSA, ECDSA, Ed25519), curve or key size, and signature hash. Compose the Subject DN field-by-field from a complete OID-annotated list — deprecated attributes flagged — with SAN support for DNS, IP, email, and URI.

CSR RSA ECDSA Ed25519 SAN

Open Tool →

🏭

Meerkat TLS Certificate Factory

Issue BR-compliant DV TLS certificates from the Meerkat Test CA. Accepts a CSR or generates one on-the-fly from a list of domains. Only DNS SANs accepted — no IPs, no email. Subject CN is derived from the first SAN; all other CSR fields are stripped.

Test CA BR Compliance DV TLS RSA

Open Tool →

🏛️

Meerkat MPCA Factory

Issue multi-purpose test certificates from the Meerkat private CA hierarchy. Supports S/MIME (MV Multipurpose & Signing), Client Authentication, Document Signing (AdES/RFC 9336), and Code Signing OV. Profile-driven — extensions, policies, and validity are enforced per CA/B Forum requirements.

S/MIME Code Signing Client Auth AdES

Open Tool →

⚙️

Meerkat ACME Web Service

Issue 90-day DV TLS test certificates with standard RFC 8555 clients. Supports account creation, terms acceptance, http-01 and dns-01 validation, RSA and ECC certificate trees, embedded CT SCTs, renewal as fresh issuance, and revocation.

ACME RFC 8555 DV TLS CT

View Endpoint →

Trust Service Endpoints

⚡

ACME Test Endpoint Demo

A live reference implementation of an automated certificate renewal endpoint as required by the Chrome Root Program and validated by Mozilla. Demonstrates RFC 8555 renewal verification in a production environment.

ACME RFC 8555 Chrome Root

View Endpoint →

🌳

Meerkat CT Log

An RFC 6962-compliant Certificate Transparency log for testing. Accepts precertificate chains and returns cryptographically valid SCTs signed by one of 8 randomised fake log identities. Includes full API reference and integration guide.

RFC 6962 CT Log SCT Precertificate

View Endpoint →

⏱

Meerkat TSA

A fully RFC 3161-compliant Time Stamping Authority for testing. Submit a DER-encoded timestamp request and receive a cryptographically valid TimeStampResp signed by the Meerkat TSA. Supports SHA-256, SHA-384, and SHA-512. Includes integration guide and verification instructions.

RFC 3161 TSA SHA-256 SHA-512

View Endpoint →

🖊️

Meerkat e-Seal API

REST signing endpoint issuing CAdES (CMS) or XAdES (XML) signatures from the Meerkat e-Seal authority (eIDAS / ETSI EN 319 412-3). Optional RFC 3161 timestamp for T-level. Includes curl, Python, and JavaScript integration examples.

eIDAS CAdES XAdES ETSI

View Endpoint →

Service Clients & Signers

🕰️

Meerkat TimeStampIt

Paste a SHA-256, SHA-384, or SHA-512 hash digest to receive a cryptographically signed RFC 3161 timestamp token from the Meerkat TSA. Download the signed .tsr and inspect the full timestamp response inline — no CLI required.

RFC 3161 TSA Timestamp IETF

Open Tool →

🔏

Meerkat e-Seal Signer

Paste a hash digest to receive a CAdES (CMS) or XAdES (XML) e-Seal signature, with or without an RFC 3161 timestamp (T level). Download the token and inspect it inline or send it to the Artifact Parser.

eIDAS CAdES XAdES ETSI

Open Tool →

🌳

CT Log Auditor

Paste, upload, or fetch a TLS certificate and audit every embedded Signed Certificate Timestamp: verify ECDSA signatures, confirm Merkle tree inclusion with an audit proof, and inspect log identity against the Meerkat CT log pool.

CT RFC 6962 Merkle SCT

Open Tool →

Inspection & Compliance

🔬

ACME Endpoint Tester

Validate any RFC 8555 ACME endpoint end-to-end: directory field checks, account creation (with optional EAB), order placement, http-01 and dns-01 challenges, certificate issuance, revocation, and ARI. Captures all raw protocol exchanges for a downloadable evidence report.

ACME RFC 8555 http-01 dns-01 ARI

Open Tool →

🧾

Meerkat Multi-Linter

Run a certificate through zlint, pkilint, and x509lint simultaneously. Flags policy violations and RFC 5280 issues with direct references to the failing requirements.

zlint pkilint x509lint

Open Tool →

🐾

MeerLint — Bulk Linter

Drop in a PEM bundle of up to 1 000 certificates — chains, mixed files, CSV exports. MeerLint runs every block through zlint and surfaces errors and warnings with a live progress counter. Pure static analysis — no external calls, no timeouts.

Bulk zlint RFC 5280 Batch

Open Tool →

🔍

Meerkat Artifact Parser

Paste or upload any PKI artifact — certificate, CSR, CRL, OCSP response, public key, PKCS#7, or timestamp token — and get an instant structured breakdown. Supports PEM and DER. Private key material is detected and rejected server-side.

X.509 CSR CRL PKCS#7 RFC 3161

Open Tool →

📋

CP/CPS BR Audit Mapper

Upload or link to a CP/CPS document and get a checklist-backed audit triage map: RFC 3647 structure, likely CAB Forum BR coverage, matched evidence, and review gaps.

Experimental CPS BR CABF

Open Tool →

🗄️

CCADB Browser

Browse all CCADB root and intermediate CA certificates grouped by CA owner. Shows browser trust status (Chrome, Mozilla, Apple, Microsoft), audit info, EKU capabilities, and policy OIDs. Includes inline chain linting. Updated weekly.

CCADB Root Programs Browser Trust Chain Lint

Open Tool →

🧭

OID Explorer

Search registered PKI OIDs and CCADB certificate policy OIDs by dot string, policy name, CA owner, certificate name, or keyword. Shows registry metadata, CCADB usage counts, and example CA certificates.

OID CCADB Policies X.509

Open Tool →

🔎

DNS CAA & DCV Checker

Check DNS CAA records, DNSSEC status, and DCV challenge configuration for one or more domains across multiple public resolvers and the domain's own authoritative DNS. Interprets CAA policies in plain language.

CAA DNSSEC DCV DNS-01

Open Tool →

🔐

mTLS Inspector

Inspect the client certificate your browser presents during mutual TLS authentication. Validates EKU, Key Usage, and the mTLS client auth profile. Displays all certificate fields and extensions with pkimetal RFC 5280 compliance findings.

mTLS Client Auth X.509 EKU

Open Tool →

📦

Certificate Container Converter

Convert PKI containers between P12/PFX, Apple legacy P12, Java keystores, PEM bundles, DER, P7B, and Kubernetes TLS secrets. Detects format automatically, validates contents, handles password-protected inputs, and offers only valid conversion targets.

PKCS#12 JKS PEM DER Kubernetes

Open Tool →

Certificate Repository

🌐

Meerkat TLS Certificate Repository

Browse the Meerkat Test CA hierarchy for TLS certificates. Lists root and issuing CAs with downloadable CRT, DER, and PEM artifacts alongside issued certificate records — validity status, revocation state, serial, and fingerprint.

TLS Test CA CRL Repository

Browse →

🏛️

Meerkat MPCA Certificate Repository

Browse the Meerkat Multi-Purpose CA hierarchy. Lists root and issuing CAs covering S/MIME, Code Signing, Client Authentication, and Document Signing profiles with downloadable CA artifacts and issued certificate records.

S/MIME Code Signing Client Auth Repository

Browse →

Articles

In-depth guides on PKI tools, CA audit workflows, and WebPKI compliance.

Tool Guide 05 Jun 2026

CCADB Browser: Navigate CA Certificate Records Without the Pain

CCADB.org is the authoritative source for public CA data — but its raw interface was not built for quick lookups. This guide covers every fe...

CCADB WebPKI CA Audit Certificate Linting

Read article →

View all articles →

Get in Touch

Questions about the tools, a result that looks wrong, PKI consulting, or just want to connect.

Your name *

Your email *

Topic *

Message *