thameur.org Test CA

About Tools News Community References Contact

Meerkat TLS Test Certificate Factory

Issue a BR-compliant DV TLS certificate from the Meerkat Test CA. Only DNS SANs are accepted — IPs, email addresses, and other SAN types are rejected. CN is always derived from the first DNS SAN; all other CSR fields are stripped. RSA ≥ 2048 only.

⚠ Test use only. Certificates from this CA are not trusted by any browser or OS and must never be used to secure real services.

📄

Drop a .pem or .csr file here, or click to browse

⚠ No private key will be delivered. A throw-away 2048-bit RSA key is generated server-side and discarded immediately after signing. Use this option only to test how a certificate looks — never to secure a real service.

Separate multiple domains with commas. No IPs, or internal names.

Enforce Domain Control Validation (DCV)

HTTP /.well-known/pki-validation/ DNS TXT _pki-validation DNS CNAME _pki-validation → TOKEN.dcv TLS-ALPN port 443, acme-tls/1

Place a file at each domain's /.well-known/pki-validation/TOKEN URL containing exactly the token value.

✕

DCV Challenge

HTTP

✕

✔ Certificate Issued

⚠ This is a precertificate (RFC 6962). It contains the CT poison extension (OID 1.3.6.1.4.1.11129.2.4.3, critical) and cannot be used for TLS. It is intended for submission to Certificate Transparency logs and linter testing only.

Chain: Meerkat Root CA → Meerkat Test Issuing CA 1 → this certificate
Install the Root CA to trust this cert locally for linter testing. PKI repository: pki.thameur.org

Revocation reason:

© 2026 Thameur Belghith

Home PKI References Privacy Policy me@thameur.org

We use cookies to serve ads (Google AdSense) and analyse traffic. See our Privacy Policy for details. You can opt out at any time via your browser settings or Google's Ad Settings.