Community PKI Tools

Interactive ASN.1 tree viewer by Lapo Luchini. Paste a PEM or base64/hex DER blob and explore every field of the structure — offsets, lengths, and raw hex included.

Parses X.509 certificates into human-readable fields: subject, issuer, SANs, extensions, and validity. Useful as a quick sanity-check before deeper linting. No account required.

Web front-end for pkilint, the CA/Browser Forum–aligned certificate linter by Paul van Brouwershaven (DigiCert). Checks CABF TLS, S/MIME, and CS profiles. Returns structured findings with requirement references.

Run zlint, pkilint, and x509lint simultaneously on the same certificate, or pull a live cert from any domain. Flags CABF BR violations and RFC 5280 issues with direct requirement references. Includes OCSP and CRL revocation checks.

Analyses HTTP security headers, CSP, HSTS, subresource integrity, cookies, and X-Frame-Options. Gives a grade and actionable recommendations. Operated by Mozilla Foundation.

Reference site from the Google Chrome team. Each subdomain deliberately misconfigures TLS in a specific way — expired cert, self-signed, wrong host, RC4, SHA-1, etc. — letting you test how your browser or HTTP client handles each case.

The most comprehensive open-source TLS analysis tool, written in bash. Tests protocol support, cipher suites, key exchange, certificate chain, OCSP stapling, HSTS, vulnerabilities (POODLE, BEAST, ROBOT…), and more.

Reference implementation of the EU's DSS (Digital Signature Service) library (LGPL). Validates and creates AdES-compliant signatures: CAdES, XAdES, PAdES (PDF), and JAdES. Source on GitHub (esig/dss).

ETSI's own conformance checking service for AdES digital signatures (CAdES, XAdES, PAdES). Tests compliance against ETSI EN 319 100-series standards. Particularly useful for eIDAS qualified signature validation.

Sectigo's CT log search engine — the most widely used public interface to the Certificate Transparency ecosystem. Search by domain, organisation, certificate fingerprint, or serial.

Google's Certificate Transparency monitoring and reporting tool. Check whether a certificate has been logged, view recent CT log additions, and access the authoritative Chrome CT log list.

Diagnoses why Let's Encrypt or any ACME CA might fail to validate a domain. Simulates HTTP-01 and DNS-01 challenges, checks CAA records, firewall behaviour, and multi-perspective reachability. By Andrew Ayer (SSLMate).

Visual analysis and debugging of the DNSSEC chain of trust for any domain. Renders the entire delegation path from root → TLD → zone with coloured status indicators for each signature, key, and DS record.

Chrome/Firefox HSTS preload list submission and eligibility checker. Verifies that your domain meets the strict requirements (valid HTTPS, max-age ≥ 1 year, includeSubDomains, preload directive) before applying for preloading.

Checks CAA (Certification Authority Authorization) DNS records for any domain. Shows which CAs are authorised to issue, which issuewild / iodef properties are set, and whether the record is valid. By Rob Stradling (Sectigo researcher).

Community-maintained OID registry. Paste any OID in dotted notation and get its name, description, owning organisation, and the standards that define it. Covers the full arc tree including PKIX, PKCS, ETSI, CAB Forum, and vendor arcs.

The authoritative source for all IETF RFCs. Full-text search, cross-references between documents, errata tracking, and machine-readable formats. Operated by the IETF/IASA.