Community PKI Tools

Interactive ASN.1 tree viewer by Lapo Luchini. Paste a PEM or base64/hex DER blob and explore every field of the structure — offsets, lengths, and raw hex included. The gold standard for ad-hoc ASN.1 inspection.

Parses X.509 certificates into human-readable fields: subject, issuer, SANs, extensions, and validity. Useful as a quick sanity-check before deeper linting. No account required.

Web front-end for pkilint, the CA/Browser Forum–aligned certificate linter by Paul van Brouwershaven (DigiCert). Checks CABF TLS, S/MIME, and CS profiles. Returns structured findings with requirement references. Code on GitHub (digicert/pkilint).

Run zlint, pkilint, and x509lint simultaneously on the same certificate, or pull a live cert from any domain. Flags CABF BR violations and RFC 5280 issues with direct requirement references. Includes OCSP and CRL revocation checks.

Analyses HTTP security headers, CSP, HSTS, subresource integrity, cookies, and X-Frame-Options. Gives a grade and actionable recommendations. Operated by Mozilla Foundation; source on GitHub (mozilla/http-observatory).

Reference site from the Google Chrome team. Each subdomain deliberately misconfigures TLS in a specific way — expired cert, self-signed, wrong host, RC4, SHA-1, etc. — letting you test how your browser or HTTP client handles each case. Code on GitHub (chromium/badssl.com).

The most comprehensive open-source TLS analysis tool, written in bash. Tests protocol support, cipher suites, key exchange, certificate chain, OCSP stapling, HSTS, vulnerabilities (POODLE, BEAST, ROBOT …), and more. Primarily a CLI tool; community-hosted web front-ends exist.

Reference implementation of the EU's DSS (Digital Signature Service) library (LGPL). Validates and creates AdES-compliant signatures: CAdES, XAdES, PAdES (PDF), and JAdES. Accepts signed documents, returns a detailed conformance report. Source on GitHub (esig/dss).

ETSI's own conformance checking service for AdES digital signatures (CAdES, XAdES, PAdES). Tests compliance against ETSI EN 319 100-series standards. Particularly useful for eIDAS qualified signature validation.

Sectigo's CT log search engine — the most widely used public interface to the Certificate Transparency ecosystem. Search by domain, organisation, certificate fingerprint, or serial. Surfaces all logged certificates and precertificates, and renders full parsed certificate details.

Google's Certificate Transparency monitoring and reporting tool. Check whether a certificate has been logged, view recent CT log additions, and access the authoritative Chrome CT log list. Essential for verifying that your certificates are CT-compliant.

Diagnoses why Let's Encrypt or any ACME CA might fail to validate a domain. Simulates HTTP-01 and DNS-01 challenges, checks CAA records, firewall behaviour, and multi-perspective reachability. By Andrew Ayer (SSLMate). Source on GitHub (letsdebug/letsdebug).

Visual analysis and debugging of the DNSSEC chain of trust for any domain. Renders the entire delegation path from root → TLD → zone with coloured status indicators for each signature, key, and DS record. Source on GitHub (dnsviz/dnsviz).

Chrome/Firefox HSTS preload list submission and eligibility checker. Verifies that your domain meets the strict requirements (valid HTTPS, max-age ≥ 1 year, includeSubDomains, preload directive) before applying for preloading. Source on GitHub (chromium/hstspreload).

Checks CAA (Certification Authority Authorization) DNS records for any domain. Shows which CAs are authorised to issue, which issuewild / iodef properties are set, and whether the record is valid. By Rob Stradling (Sectigo researcher).

Community-maintained OID registry. Paste any OID in dotted notation and get its name, description, owning organisation, and the standards that define it. Covers the full arc tree including PKIX, PKCS, ETSI, CAB Forum, and vendor arcs.

The authoritative source for all IETF RFCs. Full-text search, cross-references between documents, errata tracking, and machine-readable formats. Operated by the IETF/IASA. Indispensable for reading the specifications behind every PKI standard.