Meerkat TLS Test Certificate Factory

Issue a BR-compliant DV TLS certificate from the Meerkat Test CA. Only DNS SANs are accepted — IPs, email addresses, and other SAN types are rejected. CN is always derived from the first DNS SAN; all other CSR fields are stripped. Accepted keys: RSA ≥ 2048 or ECDSA P-256/P-384/P-521.

Test use only. Certificates from this CA are not trusted by any browser or OS and must never be used to secure real services.
Certificate repository Browse TLS CA material and issued certificates at /htmldir/tls →
📄

Drop a .pem or .csr file here, or click to browse

When checked the subject will be an empty sequence and the SAN extension is the sole source of domain names, as recommended by the Baseline Requirements.

Adds subjectKeyIdentifier = hash to the issued certificate. Use this to produce reproducer certificates for linter bug reports. Leave unchecked for normal issuance.

We use only essential cookies and local browser storage for preferences and security. See our Privacy Policy for details.

Confirm action