TLS cert chain validator

Per RFC 5280 + RFC 6962

Paste a PEM chain (fully local) or probe port 25/465/587/143/993/443 over STARTTLS or direct TLS. Shows SAN, validity, key strength and SCTs, and detects chain-order mistakes.

What is this, and when do I need it?

What is this?

Parse and validate an X.509 certificate chain. There are two modes: Probe opens a real TCP connection to a host:port and captures the chain via STARTTLS (SMTP/IMAP) or direct TLS (HTTPS/SMTPS/IMAPS/DoT); PEM paste runs entirely in your browser. For each certificate the tool shows subject, issuer, validity, SAN, key, signature algorithm and SCTs. It flags chain-order mistakes (such as an nginx misconfiguration where the intermediate is sent in the wrong order), expired intermediates, weak keys (RSA < 2048, SHA-1), zero or a single SCT (Chrome rejects these), and EE-as-CA misconfiguration.
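The checks listed above, sketched as an added example that is not this tool's own code. It works on already-parsed certificate fields; the field names, the finding codes, the name-only issuer matching and the reading of "EE-as-CA" as a non-leaf certificate without CA:TRUE are assumptions.

```javascript
// Added example. Field names (subject, issuer, isCA, keyBits, ...) are assumed,
// not the tool's schema. Linking is by name only; real validation also verifies signatures.
const NOW = Date.parse("2025-01-01T00:00:00Z"); // fixed clock for reproducible results

function checkChain(chain, now = NOW) {
  const findings = [];
  const add = (cert, code) => findings.push({ cert, code });
  chain.forEach((c, i) => {
    const last = i === chain.length - 1;
    // Order: each certificate must be issued by the one sent right after it.
    if (c.subject === c.issuer) {
      if (!last) add(i, "order:self-signed-not-last");
    } else if (!last && c.issuer !== chain[i + 1].subject) {
      const elsewhere = chain.some((o, j) => j !== i && o.subject === c.issuer);
      add(i, elsewhere ? "order:issuer-misplaced" : "chain:issuer-missing");
    }
    if (now < Date.parse(c.notBefore) || now > Date.parse(c.notAfter)) {
      add(i, "validity:outside-window");
    }
    if (c.keyAlg === "RSA" && c.keyBits < 2048) add(i, "key:rsa-under-2048");
    if (/sha-?1(?!\d)/i.test(c.sigAlg)) add(i, "sig:sha1");
    // Assumed reading of "EE-as-CA": a non-leaf certificate without CA:TRUE.
    if (i > 0 && !c.isCA) add(i, "ca:issuer-not-ca");
  });
  // The SCT count is checked on the leaf only.
  if (chain.length && (chain[0].scts || 0) < 2) add(0, "sct:fewer-than-two");
  return findings;
}

// Constructed sample: leaf, then root, then intermediate (wrong order on the wire).
const sample = [
  { subject: "CN=mail.example.test", issuer: "CN=Example Intermediate", isCA: false,
    notBefore: "2024-11-01", notAfter: "2025-02-01", keyAlg: "RSA", keyBits: 2048,
    sigAlg: "sha256WithRSAEncryption", scts: 1 },
  { subject: "CN=Example Root", issuer: "CN=Example Root", isCA: true,
    notBefore: "2015-01-01", notAfter: "2035-01-01", keyAlg: "RSA", keyBits: 4096,
    sigAlg: "sha256WithRSAEncryption" },
  { subject: "CN=Example Intermediate", issuer: "CN=Example Root", isCA: true,
    notBefore: "2019-01-01", notAfter: "2024-06-01", keyAlg: "RSA", keyBits: 1024,
    sigAlg: "sha1WithRSAEncryption" },
];
console.log(checkChain(sample).map((f) => `cert ${f.cert}: ${f.code}`).join("\n"));
```

Sending the same three certificates as leaf, intermediate, root clears both order findings; the expired, weak-key, SHA-1 and SCT findings remain because they belong to the certificates themselves.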

When do I need it?

Before a cert rotation, when diagnosing "Java client rejects but browser accepts" issues, when investigating Chrome's "NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED", or as a quick SOC forensic check on a cert someone just emailed you.

Server path: in probe mode this tool does NOT run locally in the browser. We open a real TCP connection to the target host:port and negotiate TLS or STARTTLS to capture the cert chain. We do not log the host or the result. Probes are limited to 12 requests per minute per IP.

25 / 587 = SMTP STARTTLS, 465 = SMTPS direct, 143 = IMAP STARTTLS, 993 = IMAPS direct, 443 = HTTPS direct, 853 = DoT direct. The protocol is derived from the port; you can override below.
