What is this?
Parse and validate an X.509 certificate chain. Two modes: Probe opens a real TCP connection to a host:port and captures the chain via STARTTLS (SMTP/IMAP) or direct TLS (HTTPS/SMTPS/IMAPS/DoT); PEM paste runs entirely in your browser. The tool shows per-cert subject/issuer/validity/SAN/key/sig-algo/SCTs and flags chain-order mistakes (nginx misconfig where the intermediate is sent in wrong order), expired intermediates, weak keys (RSA < 2048, SHA-1), zero/single SCT (Chrome rejects), and EE-as-CA misconfiguration.
When do I need it?
Before a cert rotation, when diagnosing "Java client rejects but browser accepts" issues, when investigating Chrome's "NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED", or as a quick SOC forensic check on a cert someone just emailed you.