X.509 Certificate Parser
指导
X.509 Certificate Parser
Parse and inspect X.509 certificates and CSRs from PEM format. Instantly see the subject, issuer, validity dates, serial number, public key details, signature algorithm, SAN (Subject Alternative Names), key usage extensions, and full field breakdown — without uploading the certificate to any server.
如何使用
Paste your PEM-encoded certificate (beginning with -----BEGIN CERTIFICATE-----) or CSR into the input field, or use the built-in example. Click Parse to see all certificate fields displayed in a structured table.
特征
- PEM certificate parsing – X.509 v1/v2/v3 and CSR support
- Full field display – subject, issuer, validity, serial, public key, SAN, extensions
- Key usage detection – identifies Digital Signature, Key Encipherment, CA flag, and more
- Signature algorithm – shows the signing algorithm (RSA-SHA256, ECDSA, etc.)
- Built-in example – real certificate for immediate testing
- 仅客户端 – certificates never leave your browser
常问问题
-
What is an X.509 certificate and what does it contain?
An X.509 certificate is a digitally signed document that binds a public key to an identity (domain, organisation, or person). It contains: version, serial number, signature algorithm, issuer DN, validity period (notBefore/notAfter), subject DN, public key info (algorithm + key), and extensions (SAN, key usage, basic constraints, CRL distribution points, OCSP URL). The CA signs the certificate’s TBSCertificate structure to produce the final certificate.
-
What is the difference between DV, OV, and EV certificates?
Domain Validation (DV) certificates verify only that the applicant controls the domain, via DNS or HTTP challenge. Organisation Validation (OV) certificates additionally verify the legal organisation identity through documentation. Extended Validation (EV) certificates require the most rigorous vetting including legal existence, physical address, and phone verification. DV is sufficient for encryption; OV/EV provide identity assurance for higher-trust scenarios.
-
What are Subject Alternative Names (SAN) and why are they important?
SAN (RFC 5280) is an X.509v3 extension that lists all domain names and IP addresses a certificate is valid for. Modern browsers (since 2017) only use SAN for hostname validation and ignore the Common Name (CN) field for this purpose. A certificate without SAN will be rejected even if the CN matches. Wildcard SANs (*.example.com) match one subdomain level only and do not cover the apex domain or deeper subdomains.
-
What does certificate chain validation involve?
Chain validation verifies that each certificate in the chain is signed by the next certificate up to a trusted root CA. The browser/OS maintains a trust store of pre-installed root CA certificates. Validation checks: signature validity at each level, validity period, key usage extensions, revocation status (CRL or OCSP), and that the issuing CA has the CA:TRUE basic constraint. A chain is valid only if all checks pass at every level.
