Certificate Checker
Analyze X.509 certificates for compliance, security issues, and best practices.
Analyze Your X.509 Certificate
Upload your certificate file, paste the certificate content, or fetch directly from a URL to get an immediate security and compliance analysis.
Enter a URL to fetch the certificate from a server (e.g., https://example.com:443)
Supported input methods:
- URL: Fetch certificate directly from a server (HTTPS/TLS)
- File Upload: Upload certificate files (.crt, .cer, .pem, .der, .p7b, .p7c)
- Text Paste: Paste PEM format or base64 encoded certificate content
What we check with Zlint:
- Certificate validity and expiration
- Key strength and cryptographic algorithms
- Certificate Authority compliance (CA/Browser Forum)
- RFC 5280 X.509 standard compliance
- Subject Alternative Names (SAN) validation
- Certificate chain and trust path analysis
- Security best practices and vulnerabilities
Validation Checks & Standards
Our certificate analyzer uses the industry-standard certificate linting tool, to perform comprehensive validation against multiple standards and CA requirements.
CA/Browser Forum Baseline Requirements
Certificate Validity Period
Validates that certificates don't exceed the maximum 825-day validity period for public certificates. Best Practice: Use shorter validity periods for better security.
Domain Validation Requirements
Ensures proper domain validation including FQDN format, wildcard restrictions, and SAN requirements. Best Practice: Include all domain names in Subject Alternative Names.
Key Usage and Extended Key Usage
Validates proper key usage extensions and ensures they match the certificate's intended purpose. Best Practice: Use specific key usage values for certificate type.
RFC 5280 X.509 Standards
Certificate Structure Validation
Ensures proper ASN.1 encoding, field formats, and certificate structure compliance. Best Practice: Follow RFC 5280 specifications for maximum compatibility.
Extension Criticality
Validates proper use of critical and non-critical extensions according to RFC specifications. Best Practice: Mark extensions as critical only when required.
Name Constraints and Policies
Checks certificate policies, name constraints, and policy mapping extensions. Best Practice: Use appropriate certificate policies for intended use.
Cryptographic Security
Key Strength Validation
Ensures RSA keys are at least 2048 bits and ECDSA keys use secure curves. Best Practice: Use 2048-bit RSA minimum, prefer ECDSA P-256 or stronger.
Signature Algorithm Security
Detects weak signature algorithms like SHA-1 and MD5 that are cryptographically broken. Best Practice: Use SHA-256 or stronger hash algorithms.
Certificate Chain Validation
Validates certificate chain structure, path length constraints, and trust relationships. Best Practice: Maintain proper certificate hierarchy and constraints.
Browser-Specific Requirements
Mozilla Root Store Policy
Validates compliance with Mozilla's Certificate Authority Certificate Policy requirements. Best Practice: Follow Mozilla guidelines for broad browser compatibility.
Apple Certificate Transparency
Checks for Certificate Transparency compliance and SCT requirements for Apple platforms. Best Practice: Include SCTs for certificates used on Apple platforms.
Chrome Certificate Policies
Validates against Chrome's certificate requirements and security policies. Best Practice: Follow Chrome's evolving security requirements.