Your all-in-one browser-based toolkit for SSL certificate management. Generate self-signed certificates, decode CSRs, and verify certificate details securely and efficiently.
Create a private key and a self-signed X.509 certificate. Ideal for development, testing, or internal use cases where a CA-signed certificate is not required.
Paste your Certificate Signing Request (CSR) to instantly decode and verify its contents, including the common name, organization, and public key.
Decode any PEM-encoded SSL certificate to inspect its details, such as the subject, issuer, signature algorithm, and expiration date.
Generate a Certificate Signing Request (CSR) and a new private key to send to a Certificate Authority for signing.
Quickly generate a new RSA private and public key pair in PEM format, with your choice of key size. Essential for creating new CSRs and certificates.
Convert certificates and keys between common formats, including PEM, DER, P7B, and PFX. A versatile tool for ensuring interoperability.
Command reference to convert Java KeyStore (JKS) and PKCS#12 (.p12/.pfx). Includes a client‑side PKCS#12 validator and JKS → PKCS#12 converter. The converter attempts to decrypt the private key from JKS with your password; if it is not decryptable, upload the matching private key PEM to export PKCS#12.
keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKSkeytool -list -v -keystore keystore.jksProfessional SSL certificate management made simple. Generate, manage, and monitor your SSL certificates with ease.
Thank you! We'll notify you when we launch.
Use this generator to create a new RSA private key and self-signed X.509 certificate entirely in your browser. Configure subject fields (CN, O, OU, L, ST, C), choose key size (2048/4096), set validity, and select the signing algorithm. Outputs are PEM‑encoded files, including an optional CSR, and no data leaves your device.
Create a Certificate Signing Request (CSR) from an existing private key or generate a new RSA key on the fly. Set subject attributes and add Subject Alternative Names (SANs). The result is a PEM CSR beginning with -----BEGIN CERTIFICATE REQUEST-----. For security, keep private keys local.
Generate a new RSA private and public key pair.
Upload leaf and intermediate certificates to auto-order, validate, and export a bundle.
Build commands for extracting public keys, verifying chains, and checking OCSP locally. When you upload a certificate, the OCSP URL is auto‑populated from its AIA extension when available; you can edit or override the URL manually.
Use this tool to decode and verify your PEM‑encoded CSR. A CSR is a text block containing your subject details and public key, typically enclosed between -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- tags. Paste your CSR below to review Common Name, SANs, and other fields before submission.
Use this tool to decode and verify your PEM-encoded SSL certificate. A PEM certificate is a text block containing certificate details and the public key, typically enclosed between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags. Simply paste your certificate text below to view the decoded information. (Note: On Windows, you can also view certificate details by double-clicking the file.)
Convert SSL certificates between PEM, DER, P7B (PKCS#7), and PFX (PKCS#12) formats. Upload or drag‑and‑drop, auto‑detect the source type or select it manually, then choose the target format. For PFX export, provide the matching private key and optional CA chain. Conversions run client‑side; see the OpenSSL command reference below for local equivalents.
For maximum security, it’s best to perform all conversions to and from .pfx files on your own machine using OpenSSL. Because .pfx bundles include the private key, handling them locally ensures the key never leaves your system or passes through any external service. The following OpenSSL commands allow you to safely convert SSL certificates between formats directly on your device, keeping full control of your private key at all times.
openssl x509 -outform der -in certificate.pem -out certificate.deropenssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.ceropenssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crtopenssl x509 -inform der -in certificate.cer -out certificate.pemopenssl pkcs7 -print_certs -in certificate.p7b -out certificate.ceropenssl pkcs7 -print_certs -in certificate.p7b -out certificate.ceropenssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.ceropenssl pkcs12 -in certificate.pfx -out certificate.cer -nodesVerify that a private key matches a certificate's public key.
Reproduce the Key–Certificate Checker results on your machine using OpenSSL. These commands derive the public key from the private key and from the certificate, then compare fingerprints.
openssl pkey -in key.pem -pubout -outform DER | openssl sha256openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256If both fingerprints match exactly, the private key corresponds to the certificate’s public key.
openssl rsa -in key.pem -noout -modulus | openssl md5openssl x509 -in cert.pem -noout -modulus | openssl md5Working with PKCS#12 (.pfx) files:
openssl pkcs12 -in certificate.pfx -nocerts -nodes -out key.pemopenssl pkcs12 -in certificate.pfx -clcerts -nokeys -out cert.pemAfter extracting, run the SHA‑256 fingerprint commands above and compare outputs.
bash -c 'K=key.pem; C=cert.pem; KF=$(openssl pkey -in "$K" -pubout -outform DER | openssl sha256 | awk "{print \$2}"); CF=$(openssl x509 -in "$C" -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256 | awk "{print \$2}"); if [ "$KF" = "$CF" ]; then echo MATCH: $KF; else echo MISMATCH; echo Key: $KF; echo Cert: $CF; fi'$K='key.pem'; $C='cert.pem'; $KF = (openssl pkey -in $K -pubout -outform DER | openssl sha256) -replace '.*= ', ''; $CF = (openssl x509 -in $C -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256) -replace '.*= ', ''; if ($KF -eq $CF) { Write-Output ('MATCH: ' + $KF) } else { Write-Output 'MISMATCH'; Write-Output ('Key: ' + $KF); Write-Output ('Cert: ' + $CF) }