Category
Certificates & PKI
Every tool and article in this category, gathered in one place.
Tools
Certificate renewal planner
Work out a TLS certificate's validity, whether it fits the CA/Browser Forum 47-day schedule, and the renewal cadence it implies — all offline.
CSR decoder
Decode a PKCS#10 certificate signing request to read its subject, public key, requested SANs and extensions, and attributes — entirely in your browser.
X.509 Certificate Decoder
Paste a PEM, base64, or hex certificate to read its subject, issuer, validity window, public key, and v3 extensions, with SHA-256 and SHA-1 fingerprints. Runs entirely in your browser.
Articles
Anatomy of an X.509 Certificate
What lives inside a TLS certificate, how the ASN.1/DER bytes are structured, what the v3 extensions actually control, and why decoding a certificate is not the same as trusting it.
ReadPEM, DER, and the certificate file formats
Why the same certificate comes in so many file shapes, what PEM and DER actually are, and what .crt, .pem, .pfx, and .p12 really hold.
ReadCertificate signing requests and how certificates are issued
What a CSR contains, why your private key never leaves your machine, how a CA validates and issues, and how ACME automates the whole exchange.
ReadHow certificate validation actually works
The steps a client runs to decide a certificate is trustworthy: building the chain, checking signatures and dates, matching the name, and enforcing constraints.
ReadCertificate revocation: CRL, OCSP, and short-lived certificates
Why a certificate sometimes needs to be cancelled before it expires, why the classic revocation systems work poorly, and why the industry is shrinking certificate lifetimes instead.
ReadAuthority Information Access: The OCSP and CA Issuers URLs
The AIA extension carries two kinds of pointer: where to ask whether a certificate is revoked (OCSP) and where to fetch the issuer's own certificate (CA Issuers). What each is for, why they are easy to confuse, and what the inspector shows.
ReadOCSP Must-Staple: Closing the Soft-Fail Gap
Real-time OCSP checking has a fatal weakness: when the responder is unreachable, clients usually proceed anyway. OCSP stapling and the Must-Staple flag are the fix. What the TLS Feature extension declares, and the operational risk it carries.
ReadThe 47-day era: how TLS certificate lifetimes are shrinking
The CA/Browser Forum's SC-081v3 schedule takes maximum public TLS validity from 398 days down to 47 by 2029, in three steps. What the phases are, why 47, and what it does to renewal volume.
ReadCertificate validity windows: notBefore, notAfter, and renewal lead time
How a certificate's lifetime is defined by two timestamps, how that length is measured against the cap, why validity is not the same as time remaining, and how to choose a renewal lead time.
ReadDCV and SII reuse: the validation cadence behind the renewal cadence
Issuing a certificate means proving domain control and, for OV/EV, organization identity. SC-081v3 shrinks how long those proofs can be reused — DCV to 10 days by 2029 — which reshapes renewal as much as validity does.
ReadRenewing before expiry: lead time, ACME, and ARI
Why late renewal causes outages, how ACME automates issuance and renewal, how the ARI extension lets a CA steer the renewal window, and how to pick a lead time that leaves room to retry.
ReadPublic vs private PKI: which certificates SC-081v3 governs
The 47-day schedule binds publicly trusted TLS certificates only. What separates public from private PKI, why internal CAs are exempt, and how to read the planner's compliance verdict for an internal certificate.
Read