Paste one or more certificates to order them leaf → intermediate → root, verify each link and flag gaps and expiry — everything runs locally, certificates never leave your browser
Paste one or more PEM certificates (-----BEGIN CERTIFICATE-----), in any order — the whole chain is fine. They are ordered and verified automatically.
The most common SSL/TLS misconfiguration is an incomplete or out-of-order certificate chain: a browser may trust it, but some clients, mobile apps and older systems fail because an intermediate certificate is missing. This tool takes the certificates you paste (in any order) and orders them leaf → intermediate → root entirely in your browser, verifies that each certificate is signed by the next, and clearly flags missing intermediates, broken links, self-signed roots and certificates that are expiring or already expired.
Everything runs client-side with node-forge — pasted certificates are only parsed in your browser, never uploaded, which you can confirm in your browser's Network panel. Once analyzed, you can copy or download the reordered full-chain PEM and drop it straight into your Nginx, Apache or load balancer configuration.
TLS expects the server to present certificates in leaf → intermediate → root order and to include the intermediate(s). If the order is wrong or an intermediate is missing, some clients cannot build a path to a trusted root and the handshake fails. This tool reorders the chain and points out any gaps.
If a certificate shows "Issuer not found", its issuer (usually an intermediate CA) is not among the certificates you pasted. Download the matching intermediate from your certificate authority and paste it too — once the chain is complete the status becomes "complete and valid".
No. All parsing and signature verification run with node-forge inside your browser. Certificates never leave your device and no network requests are made.
This tool verifies signatures with node-forge, which is most reliable for RSA chains; some algorithms such as EC may not verify and get flagged even though the certificate is valid. In that case, use the Certificate Decoder to cross-check each subject, issuer and validity period.