Ignisfox
Tool

Certificate chain validator

Paste a PEM bundle. We walk each link — leaf → intermediate → root — verify signatures, check validity windows, and flag weak algorithms. Great for sanity-checking a bundle before you deploy it.

One or more -----BEGIN CERTIFICATE----- blocks concatenated in chain order. Usually leaf first, root last. Key material is never required — paste-and-forget.

What gets checked

  • Every cert parses as valid X.509 PEM
  • Signatures verify between adjacent certs (leaf signed by intermediate, intermediate signed by root)
  • Expiry / not-yet-valid windows
  • Weak signature algorithms (MD5, SHA-1) and weak keys (RSA < 2048-bit)
  • Self-signed root detection (complete chain)

Not checked (yet)

  • Trust against OS / browser root store — we tell you the chain is internally consistent, not that a browser will trust it
  • OCSP / CRL revocation status
  • Certificate Transparency embedded SCTs
  • CAB/Forum profile compliance