SSL CA Matcher

Issuer Trust Decision

Trust score {{ trustScore }}/100 · {{ validitySummary }}

Leaf {{ result.leaf.subjectCN }} Issuer {{ result.issuer.subjectCN }} {{ signatureBadgeLabel }} {{ policyBadgeLabel }} {{ validityBadgeLabel }}

Decision profile:

Choose the review mode before comparing the leaf and issuer certificates.

Leaf certificate:

Paste or drop one leaf PEM, CRT, or CER certificate block.

Drop leaf PEM, CRT, CER, or TXT onto the textarea.

Issuer certificate:

Paste or drop the candidate root or intermediate CA PEM, CRT, or CER.

Drop issuer PEM, CRT, CER, or TXT onto the textarea.

Issuer role expectation:

Use Intermediate CA for most leaf-to-issuing-CA checks; root only for direct root pairs.

Require DN alignment:

Leave on for deployment; disable only when triaging naming mismatches.

Require CA flag:

Keep on unless you are documenting why a non-CA issuer was supplied.

Enforce validity windows:

Turn off only for signature-focused diagnostics where dates are reviewed elsewhere.

Expiry guardrail:

Enter 0 or more days; Deployment gate defaults to 30.

days

Field	Value	Copy
{{ row.k }}	{{ row.v }}

Section	Note	Copy
Gate finding	{{ note }}
Recommended next move	{{ note }}

Export to PDF Fullscreen

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

TLS chain problems often start with a simple mismatch. A leaf certificate can still be inside its validity window and still fail in practice because the wrong intermediate is attached, the candidate issuer is not actually a CA certificate, or the pair does not fit the local rollout policy you care about.

This checker focuses on that narrow decision. You paste one leaf certificate and one candidate issuer certificate, choose a decision profile, and the page turns that pair into a headline verdict, a local trust score, an evidence matrix, a risk briefing, a Trust Pulse chart, and a JSON bundle you can hand to someone else.

That makes it useful when you are comparing candidate intermediates during a renewal, checking whether an outage was caused by the wrong issuer being bundled, or collecting quick evidence before a deeper PKI review. It is much less useful when the real question is broader, such as whether a browser trusts the full path, whether hostname coverage is correct, or whether the certificate has been revoked.

Keep the scope narrow as you read the result. This page compares one leaf with one candidate issuer and then scores the match against its own local rules. It does not build a full certification path to a trust anchor, consult operating-system trust stores, check revocation, or validate hostnames against subject alternative names.

One leaf and one candidate issuer go in. The page turns the pair into raw evidence, profile-specific scoring, and exportable review material.

Use the result as a fast pair-check and a documentation aid. Make the final trust call with a fuller chain-validation workflow once you know which issuer relationship looks plausible.

Technical Details

The helper accepts two PEM inputs and uses the first certificate block it finds in each field. From those two certificates it returns the parsed subject and issuer distinguished names, common names, serial numbers, validity dates, SHA-256 fingerprints, the issuer CA boolean when available, and a short warning list. The on-page evidence matrix is built directly from that returned data plus the local assessment values.

The strongest signal on this page is the issuer-fit check. The certificate API used by the helper treats that check as a way to ask whether the leaf was potentially issued by the supplied issuer by comparing certificate metadata, while public-key signature verification remains a separate operation. On this page, the Signature verified badge therefore means that the supplied issuer looks like a plausible issuer for the leaf. It does not mean that the full certification path has been built and trusted by a client.

Policy scoring is then added on top of the helper output. Strict DN mode compares the parsed issuer string from the leaf with the parsed subject string from the candidate issuer. CA enforcement looks only at the issuer certificate's CA boolean. Validity posture is calculated in the browser from the returned validity start and end dates plus your current browser clock, so skewed local time can change the day counts.

trust score = min(100, cryptographic confidence + policy compliance + validity posture)

How the SSL CA matcher builds its local trust score
Score component	How points are added here	What the component is really telling you
Cryptographic confidence	`55` points when the issuer-fit check passes, otherwise `0`.	This is the page's main yes or no signal for whether the supplied issuer looks compatible with the leaf.
Policy compliance	Strict DN mode gives `20` points only for a DN string match. Relaxed DN mode gives `18` for a match or `8` for a mismatch. CA enforcement gives `15` points only when the issuer is marked as a CA; relaxed CA mode gives `12` for a CA issuer or `7` otherwise. The issuer-role selector adds `5` for `Root CA` or `3` for `Intermediate CA` when the candidate issuer is marked as a CA.	This is a local rollout model, not an industry-standard PKI score. It tells you how closely the pair matches the page's policy switches.
Validity posture	When validity enforcement is on, the page adds `10` points each for a currently valid leaf and issuer, plus `5` points each for meeting the expiry guard. When validity enforcement is off, this component starts at `20` and only adds warnings when either certificate is already outside its validity window.	This separates issuer-fit questions from operational timing risk. A near-expiry pair may still be the right pair.

Decision profiles and verdict logic used by the SSL CA matcher
Profile	Default switches	How the verdict is assigned
Deployment gate	Strict DN on, CA enforcement on, validity enforcement on, expiry guard `30` days.	`GO` requires an issuer-fit pass, no policy failures, no validity failures, and a trust score of at least `85`. Otherwise the result becomes `REVIEW` when the score stays at least `65` and the issuer-fit check passed, or `BLOCK` when the pair is too weak for rollout.
Incident triage	Strict DN off, CA enforcement on, validity enforcement off, expiry guard preset `7` days.	An issuer-fit failure blocks immediately. Otherwise a score below `70`, or any remaining policy or validity issue, leads to `REVIEW`. The `7`-day guard matters only if you turn validity enforcement back on in the advanced panel.
Chain diagnostics	Strict DN off, CA enforcement off, validity enforcement off, expiry guard `0` days.	Only an issuer-fit failure blocks immediately. Other problems usually land on `REVIEW`, which keeps more evidence visible while you compare candidate issuers or gather ticket notes.

The score is best read as a local decision aid, not as a percentage of real-world trust. Some combinations can exceed one hundred raw points, and the page clamps the displayed total back to 100. A high score therefore means the pair matched this page's rules well, not that a standard body has assigned an official grade.

Two limits deserve special attention. First, the page posts both PEM inputs to a helper endpoint, so the certificates do not stay local to the browser. Second, the Root CA expectation changes the scoring weight only; it does not prove that the candidate issuer is self-signed, is present in a trust store, or can anchor a valid path on its own.

Everyday Use & Decision Guide

Start with the profile that matches the decision you actually need to make. Deployment gate is the best default when you are deciding whether a leaf and an intermediate belong together for production rollout. Incident triage is better when you need a quick answer during an outage and can tolerate looser date handling for the first pass. Chain diagnostics is the broadest review mode when you are still sorting through several candidate issuers.

The page is strongest when you already know which two certificates you want to compare. It is weak when the missing piece is somewhere else in the chain. If you still need to discover the correct intermediate, prove revocation state, confirm trust-anchor selection, or check whether the server is presenting the full chain in the right order, treat this page as one checkpoint rather than the whole workflow.

Paste one certificate block in each field. If you paste a bundle, only the first certificate block in that text is used.
Upload is convenient for .pem, .crt, .cer, or plain-text certificate files, but the file loader still fills only one field at a time.
Leave Issuer role expectation on Intermediate CA unless you truly expect the candidate issuer to be a root certificate.
If the result shifts mainly because of remaining-day warnings, the issuer pairing may still be correct even though the operational timing is poor.
Use the evidence matrix or JSON output when the result needs to be attached to a ticket, change record, or handoff note.

A sensible pattern is to use this page to narrow the likely issuer first, then rerun the same material in a full chain validator with the intended intermediates and trust anchors. That keeps the pair-selection job separate from the broader client-trust job.

Step-by-Step Guide

Choose a profile before you paste anything. Use Deployment gate for rollout review, Incident triage for fast incident sorting, or Chain diagnostics when you want the broadest evidence set.
Paste one leaf certificate into Leaf certificate (PEM) and one candidate issuer into Issuer certificate (PEM). If you prefer file upload, the page places the uploaded certificate into the first empty certificate field.
Open Advanced only when you need to change the issuer-role expectation, disable or enable strict DN alignment, disable or enable CA enforcement, disable or enable validity-window checks, or change the expiry guard in days.
Click Assess Chain. The summary strip shows the headline verdict, the trust score, the leaf and issuer badges when common names are available, and the signature, policy, and validity status badges.
Read Evidence Matrix first. That table gives you the pair's raw identifiers, dates, fingerprints, boolean checks, and helper warnings in a copyable format. You can copy the table as CSV, download it as CSV, or export the same evidence as DOCX.
Open Risk Briefing next. The gate findings summarize what the page saw, and the recommended next move tells you whether to proceed, stop, or escalate into manual PKI review.
Use Trust Pulse when you want a visual split between cryptographic confidence, policy compliance, and validity posture. The chart can be downloaded as PNG, WEBP, JPG, or CSV.
Open JSON when you need the full structured bundle, including the active policy switches and the local assessment object. Copy or download it if another reviewer needs the exact state that produced the result.

Interpreting Results

The headline verdict should be read together with the evidence fields, not by itself. GO means the leaf and issuer pair fit the selected local policy well enough to pass that profile. REVIEW means there is still enough evidence of a plausible match to keep looking, but some combination of policy or timing risk needs a human decision. BLOCK means the pair failed badly enough that the page sees no safe reason to continue under the current profile.

How to interpret SSL CA matcher result states
Displayed state	What it usually means	Good next move
`GO`	The supplied issuer looks plausible for the leaf and the pair cleared the active profile's score and rule checks.	Keep the evidence if needed, then move to fuller chain validation before deployment or final sign-off.
`REVIEW`	The pair may still be related, but the page found policy friction, timing risk, or a score that was too weak for an automatic pass.	Read the evidence matrix and briefing carefully, then decide whether the issue is a wrong issuer, a near-expiry certificate, or a profile that is stricter than the current task.
`BLOCK`	The issuer-fit signal failed or the result was too weak to keep moving under the active profile.	Stop using that issuer pair, confirm that the immediate issuing CA is the one you supplied, and rerun with the intended certificate pair.

The badge labels need careful reading too. Signature verified is the page's issuer-fit signal, not a browser-trust guarantee. Policy mismatch means one of the local switches rejected the pair, often because the DN strings did not line up or the issuer was not marked as a CA. Validity at risk can mean a certificate is already outside its validity window, or simply that it has fewer days remaining than the active guard allows.

The most common misread is treating a high trust score as equivalent to full client trust. The page never checks trust stores, revocation, hostname coverage, or the rest of the path. A clean result here is best understood as “this looks like the right issuer pair for the chosen local policy,” not “every TLS client will accept this chain.”

Worked Examples

Routine renewal with the expected intermediate. A team pastes a new leaf certificate and the intermediate that issued it, leaves Deployment gate in place, and sees a clean issuer-fit signal, matching DN strings, a CA-marked issuer, and comfortable remaining validity on both certificates. That is the best-case flow for this page. The result can land on GO, after which the team still needs full chain validation before rollout.

Outage triage with a near-expiry but still valid leaf. The same pair is checked during an incident with Incident triage selected. If the issuer relationship is good and both certificates are still currently valid, the default triage preset can still return GO even when only a few days remain, because validity-window enforcement is off by default in that mode. That is useful for emergency sorting, but it is a reason to switch back to Deployment gate before any lasting decision is made.

Full chain pasted into the issuer field. An operator pastes a whole bundle into the issuer box and the first certificate in that text is not the immediate issuer of the leaf. The page tests only that first block, so the issuer-fit signal fails and the verdict can drop to BLOCK. The fix is not to loosen the profile. The fix is to isolate the intended issuer certificate and rerun the pair.

FAQ:

Does a GO result mean browsers will trust the site?

No. A GO result only means the supplied leaf and issuer pair cleared this page's local checks. Browser trust still depends on the rest of the chain, the trust store, hostname validation, revocation state, and client policy.

What does Signature verified mean on this page?

It means the supplied issuer looks like a plausible issuer for the leaf under the helper's issuer-fit check. It is not the same thing as a full certification-path build and trust decision.

Why can incident triage look lenient about expiry pressure?

Because the default triage preset turns off validity-window enforcement. The page can still show date evidence and warnings, but the expiry guard does not reduce the score unless you turn validity enforcement back on.

Why did the wrong certificate seem to get tested?

The helper uses the first certificate block it finds in each input. If you paste a full bundle, only the first certificate in that text is compared.

Does the page keep my certificates inside the browser?

No. The leaf and issuer PEM values are posted to a helper endpoint for analysis. Treat the input as transmitted certificate data rather than local-only parsing.

Should I choose Root CA or Intermediate CA?

Most leaf certificates should be checked against an intermediate issuer, so that is the safer default. The root option changes the scoring weight only. It does not prove that the candidate issuer is a trusted root.

Glossary:

Leaf certificate: The end-entity certificate being tested against a candidate issuer.
Issuer certificate: The certificate that may have signed the leaf certificate.
Distinguished name (DN): The subject or issuer name string carried inside a certificate. This page compares the parsed strings directly when strict DN mode is enabled.
CA flag: The certificate-authority boolean carried by the issuer certificate. It indicates whether the certificate may be used to verify certificate signatures.
Validity window: The period from a certificate's start date to its end date. The page checks whether both certificates are currently inside that window when validity enforcement is active.
Trust anchor: A certificate or public key that a client already trusts as the starting point for path validation. This page does not select or test trust anchors.

References:

RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, RFC Editor, May 2008.
Node.js Crypto API: X509Certificate.checkIssued(), Node.js.
Node.js Crypto API: X509Certificate.ca, Node.js.
OpenSSL verify command documentation, OpenSSL Documentation.