SSL CA Matcher

Issuer Trust Decision

Trust score {{ trustScore }}/100 · {{ validitySummary }}

Leaf {{ result.leaf.subjectCN }} Issuer {{ result.issuer.subjectCN }} {{ signatureBadgeLabel }} {{ policyBadgeLabel }} {{ validityBadgeLabel }}

Decision profile:

Choose the review mode before comparing the leaf and issuer certificates.

Leaf certificate:

Paste or drop one leaf PEM, CRT, or CER certificate block.

Drop leaf PEM, CRT, CER, or TXT onto the textarea.

Issuer certificate:

Paste or drop the candidate root or intermediate CA PEM, CRT, or CER.

Drop issuer PEM, CRT, CER, or TXT onto the textarea.

Issuer role expectation:

Use Intermediate CA for most leaf-to-issuing-CA checks; root only for direct root pairs.

Require DN alignment:

Leave on for deployment; disable only when triaging naming mismatches.

Require CA flag:

Keep on unless you are documenting why a non-CA issuer was supplied.

Enforce validity windows:

Turn off only for signature-focused diagnostics where dates are reviewed elsewhere.

Expiry guardrail:

Enter 0 or more days; Deployment gate defaults to 30.

days

Field	Value	Copy
{{ row.k }}	{{ row.v }}

Section	Note	Copy
Gate finding	{{ note }}
Recommended next move	{{ note }}

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

Certificate authority trouble often looks like a vague trust-store problem until the actual issuer relationship is checked. A server can present a certificate with the expected hostname, current dates, and a familiar organization name while still missing the intermediate certificate that signed it. The opposite can happen too: a pasted issuer file may come from the right CA family but not from the exact key that signed the leaf certificate.

A leaf certificate is the end-entity certificate for a site, service, device, or client identity. An issuer certificate is the certificate whose public key should verify the leaf certificate signature. In most public and private TLS deployments that issuer is an intermediate CA, not the root. Root certificates are trusted because a client or organization has already accepted them as trust anchors, while intermediates do the day-to-day signing underneath those roots.

Name matching and signature matching are different checks. The leaf issuer distinguished name can line up with the issuer certificate subject distinguished name, yet the signature can still fail if the wrong cross-sign, old intermediate, or unrelated CA key was supplied. Basic Constraints add another safeguard by marking whether the candidate issuer is allowed to act as a CA. Dates matter separately because a correct issuer relationship is not deployment-ready when either certificate is not yet valid, expired, or too close to expiry for the rollout window.

Issuer matching concepts for TLS certificates
Concept	What it checks	Common mistake
Signature relationship	The leaf signature verifies with the candidate issuer public key.	Assuming a similar CA name is enough.
DN alignment	The leaf issuer name matches the issuer certificate subject name.	Ignoring a renamed or cross-signed intermediate.
CA capability	The issuer certificate is marked as a CA in Basic Constraints.	Treating an end-entity certificate as an issuer.
Validity window	Both certificates are usable now and have enough remaining lifetime.	Checking only the leaf expiry date.

Leaf certificate issuer name and candidate issuer CA subject name with a signature check and rollout confidence decision

Pairwise issuer checks are useful during renewals, certificate-chain incidents, private PKI migrations, load balancer cutovers, and support-ticket triage. They reduce a noisy TLS failure to one concrete question before a full path validator considers alternate chains, trust stores, certificate purpose, subject alternative names, revocation, and application policy.

A passing issuer pair is still only part of TLS trust. It says the supplied leaf and candidate issuer look related under the selected policy. It does not prove that every client will build the same chain, that the hostname is covered, or that the certificate should be accepted after revocation or local security rules are applied.

How to Use This Tool:

Pick the review profile first, then compare one leaf certificate against one candidate issuer certificate.

Select Deployment gate for the strict rollout default, Incident triage for a live debugging pass, or Chain diagnostics when you need relaxed evidence gathering.
Paste or upload the end-entity certificate in Leaf certificate. PEM, CRT, CER, and TXT-style text files are accepted; if the text contains a chain, the first certificate block is assessed.
Paste or upload the candidate CA in Issuer certificate. For ordinary server certificates, use the immediate intermediate CA named by the leaf issuer field rather than a root from the same brand.
Open Advanced only when the policy needs adjustment. Issuer role expectation, Require DN alignment, Require CA flag, Enforce validity windows, and Expiry guardrail change the local verdict and score.
Choose Assess Chain. If an input error appears, check that both fields contain complete BEGIN CERTIFICATE and END CERTIFICATE blocks and not a private key, CSR, command output, or partial file.
Read Evidence Matrix first. It reports the verdict, trust score, active profile, signature result, issuer DN alignment, CA flag, validity dates, remaining days, fingerprints, and warning text.
Use Risk Briefing for the recommended next action, Trust Pulse for the score split across cryptographic confidence, policy compliance, and validity posture, and JSON for a structured record of the assessment settings and evidence.

Interpreting Results:

GO: Issuer Trusted means the supplied pair passed the active local policy. REVIEW: Needs Analyst Sign-off means the cryptographic relationship may be usable but a policy, role, score, or date concern needs review. BLOCK: Trust Conditions Failed means the signature failed or the remaining evidence is too weak for the selected profile.

The signature result carries the most weight because it tests the candidate issuer public key against the leaf signature. DN alignment, CA capability, and validity are supporting checks that prevent a good-looking name or current date from being overread. A high score should lead to full chain validation, not replace it.

SSL CA matcher result cues and follow-up checks
Cue	Meaning	Follow-up
Signature verified	The leaf signature validates with the supplied issuer public key.	Confirm the same issuer appears in the deployed certificate chain.
Issuer DN mismatch	The leaf issuer distinguished name does not line up with the issuer subject distinguished name.	Look for the immediate intermediate, especially around cross-signs and renewals.
Issuer has no CA flag	The candidate issuer is not confirmed as CA-capable.	Do not treat the pair as deployment-ready until the proper CA certificate is found.
Validity at risk	One certificate is outside its current date window or below the remaining-day guardrail.	Compare the remaining days with the rollout, renewal, or incident window.

Technical Details:

X.509 issuer evidence combines a cryptographic signature test with profile and date checks. The cryptographic test answers whether the leaf certificate was signed by the candidate issuer key. The profile checks compare issuer and subject distinguished names, check the candidate issuer's CA status, and evaluate certificate validity windows against the current clock.

Basic Constraints is important because a certificate used for CA work must be marked as CA-capable. Full certification path validation can also consider key usage, extended key usage, name constraints, policy constraints, trust-anchor selection, revocation data, and alternate issuers. Pairwise evidence is narrower: it tests one leaf against one supplied candidate issuer.

Formula Core:

The trust score is the rounded sum of signature, policy, and validity points, clamped to the 0 to 100 range.

S = clamp (round (S_{signature} + S_{policy} + S_{validity}), 0, 100)

S is the displayed trust score. The expiry guardrail is bounded from 0 to 3650 days before it contributes to the validity group.

Trust score components for SSL CA matching
Component	Scoring rule	Boundary
Signature	45 points when the leaf signature verifies with the supplied issuer public key, otherwise 0.	A failed signature is a hard failure.
DN alignment	15 points when strict DN alignment is required and names match. With strict alignment off, a match gives 12 points and a mismatch gives 4 points.	Strict mode records a policy failure on mismatch.
CA capability and role	15 points when CA enforcement is required and the issuer is marked as a CA. With enforcement off, a CA issuer gives 12 points and a non-CA or unknown issuer gives 4 points. Root expectation can add 5 points; intermediate expectation can add 3 points.	The role expectation affects local readiness scoring, not client trust-store acceptance.
Validity	With validity enforcement on, current leaf and issuer windows give 6 points each, and each certificate meeting the remaining-day guardrail gives 4 more points. With enforcement off, the validity group contributes 20 points.	Expired or not-yet-valid certificates still produce warnings when enforcement is relaxed.

Rule Core:

The verdict combines the score with hard, policy, and validity failures. The same certificate evidence can move between GO, REVIEW, and BLOCK when the profile changes.

SSL CA matcher verdict rules by profile
Profile	GO condition	Review or block condition
Deployment gate	No hard, policy, or validity failure and score at least 85.	Review when the score is at least 65 and the signature passed; otherwise block.
Incident triage	Signature passes, score is at least 70, and no policy or validity failure remains.	Signature failure blocks. Lower score, policy failure, or validity failure becomes review.
Chain diagnostics	Signature passes, score is at least 60, and no policy or validity failure remains.	Signature failure blocks. Policy, validity, or lower-score concerns become review.

The parsed evidence includes subject and issuer names, common names when present, serial numbers, validity dates, signature algorithm, SHA-256 fingerprints, and CA status. Only the first certificate block in each field is assessed, so pasted chains must put the intended leaf and issuer certificates first.

A complete TLS acceptance test still needs a path validator or live client check with the intended chain order, trust store, hostname, revocation policy, and certificate purpose. Use pairwise issuer evidence to decide which candidate issuer deserves that deeper validation.

Privacy and Scope Notes:

The certificate text is submitted to a remote validation service for parsing and signature verification. Public certificates do not contain private keys, but they may expose internal hostnames, organization names, serial numbers, issuer relationships, and renewal timing. Never paste private keys or CSRs into these certificate fields, and avoid submitting certificate material your organization treats as sensitive unless that data path is acceptable.

Worked Examples:

Renewed leaf with the right intermediate. A renewed certificate for api.example.test is compared with the intermediate named in its issuer field. Evidence Matrix reports Signature Valid as Yes, Issuer DN Matches Leaf Issuer as Yes, Issuer Has CA Flag as Yes, and both certificates clear the 30-day Expiry guardrail. Under Deployment gate, that is a strong candidate for full chain validation.

Root pasted during an incident. A support engineer supplies a root certificate from the same CA family instead of the immediate intermediate. The names look plausible, but Signature Valid and Issuer DN Matches Leaf Issuer fail, pushing the verdict to BLOCK: Trust Conditions Failed. The useful fix is to find the signing intermediate and rerun the pair.

Short lifetime before a rollout. Signature, DN, and CA checks pass, but Leaf Days Remaining is 5 while the deployment guardrail is 30. The issuer relationship may be correct, yet the result needs review because the rollout window is longer than the remaining certificate lifetime.

Diagnostic exception with relaxed policy. A legacy pair verifies cryptographically but fails strict DN alignment. In Chain diagnostics, the result can stay in REVIEW: Needs Analyst Sign-off so the evidence can be attached to a ticket without implying deployment readiness.

FAQ:

Does GO mean every client will trust the certificate?

No. GO: Issuer Trusted means the supplied leaf and issuer passed the selected local profile. Client trust still depends on the full chain, trust anchor, hostname, revocation policy, and client-specific rules.

Should I paste the root CA or the intermediate CA?

Use the immediate issuer when possible. A root from the same organization may be a trust anchor, but it often will not verify the leaf signature when an intermediate CA signed the leaf.

Why did switching profiles change the verdict?

The profiles change policy switches, guardrail days, and score thresholds. The certificate evidence can stay the same while Deployment gate, Incident triage, and Chain diagnostics apply different acceptance rules.

What usually causes an invalid PEM error?

The field may be missing a certificate boundary, contain a private key or CSR, or include copied terminal text around the PEM block. Paste one complete certificate block into each field and run Assess Chain again.

Can I paste a full certificate chain?

You can paste text with multiple certificates, but only the first certificate block in each field is assessed. Put the leaf first in Leaf certificate and the candidate issuer first in Issuer certificate.

Glossary:

Leaf certificate: The end-entity certificate used by a site, service, device, or identity.
Issuer certificate: The candidate certificate whose public key should verify the leaf certificate signature.
Intermediate CA: A certificate authority below a root and above the leaf in a certificate chain.
Distinguished name: The structured X.509 name used in certificate issuer and subject fields.
Basic Constraints: The X.509 extension that indicates whether a certificate may act as a CA.
Trust anchor: A root or configured certificate that a client or policy already accepts as trusted.

References:

RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List Profile, RFC Editor, May 2008.
RFC 4158: Internet X.509 Public Key Infrastructure: Certification Path Building, RFC Editor, September 2005.
openssl-verification-options, OpenSSL Documentation.
How to verify a certificate chain using OpenSSL, Simplified Guide.