PKI

Check whether an ACME DNS-01 challenge is ready, with TXT matching, delegation-route checks, resolver comparison, and retry timing.

Check ACME HTTP-01 retry readiness by testing the host, token body, redirects, IPv6, cache, CDN or WAF, and backend sync evidence.

Check DNS, CNAME, HTTP, and HTTPS DCV proofs before a certificate retry, with CSR-hash handling, resolver evidence, and mismatch notes.

Check a hostname's CAA policy with CNAME and parent-DNS lookup evidence, wildcard rules, issuer findings, and resolver comparison notes.

Review certificate inventory CSV rows in your browser, rank expiry urgency, owner gaps, manual renewal risk, and public TLS lifetime findings.

Plan TLS certificate renewals from population, validity, lead time, spread, daily capacity, retry reserve, and safety buffer before expiry.

Decode a CSR locally, check SAN coverage and key strength, and review signature, fingerprints, expected-host matches, and readiness notes.

Generate an RSA CSR in your browser, review SANs, key usage, fingerprints, and OpenSSL config, then export PEM without sending keys.

Check a TLS certificate fingerprint against public CT data, compare hostname and issuer evidence, and keep revocation or reporting clues in view.

Validate DANE TLSA records for mail or TLS services with owner-name routing, DNSSEC AD checks, digest comparison, and readiness scoring.

Generate a DKIM DNS TXT record from a selector, domain, and public key with key-strength checks, split-string guidance, and DNS publish fields.

Convert JWK or JWKS JSON into SPKI public or PKCS#8 private PEM, with local validation, thumbprints, and clear key-family checks.

Check an email domain's MTA-STS TXT record, HTTPS policy, MX coverage, cache window, and policy-host certificate before enforce mode.

Split PEM bundles into certificates, CSRs, keys, and other BEGIN/END blocks with line spans, byte counts, and SHA-256 checks before export.

Convert RSA PEM keys between PKCS#1, PKCS#8, encrypted private, and public wrappers with local parsing, fingerprints, and export checks.

Check whether a TLS leaf certificate belongs with a candidate issuer CA, with signature proof, DN checks, CA flag status, expiry risk, and policy scoring.

Check a live host or pasted PEM chain for missing issuers, hostname mismatch, expiry risk, weak crypto, and install-ready certificate bundles.

Check a public hostname with SSL Labs evidence, spot weak TLS endpoints, chain gaps, legacy protocols, and renewal risk in a fix queue.

Check a live TLS host for certificate expiry, renewal timing, SAN coverage, issuer, serial, and fingerprints before outages reach users.

Match a TLS certificate against a CSR or RSA private key with SPKI pin comparison, chain warnings, encrypted-key handling, and exportable evidence.

Check OCSP revocation evidence for a public TLS host or pasted certificate, with responder status, freshness timestamps, warnings, and replay text.

Convert PEM, DER, P7B, and PFX certificates in your browser, inspect chain expiry and key handling, and download the right artifact.

Decode SSL certificate text or files locally, inspect SAN names, dates, fingerprints, usage fields, and chain entries before deployment checks.

Estimate TLS handshake CPU from request rate, connection reuse, full versus resumed costs, and surge peaks so edge capacity plans have room.

Trace a live TLS endpoint, inspect SNI, ALPN, cipher, certificate chain, and phase timings, and separate DNS, TCP, and TLS failures.

Validate a TLS-RPT record, review rua report destinations and related mail-policy signals, and build a DNS TXT snippet for publishing.