Your all-in-one browser-based toolkit for SSL certificate management. Generate self-signed certificates, decode CSRs, and verify certificate details securely and efficiently.
Create a private key and a self-signed X.509 certificate. Ideal for development, testing, or internal use cases where a CA-signed certificate is not required.
Generate free 90-day SSL/TLS certificates directly in your browser via ZeroSSL. Private keys are generated locally and never leave your device. Certificates are fully trusted by all major browsers.
Convert certificates and keys between common formats, including PEM, DER, P7B, and PFX. A versatile tool for ensuring interoperability.
Decode any PEM-encoded SSL certificate to inspect its details, such as the subject, issuer, signature algorithm, and expiration date.
Paste your Certificate Signing Request (CSR) to instantly decode and verify its contents, including the common name, organization, and public key.
Generate a Certificate Signing Request (CSR) and a new private key to send to a Certificate Authority for signing.
Command reference for converting between Java KeyStore (JKS) and PKCS#12 (.p12/.pfx). Includes a client‑side PKCS#12 validator and a JKS → PKCS#12 converter. The converter attempts to decrypt the private key from the JKS with your password; if it cannot be decrypted, upload the matching private key PEM to export PKCS#12.
keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS
keytool -list -v -keystore keystore.jks
Use this generator to create a new RSA private key and self-signed X.509 certificate entirely in your browser. Configure subject fields (CN, O, OU, L, ST, C), choose key size (2048/4096), set validity, and select the signing algorithm. Outputs are PEM‑encoded files, including an optional CSR, and no data leaves your device.
Create a Certificate Signing Request (CSR) from an existing private key or generate a new RSA key on the fly. Set subject attributes and add Subject Alternative Names (SANs). The result is a PEM CSR beginning with -----BEGIN CERTIFICATE REQUEST-----. For security, keep private keys local.
Generate a new RSA private and public key pair.
Upload leaf and intermediate certificates to auto-order, validate, and export a bundle.
Build commands for extracting public keys, verifying chains, and checking OCSP locally. When you upload a certificate, the OCSP URL is auto‑populated from its AIA extension when available; you can edit or override the URL manually.
Use this CSR Decoder to decode your Certificate Signing Request and verify that it contains the correct information. A Certificate Signing Request is a block of encoded text that contains information about the company that an SSL certificate will be issued to, along with the SSL public key. Once a CSR is created, it is difficult to verify what information it contains because it is encoded. Since certificate authorities use the information in CSRs to create the certificate, you need to decode CSRs to make sure the information is accurate. To check a CSR and view the information encoded in it, paste it into the box below or drag and drop the CSR file into the text box, and our CSR Decoder will do the rest. If you are pasting, your CSR should start with "-----BEGIN CERTIFICATE REQUEST-----" and end with "-----END CERTIFICATE REQUEST-----".
If you want to decode CSRs on your own computer, run this OpenSSL command:
openssl req -in request.csr -text -noout
Use this Certificate Decoder to decode your PEM-encoded SSL certificate and verify that it contains the correct information. A PEM-encoded certificate is a block of encoded text that contains all of the certificate information and the public key. Another simple way to view the information in a certificate on a Windows machine is to double-click the certificate file. To use this certificate viewer, paste the text of your certificate into the box below or drag and drop the file into the text box, and the Certificate Decoder will do the rest. If you are pasting your certificate, it should start with "-----BEGIN CERTIFICATE-----" and end with "-----END CERTIFICATE-----".
If you want to decode certificates on your own computer, run this OpenSSL command:
openssl x509 -in certificate.crt -text -noout
Convert SSL certificates between PEM, DER, P7B (PKCS#7), and PFX (PKCS#12) formats. Upload or drag‑and‑drop, auto‑detect the source type or select it manually, then choose the target format. For PFX export, provide the matching private key and optional CA chain. Conversions run client‑side; see the OpenSSL command reference below for local equivalents.
For maximum security, it’s best to perform all conversions to and from .pfx files on your own machine using OpenSSL. Because .pfx bundles include the private key, handling them locally ensures the key never leaves your system or passes through any external service. The following OpenSSL commands allow you to safely convert SSL certificates between formats directly on your device, keeping full control of your private key at all times.
openssl x509 -outform der -in certificate.pem -out certificate.der
openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
openssl x509 -inform der -in certificate.cer -out certificate.pem
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
Verify that a private key matches a certificate's public key.
Reproduce the Key–Certificate Checker results on your machine using OpenSSL. These commands derive the public key from the private key and from the certificate, then compare fingerprints.
openssl pkey -in key.pem -pubout -outform DER | openssl sha256
openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256
If both fingerprints match exactly, the private key corresponds to the certificate’s public key.
openssl rsa -in key.pem -noout -modulus | openssl md5
openssl x509 -in cert.pem -noout -modulus | openssl md5
Working with PKCS#12 (.pfx) files:
openssl pkcs12 -in certificate.pfx -nocerts -nodes -out key.pem
openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out cert.pem
After extracting, run the SHA‑256 fingerprint commands above and compare outputs.
bash -c 'set -o pipefail; K=key.pem; C=cert.pem; KF=$(openssl pkey -in "$K" -pubout -outform DER | openssl sha256 | awk "{print \$2}") || { echo "ERROR: cannot read key $K"; exit 2; }; CF=$(openssl x509 -in "$C" -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256 | awk "{print \$2}") || { echo "ERROR: cannot read certificate $C"; exit 2; }; if [ "$KF" = "$CF" ]; then echo "MATCH: $KF"; else echo MISMATCH; echo "Key: $KF"; echo "Cert: $CF"; fi'
$K='key.pem'; $C='cert.pem'; $KF = (openssl pkey -in $K -pubout -outform DER | openssl sha256) -replace '.*= ', ''; $CF = (openssl x509 -in $C -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256) -replace '.*= ', ''; if ($KF -eq $CF) { Write-Output ('MATCH: ' + $KF) } else { Write-Output 'MISMATCH'; Write-Output ('Key: ' + $KF); Write-Output ('Cert: ' + $CF) }
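The same fingerprint comparison can be run against a .pfx without writing the decrypted key to disk. This is an added example, not part of the original page: the function names, file names and the PFX_PASS environment variable are assumptions, and the sample key, certificates and PFX are constructed at run time. It goes slightly beyond the page by also accepting a separate certificate file (for example a renewed certificate) to compare against the key in the PFX.

```shell
# Added example, not from the original page. Function names, file names and
# the PFX_PASS variable are assumptions made for this illustration.

# SHA-256 of the DER SubjectPublicKeyInfo for a PEM public key on stdin.
spki_sha256() {
    openssl pkey -pubin -outform DER | openssl sha256 | awk '{print $NF}'
}

# pfx_key_matches_cert PFX [CERT]
# Returns 0 if the private key in PFX matches the certificate (the one inside
# PFX, or CERT when given), 1 on mismatch, 2 if either side cannot be read.
# The passphrase comes from $PFX_PASS, and the decrypted key only travels
# through pipes, never to a file.
pfx_key_matches_cert() {
    key_pub=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin env:PFX_PASS 2>/dev/null |
        openssl pkey -pubout 2>/dev/null)
    if [ -n "${2:-}" ]; then
        cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    else
        cert_pub=$(openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:PFX_PASS 2>/dev/null |
            openssl x509 -pubkey -noout 2>/dev/null)
    fi
    # A missing file or wrong passphrase yields empty output; without this
    # guard both sides would hash empty input and compare as equal.
    [ -n "$key_pub" ] && [ -n "$cert_pub" ] || return 2
    [ "$(printf '%s\n' "$key_pub" | spki_sha256)" = \
      "$(printf '%s\n' "$cert_pub" | spki_sha256)" ]
}

# Constructed sample material: a throwaway key, self-signed certificate and
# PFX in DIR, plus an unrelated certificate for the mismatch case.
make_demo_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.example" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=other.example" \
        -keyout "$1/other-key.pem" -out "$1/other-cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -out "$1/demo.pfx" -passout env:PFX_PASS
}

demo() {
    PFX_PASS='constructed-demo-passphrase'; export PFX_PASS
    d=$(mktemp -d) || return 2
    make_demo_material "$d"
    pfx_key_matches_cert "$d/demo.pfx" && echo "PFX key matches its certificate"
    pfx_key_matches_cert "$d/demo.pfx" "$d/other-cert.pem" || echo "unrelated certificate: status $?"
    rm -rf "$d"
}
demo
```

Export PFX_PASS in the calling shell before invoking the function on a real file, and unset it afterwards.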
Answers to common SSL topics including formats, conversions, CSRs, and verification. Commands are provided where applicable.
-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. PEM can contain certificates, private keys, or bundles, and is the most common format for web servers.
openssl x509 -outform der -in certificate.pem -out certificate.der
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes