Certificate Reader
Read and analyze SSL/TLS certificate files stored on your computer. Inspect certificate details, verify validity, and understand certificate properties.
What is Certificate Reader?
The Certificate Reader lets you:
✅ Read Certificate Files - Open and parse certificate files locally
✅ Drag & Drop - Simply drag certificate files into the tool
✅ Multiple Formats - Supports PEM, DER, PKCS#7, PKCS#12
✅ View Details - See all certificate information
✅ Check Validity - Verify expiration and status
✅ Analyze Properties - Understand subject, issuer, extensions
Accessing Certificate Reader
From Keychain Tab
1. Open Keychain tab
2. Click dropdown arrow next to "Generate" button
3. Select "Certificate Reader"
Interface Overview
┌────────────────────────────────────────────────────┐
│ Certificate Reader [×] │
├────────────────────────────────────────────────────┤
│ │
│ 📄 Drop certificate file here │
│ │
│ or │
│ │
│ [Browse for Certificate File] │
│ │
│ Supported formats: │
│ • PEM (.pem, .crt, .cer, .key) │
│ • DER (.der, .cer) │
│ • PKCS#7 (.p7b, .p7c) │
│ • PKCS#12 (.pfx, .p12) │
│ │
│ Recent Files: │
│ • server.crt (5 min ago) │
│ • certificate.pem (1 hour ago) │
└────────────────────────────────────────────────────┘
How to Use
Method 1: Drag & Drop
Easiest way:
1. Find certificate file in file manager
2. Drag file into Certificate Reader window
3. Drop anywhere in the window
4. Certificate details display automatically
Supported drag sources:
- Windows Explorer
- macOS Finder
- Linux file managers
- Desktop
Method 2: Browse for File
Select file manually:
1. Click "Browse for Certificate File"
2. Navigate to certificate location
3. Select certificate file
4. Click "Open"
5. Certificate details display
Common file locations:
- ~/Downloads/
- ~/.ssh/
- /etc/ssl/certs/
- C:\Users\YourName\Documents\
Method 3: Recent Files
Quick access:
Certificate Reader remembers:
- Last 10 opened files
- File name and path
- When it was opened
Click any recent file to reopen
Supported Certificate Formats
PEM Format
Most common format:
File Extensions: .pem, .crt, .cer, .key
Encoding: Base64
Container: Text file (ASCII)
Example:
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAJC1HiIVF6yqMA0GCSqGSIb3DQEBCwUAMEUx
CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQK
...
-----END CERTIFICATE-----
Characteristics:
- Human-readable (Base64)
- Can contain multiple certificates
- Most widely supported
- Used by Apache, Nginx, Let's Encrypt
DER Format
Binary format:
File Extensions: .der, .cer
Encoding: Binary (raw ASN.1)
Container: Binary file
Note: Not human-readable
Characteristics:
- Compact (smaller file size)
- Binary format
- Single certificate only
- Used by Java, Windows
PKCS#7 Format
Certificate bundle:
File Extensions: .p7b, .p7c
Encoding: Base64 or Binary
Container: Can contain multiple certificates
Example:
-----BEGIN PKCS7-----
MIIGhgYJKoZIhvcNAQcCoIIGdzCCBnMCAQExADALBgkqhkiG9w0BBwGg
...
-----END PKCS7-----
Characteristics:
- Can contain certificate chain
- No private key
- Used for certificate distribution
- Common in Windows
PKCS#12 Format
Complete package:
File Extensions: .pfx, .p12
Encoding: Binary
Container: Encrypted archive
Password: Usually required
Contains:
✓ Certificate
✓ Private key
✓ Certificate chain (optional)
Characteristics:
- Password protected
- Contains private key
- Complete backup
- Used for import/export
Certificate Information
General Information
┌────────────────────────────────────────────────────┐
│ General Information │
├────────────────────────────────────────────────────┤
│ File: server.crt │
│ Type: X.509 Certificate │
│ Format: PEM │
│ Size: 1,234 bytes │
│ │
│ Version: 3 (0x2) │
│ Serial Number: 04:E5:1D:3A:F8:2B:C9:7E │
│ Signature Algorithm: SHA256withRSA │
│ │
│ Status: ✓ Valid (61 days remaining) │
└────────────────────────────────────────────────────┘
Subject (Certificate Owner)
┌────────────────────────────────────────────────────┐
│ Subject - Who owns this certificate │
├────────────────────────────────────────────────────┤
│ Common Name (CN): example.com │
│ Organization (O): Example Corporation │
│ Organizational Unit (OU): IT Department │
│ Locality (L): San Francisco │
│ State/Province (ST): California │
│ Country (C): US │
│ Email: admin@example.com │
└────────────────────────────────────────────────────┘
Field explanations:
- CN - Domain name or entity name (required)
- O - Company/organization name
- OU - Department/division
- L - City
- ST - State or province
- C - Two-letter country code (ISO 3166)
- Email - Contact email (optional)
Issuer (Certificate Signer)
┌────────────────────────────────────────────────────┐
│ Issuer - Who signed this certificate │
├────────────────────────────────────────────────────┤
│ Common Name (CN): Let's Encrypt Authority X3 │
│ Organization (O): Let's Encrypt │
│ Country (C): US │
└────────────────────────────────────────────────────┘
Issuer types:
- Commercial CA - DigiCert, GlobalSign, etc.
- Free CA - Let's Encrypt, ZeroSSL
- Internal CA - Company-issued
- Self-signed - Issuer = Subject
Validity Period
┌────────────────────────────────────────────────────┐
│ Validity │
├────────────────────────────────────────────────────┤
│ Not Before: Oct 1, 2024 00:00:00 GMT │
│ Not After: Dec 31, 2024 23:59:59 GMT │
│ │
│ Valid For: 91 days total │
│ Remaining: 61 days ✓ │
│ │
│ Status: ✓ Valid │
└────────────────────────────────────────────────────┘
Status indicators:
- ✓ Valid - Current date within valid period
- ⚠ Expires Soon - Less than 30 days remaining
- ✗ Expired - Current date after "Not After"
- ⚠ Not Yet Valid - Current date before "Not Before"
Public Key Information
┌────────────────────────────────────────────────────┐
│ Public Key │
├────────────────────────────────────────────────────┤
│ Algorithm: RSA │
│ Key Size: 2048 bits │
│ Exponent: 65537 (0x10001) │
│ Modulus: 00:C2:D3:E4:... (256 bytes) │
│ │
│ Fingerprint (SHA-256): │
│ AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89 │
│ AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89 │
└────────────────────────────────────────────────────┘
Key types:
- RSA - Traditional (2048, 3072, 4096 bits)
- ECDSA - Elliptic Curve (256, 384, 521 bits)
- Ed25519 - Modern (256 bits)
Key strength:
- RSA 1024: ✗ Weak (deprecated)
- RSA 2048: ✓ Standard
- RSA 4096: ✓ High security
- ECDSA 256: ✓ Equivalent to RSA 3072
- Ed25519: ✓ Modern, secure
Signature Algorithm
Signature Algorithm: SHA256withRSA
Common algorithms:
- SHA256withRSA - Current standard ✓
- SHA384withRSA - Higher security ✓
- SHA512withRSA - Highest security ✓
- SHA1withRSA - Deprecated ⚠
- MD5withRSA - Obsolete ✗
Extensions
┌────────────────────────────────────────────────────┐
│ X.509 v3 Extensions │
├────────────────────────────────────────────────────┤
│ ✓ Subject Alternative Names (SAN) │
│ DNS: example.com │
│ DNS: www.example.com │
│ DNS: api.example.com │
│ │
│ ✓ Key Usage: Critical │
│ - Digital Signature │
│ - Key Encipherment │
│ │
│ ✓ Extended Key Usage │
│ - TLS Web Server Authentication │
│ - TLS Web Client Authentication │
│ │
│ ✓ Basic Constraints: Critical │
│ CA: FALSE │
│ │
│ ✓ Subject Key Identifier │
│ 9A:4E:5D:31:... │
│ │
│ ✓ Authority Key Identifier │
│ keyid: A8:4A:6A:63:... │
└────────────────────────────────────────────────────┘
Certificate States
Valid Certificate
✓ Certificate Valid
Status: Active
Expires: Dec 31, 2024 (61 days)
Issuer: Trusted CA
Chain: Complete
Indicators:
- Green checkmark
- Valid dates
- Trusted issuer
- No warnings
Expiring Soon
⚠ Certificate Expiring Soon
Status: Valid but expires soon
Expires: Nov 10, 2024 (14 days)
Action: Plan renewal
Thresholds:
- 30+ days: No warning
- 15-30 days: Yellow warning
- < 15 days: Orange alert
- Expired: Red error
Expired Certificate
✗ Certificate Expired
Status: Expired 15 days ago
Expired: Oct 1, 2024
Action: Replace immediately
Impact:
- Cannot be used for SSL/TLS
- Browsers will reject
- Servers will refuse
- Must be replaced
Self-Signed Certificate
⚠ Self-Signed Certificate
Issuer: Same as Subject
Trust: Not trusted by browsers
Use: Development/testing only
Characteristics:
- Signed by itself
- No CA validation
- Free to create
- Not for production
Use cases:
- ✓ Development environments
- ✓ Testing
- ✓ Internal networks (with import)
- ✗ Public websites
Common Use Cases
1. Verify Certificate Before Installation
Pre-installation check:
Before installing on server:
1. Load certificate in Reader
2. Verify:
✓ Correct domain name
✓ Valid dates (not expired)
✓ Trusted issuer
✓ Contains all SANs
3. Check expiration date
4. Note any warnings
5. Proceed with installation
2. Inspect Certificate After Purchase
Verify from CA:
After receiving from CA:
1. Open certificate file
2. Check subject matches CSR
3. Verify all domains in SAN
4. Check validity period
5. Confirm issuer is correct
6. Save for installation
3. Troubleshoot SSL Issues
Debug certificate problems:
When SSL is not working:
1. Export certificate from server
2. Open in Certificate Reader
3. Check for issues:
- Expired?
- Wrong domain?
- Missing SANs?
- Self-signed?
- Weak algorithm?
4. Fix identified issues
4. Compare Certificates
Before/after comparison:
When updating certificate:
1. Open old certificate
2. Note details (domain, expiry)
3. Open new certificate
4. Compare:
- Same domains?
- Later expiry?
- Same/better algorithm?
5. Proceed with replacement
5. Audit Certificate Collection
Inventory management:
For compliance/security:
1. Open each certificate file
2. Document:
- Domain(s)
- Expiration date
- Issuer
- Key type/size
- Location/usage
3. Identify renewals needed
4. Plan upgrades (weak algorithms)
Export & Copy Functions
Copy Certificate Details
[Copy] buttons for each field:
Copy:
- Full certificate details
- Subject DN
- Issuer DN
- Serial number
- Fingerprint
- Public key
- PEM format
Use for:
- Documentation
- Support tickets
- Security reports
- Team communication
Export to File
[Export]
Formats:
- Text (.txt) - Human-readable
- JSON (.json) - Structured data
- PEM (.pem) - Certificate format
Understanding Certificate Chains
Complete Chain
┌────────────────────────────────────────┐
│ Certificate Chain │
├────────────────────────────────────────┤
│ ├─ example.com (End Entity) │
│ │ ├─ Issued by: Intermediate CA │
│ │ └─ Valid until: Dec 31, 2024 │
│ │ │
│ └─ Intermediate CA │
│ ├─ Issued by: Root CA │
│ └─ Valid until: Jan 15, 2028 │
│ │
│ └─ Root CA (Trusted) │
│ ├─ Self-signed │
│ └─ In browser trust store │
└────────────────────────────────────────┘
Status: ✓ Complete and valid
Incomplete Chain
┌────────────────────────────────────────┐
│ Certificate Chain │
├────────────────────────────────────────┤
│ ├─ example.com (End Entity) │
│ │ └─ Issued by: Intermediate CA │
│ │ │
│ ✗ Missing: Intermediate CA certificate │
│ │
│ └─ Root CA (Cannot verify) │
└────────────────────────────────────────┘
Status: ✗ Incomplete - won't work
Solution: Install complete chain on server
Best Practices
1. Verify Before Use
Always check certificate:
□ Correct domain name
□ Valid dates
□ Trusted issuer
□ Complete chain (if bundle)
□ Strong algorithm (SHA-256+)
□ Adequate key size (RSA 2048+)
2. Keep Certificates Organized
File naming:
✓ example.com_2024.crt
✓ wildcard_example_com.pem
✓ server01_prod_cert.crt
Bad naming:
✗ cert.crt
✗ certificate.pem
✗ file1.cer
3. Document Certificate Details
For each certificate file:
- Domain(s) covered
- Purchase/issue date
- Expiration date
- File location
- Server location
- Renewal process
- Responsible person
4. Back Up Certificates
What to back up:
✓ Certificate (.crt, .pem)
✓ Private key (encrypted!)
✓ Intermediate certificates
✓ Root certificate
✓ Documentation
Where:
✓ Encrypted cloud storage
✓ Password manager
✓ Secure offline storage
5. Regular Audits
Monthly review:
□ Check all certificates
□ Note expiration dates
□ Update inventory
□ Plan renewals
□ Remove old/unused certs
Troubleshooting
Cannot Read File
Error: "Unable to parse certificate"
Causes:
- Wrong file format
- Corrupted file
- Not a certificate file
- Encrypted (PKCS#12 without password)
Solutions:
1. Verify the file is a certificate
2. Check the file extension
3. Try a different format
4. Check the file size (not empty)
5. Verify the file is not corrupted
6. For .pfx/.p12: Enter password
Wrong Information Displayed
Issue: Certificate shows unexpected data
Causes:
- Wrong file selected
- File contains multiple certificates
- Reading wrong certificate from bundle
Solutions:
1. Verify correct file
2. Check file contains expected cert
3. For bundles: Check each certificate
4. Compare with known-good cert
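The format checks behind "Cannot Read File" and "Wrong Information Displayed" can be made on the raw bytes, independent of the file extension. The sketch below is an added example, not Certificate Reader's own code: it separates PEM from DER, guesses certificate vs PKCS#7 vs PKCS#12 from the first ASN.1 element, and lists every object in a PEM bundle. The function names, the PFX header and the bundle are constructed for illustration; the two Base64 lines are the first lines of the samples shown earlier on this page.

```python
import base64
import re

# One PEM object: BEGIN/END lines with matching labels around a Base64 body.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def sniff_der(data: bytes) -> str:
    """Heuristic guess from the first element inside the outer ASN.1 SEQUENCE."""
    if len(data) < 3 or data[0] != 0x30:
        return "not ASN.1 DER"
    # Outer length: short form is one byte; long form is 0x80|n followed by n bytes.
    n = data[1] & 0x7F if data[1] & 0x80 else 0
    inner = data[2 + n:2 + n + 3]
    if not inner:
        return "truncated"
    if inner[0] == 0x30:
        return "X.509 certificate"   # tbsCertificate SEQUENCE (a CSR looks the same here)
    if inner[0] == 0x06:
        return "PKCS#7"              # ContentInfo begins with a contentType OID
    if inner == b"\x02\x01\x03":
        return "PKCS#12"             # PFX begins with version INTEGER 3
    if inner[0] == 0x02:
        return "private key"         # PKCS#1/PKCS#8 begin with a version INTEGER
    return "unknown ASN.1"

def identify(data: bytes) -> dict:
    """Describe what a file really contains, ignoring its extension."""
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        return {"encoding": "DER", "objects": [sniff_der(data)]}
    return {
        "encoding": "PEM",
        # b64decode discards the newlines inside each body before decoding.
        "objects": [(lbl.decode(), sniff_der(base64.b64decode(body))) for lbl, body in blocks],
        "certificates": sum(lbl == b"CERTIFICATE" for lbl, _ in blocks),
        "has_private_key": any(lbl.endswith(b"PRIVATE KEY") for lbl, _ in blocks),
    }

# First Base64 line of the PEM and PKCS#7 samples shown on this page (header bytes only).
PAGE_CERT_LINE = b"MIIDXTCCAkWgAwIBAgIJAJC1HiIVF6yqMA0GCSqGSIb3DQEBCwUAMEUx"
PAGE_PKCS7_LINE = b"MIIGhgYJKoZIhvcNAQcCoIIGdzCCBnMCAQExADALBgkqhkiG9w0BBwGg"
# Constructed inputs: a PFX header, and a PEM bundle holding two certificates and a key stub.
PFX_HEADER = bytes.fromhex("30820003020103")
KEY_STUB = base64.b64encode(bytes.fromhex("3003020100"))
CERT_PEM = b"-----BEGIN CERTIFICATE-----\n" + PAGE_CERT_LINE + b"\n-----END CERTIFICATE-----\n"
BUNDLE = CERT_PEM * 2 + b"-----BEGIN PRIVATE KEY-----\n" + KEY_STUB + b"\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(identify(BUNDLE))
```

A result with `has_private_key` set is worth checking before the file's contents are copied into a support ticket or shared with a team.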
"Expired" but Certificate is New
Issue: Reader shows expired even though cert is new
Causes:
- System clock wrong
- Timezone issue
- Certificate validity dates incorrect
Solutions:
1. Check system date/time
2. Verify the timezone is correct
3. Check certificate validity dates
4. Compare with online checker
Next Steps
- 🔒 SSL Certificate Checker - Check live website certificates
- 📝 Create CSR - Generate Certificate Signing Request
- 🔑 SSH Keys - Manage SSH keys
- 🔙 Keychain Overview - All Keychain features
Pro Tip: Keep a "certificates" folder with all your certificate files organized by domain and date. Use Certificate Reader to quickly verify any certificate before installation or when troubleshooting SSL issues!