Leaf certificate
The end-entity certificate — the one installed on your server.
Paste your leaf certificate plus its intermediate (and root) certificates. This tool orders them into a chain, cryptographically verifies each signature against the next certificate up, and confirms the chain terminates in a self-signed root.
Runs entirely in your browser — nothing you paste or upload is sent anywhereThe end-entity certificate — the one installed on your server.
Paste one or more PEM certificates, one after another — order doesn't matter.
Matching a certificate's issuer name to another certificate's subject name only tells you the names line up — anyone can create a certificate with a matching name. This tool goes further and cryptographically verifies that each certificate's signature was actually produced by the next certificate's public key.
This tool confirms the chain is structurally and cryptographically sound. It does not check revocation status (CRL/OCSP) or whether the root certificate is actually trusted by any particular browser or operating system — that trust decision happens outside this page.
If a certificate in your chain looks wrong, use the Certificate Decoder to inspect it on its own — subject, issuer, validity, and extensions — before troubleshooting the whole chain.