PKI Toolkit
Certificate Chain Validator

Confirm your certificate resolves all the way up to a trusted root

Paste your leaf certificate plus its intermediate (and root) certificates. This tool orders them into a chain, cryptographically verifies each signature against the next certificate up, and confirms the chain terminates in a self-signed root.

Runs entirely in your browser — nothing you paste or upload is sent anywhere

Leaf certificate

The end-entity certificate — the one installed on your server.

Intermediate & root certificates

Paste one or more PEM certificates, one after another — order doesn't matter.

PEM only. If you have a DER file, convert it first with the Format Converter.
Paste a leaf certificate and its intermediate/root certificates, then press Validate chain.
What "verified" means here

Name match vs. cryptographic proof

Matching a certificate's issuer name to another certificate's subject name only tells you the names line up — anyone can create a certificate with a matching name. This tool goes further and cryptographically verifies that each certificate's signature was actually produced by the next certificate's public key.
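
The difference between a name match and a signature check, as an added example that is not this tool's own code. It assumes a simplified certificate model (JSON fields signed with Ed25519 through the Node.js `crypto` module) instead of real X.509 parsing, and every name and key in it is constructed for illustration.

```javascript
// Added example, simplified model: a "certificate" is {subject, issuer, publicKeyPem, signature}.
// This is NOT real X.509 parsing; all names and keys below are constructed.
const crypto = require('node:crypto');

// The "to-be-signed" bytes: everything the issuer vouches for.
const tbs = (c) => Buffer.from(JSON.stringify([c.subject, c.issuer, c.publicKeyPem]));

// Build a model certificate signed with the issuer's private key.
function issue(subject, issuer, subjectKeys, issuerPrivateKey) {
  const publicKeyPem = subjectKeys.publicKey.export({ type: 'spki', format: 'pem' });
  const cert = { subject, issuer, publicKeyPem };
  cert.signature = crypto.sign(null, tbs(cert), issuerPrivateKey);
  return cert;
}

// True only if cert's signature verifies under issuerCert's public key.
const signedBy = (cert, issuerCert) => crypto.verify(null, tbs(cert),
  crypto.createPublicKey(issuerCert.publicKeyPem), cert.signature);

// Walk upward from the leaf through an unordered pool of candidate issuers.
// mode 'name'  : a parent is accepted when its subject equals the child's issuer.
// mode 'crypto': the child's signature must also verify under the parent's key.
function buildChain(leaf, pool, mode) {
  const proves = (child, parent) => mode === 'name' || signedBy(child, parent);
  const chain = [leaf];
  let cur = leaf;
  for (;;) {
    if (cur.subject === cur.issuer && proves(cur, cur)) {   // self-signed root reached
      return { ok: true, chain: chain.map((c) => c.subject) };
    }
    const parent = pool.find((p) => !chain.includes(p) && p.subject === cur.issuer && proves(cur, p));
    if (!parent) break;                                     // no acceptable issuer in the pool
    chain.push(parent);
    cur = parent;
  }
  return { ok: false, chain: chain.map((c) => c.subject), failedAt: cur.subject };
}

// Constructed sample data: a genuine three-certificate chain...
const keys = () => crypto.generateKeyPairSync('ed25519');
const [rootK, caK, leafK, otherRootK, otherCaK] = [keys(), keys(), keys(), keys(), keys()];
const root = issue('Example Root', 'Example Root', rootK, rootK.privateKey);
const ca = issue('Example CA', 'Example Root', caK, rootK.privateKey);
const leaf = issue('www.example.test', 'Example CA', leafK, caK.privateKey);
// ...and look-alikes carrying the same names but signed with unrelated keys.
const fakeRoot = issue('Example Root', 'Example Root', otherRootK, otherRootK.privateKey);
const fakeCa = issue('Example CA', 'Example Root', otherCaK, otherRootK.privateKey);

const genuine = buildChain(leaf, [root, ca], 'crypto');          // pool order doesn't matter
const nameOnly = buildChain(leaf, [fakeCa, fakeRoot], 'name');   // ok: true, names line up
const verified = buildChain(leaf, [fakeCa, fakeRoot], 'crypto'); // ok: false, fails at the leaf
```

For real certificates in Node.js, the equivalent signature check is `X509Certificate.prototype.verify(publicKey)`.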

What this doesn't check

Trust is still your call

This tool confirms the chain is structurally and cryptographically sound. It does not check revocation status (CRL/OCSP) or whether the root certificate is actually trusted by any particular browser or operating system — that trust decision happens outside this page.

Before this step

Decode certificates individually first

If a certificate in your chain looks wrong, use the Certificate Decoder to inspect it on its own — subject, issuer, validity, and extensions — before troubleshooting the whole chain.