Certificate Tools — Inspect, Convert, Verify
A complete certificate operations toolkit beyond expiry checking and CSR generation. Inspect any cert file, extract public keys, compare fingerprints between two certs, fetch certs from remote hosts, convert between PEM/DER/PFX formats, extract or bundle PFX archives, verify chains, manage a local CA. Everything offline — private keys never leave your machine.
View certificate info
Drop a .crt / .pem / .cer / .der file and see every field: subject, issuer, SANs, validity, signature algorithm, key type and size, serial number, full extensions. Useful for "what's actually in this cert file?" questions. Pairs with the network-fetch inspector for live-host inspection.
Where in the app: Tools → Certificates → Inspect → View certificate info
Extract public key from cert
Pull the public key out of a certificate as a standalone .pem file. Useful when you need only the public key for cryptographic operations (JWT verification, file encryption to a recipient) without the full cert wrapper.
Where in the app: Tools → Certificates → Inspect → Extract public key
Compare certificate fingerprints
Compare two certificates' SHA-1 / SHA-256 fingerprints. Useful for "is this the same cert I expect?" — pin-validation, mobile-app certificate pinning verification, or detecting if a CA reissued with a new fingerprint.
Where in the app: Tools → Certificates → Inspect → Compare fingerprints
Fetch certificate from remote host
Connect to any host:port over TLS, grab the certificate chain, save as .pem files locally. Useful for adding remote certs to a trust store, archiving an old cert before renewal, or feeding into the other inspect tools for offline analysis.
Where in the app: Tools → Certificates → Inspect → Fetch remote certificate
Convert certificate format
Convert between PEM, DER, .cer, .crt formats. Same certificate, different encoding. PEM is base64 text (most common on Unix), DER is binary (used in Java keystores, Windows .cer), .crt/.cer are extensions used inconsistently. The tool detects the input format and converts to whatever you ask.
Where in the app: Tools → Certificates → Convert → Convert format
Extract PFX / P12 to PEM
Extract certificate(s) and private key from a PFX/P12 archive into separate PEM files. PFX is the Windows / IIS / Azure format that bundles cert+key+chain in one password-protected file; PEM is the Unix-friendly split format. Useful when migrating from Windows to Linux/Mac.
Where in the app: Tools → Certificates → Convert → PFX/P12 → PEM
Bundle PEM + key into PFX
The reverse: combine a PEM cert (optionally with intermediate chain) and a private key into a PFX file, password-protected. Useful when deploying a Linux-generated cert to IIS, Azure App Service, or any platform that wants a PFX upload.
Where in the app: Tools → Certificates → Convert → PEM + key → PFX
Verify certificate chain
Given a certificate (and optional intermediate certs), verify that it chains to a trusted root CA in your system trust store. Reports any missing intermediates, expired certs in the chain, or chain breaks. Useful for diagnosing "untrusted cert" errors before deploying.
Where in the app: Tools → Certificates → Verify chain
Local CA for dev / internal use
Run a local Certificate Authority for development or internal use. Issue certs for any hostname / IP, sign them with your own CA cert, install the CA cert in your system trust store so browsers/apps trust the issued certs. Same idea as mkcert — bundled into one app.
Where in the app: Tools → Certificates → Local CA
Questions and answers
What's the difference between certificates and CSRs?
A CSR (Certificate Signing Request) is what you send to a CA — it contains your public key + identity info, signed by your private key. A certificate is what the CA sends back — it contains the same info plus the CA's signature, making it trustworthy. CSR is the "application form"; certificate is the "issued document".
PEM vs DER vs CRT vs PFX — quick mental model?
PEM: base64-encoded text, starts with -----BEGIN CERTIFICATE-----. DER: binary, same content. CRT / CER: extensions; could be either PEM or DER. PFX / P12: archive bundling cert + private key + chain, password-protected.
When do I need the Local CA?
When developing HTTPS locally and want browsers to trust your certs without warnings (alternative: install each self-signed cert individually — tedious if you have many). Install the CA cert once; everything it issues is trusted automatically.
How does this differ from openssl on the command line?
Same operations, GUI. openssl is more powerful (and harder); these tools cover the 90% case with friendly UI.
Related tools
Get MiniMax Converter
Cross-platform desktop app. Linux free for non-commercial use; Windows & macOS one-time €20 license. No subscription, no telemetry, no account.