← Back to Labs

Certificate Chain Visualization

Trace a representative Let's Encrypt-style chain from leaf certificate through the intermediate to the ISRG root, then layer revocation, CT, and pinning on top.

LeafDNS: debtman.devCA:FALSE · serverAuthLet's Encrypt R11CA:TRUE · keyCertSignpathlen:0ISRG Root X1trust anchorstored locallysigCheck SAN, EKU, validity window, and that this is a leaf, not a CA.Build chain, verify signatures, enforce X.509 policy, check status, accept keystapled OCSP statusSCT / CT log proofSPKI pin match
Step 1 / 6The server presents a leaf certificate for the hostname

The website sends a certificate saying which hostname its public key is supposed to belong to.

Arrow keys to navigate · R to reset

Tap dots to jump to any step

Read the full article →Take the quiz →