How to Inspect an SSL/TLS Certificate Chain
Use the Certificate Chain Viewer to decode PEM certificates, read expiry dates and SANs, and diagnose common chain issues.
Tool Used
Certificate Chain Viewer
Get the certificate in PEM format
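You need the certificate in PEM format: a block of text starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----. To get a server's certificate from the command line: openssl s_client -connect yourdomain.com:443 -showcerts </dev/null 2>/dev/null | openssl x509 -text. Redirecting stdin from /dev/null makes s_client exit after the handshake instead of waiting for input. openssl x509 reads only the first certificate it receives (the server's own), so the output is that certificate's decoded text followed by its PEM block. Copy the PEM block from the output. To collect the intermediate certificates as well, run the s_client command without the | openssl x509 -text part and copy each PEM block that -showcerts prints. Alternatively, click the padlock icon in your browser, view the certificate, and export it as PEM.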
Paste the certificate into the viewer
Open the Certificate Chain Viewer tool. Paste one or more PEM certificate blocks into the input field. For a full chain, paste the server certificate first, followed by intermediate certificates, each as a separate PEM block. The viewer processes each certificate in order from leaf to root.
Read the certificate details
The viewer displays for each certificate: the Subject (who the certificate was issued to), the Issuer (which CA signed it), the validity period (Valid From and Valid To), the Subject Alternative Names (all domains covered), the serial number, the signature algorithm, and the public key type and size. Check that the Subject matches the domain you expect and that the Valid To date is in the future.
Verify the chain of trust
For a valid chain, the Issuer of the server certificate should match the Subject of the intermediate certificate, and the Issuer of the intermediate should match the Subject of the root CA. The viewer highlights any gaps in the chain. A missing intermediate is the most common certificate configuration error — check that your server is configured to serve the full chain including all intermediate certificates.
Check Subject Alternative Names for domain coverage
The Subject Alternative Names (SANs) extension lists all domains the certificate covers. Verify that your domain appears in the SANs list. Wildcards like *.example.com cover one subdomain level (api.example.com) but not deeper levels (v1.api.example.com). If your domain is not in the SANs, users will see a certificate mismatch error in their browser.
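The checks from the last three steps (expiry, issuer-to-subject linkage, SAN coverage) can be scripted. The following Python is an added example, not the Certificate Chain Viewer's own code; the certificate fields, names, dates and trusted-root set are constructed sample data, and the function names are hypothetical.

```python
from datetime import datetime, timezone

def san_covers(pattern, host):
    """True if one SAN DNS entry covers host; '*' stands for exactly one leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):  # a wildcard never spans extra labels
        return False
    return p[1:] == h[1:] and p[0] in ("*", h[0])

def check_chain(chain, host, trusted_roots, now):
    """chain is leaf-first; each entry holds fields the viewer displays.
    Compares names and dates only; it does not verify signatures."""
    findings = []
    leaf = chain[0]
    if not any(san_covers(s, host) for s in leaf["sans"]):
        findings.append(f"name mismatch: {host} not covered by {leaf['sans']}")
    for cert, nxt in zip(chain, chain[1:]):  # each Issuer must equal the next Subject
        if cert["issuer"] != nxt["subject"]:
            findings.append(f"gap: {cert['subject']} issued by {cert['issuer']}, next is {nxt['subject']}")
    for cert in chain:
        if cert["not_after"] <= now:
            findings.append(f"expired: {cert['subject']}")
    top = chain[-1]  # last supplied certificate must be, or chain to, a trusted root
    if top["subject"] not in trusted_roots and top["issuer"] not in trusted_roots:
        findings.append(f"missing issuer: {top['issuer']} not supplied and not a trusted root")
    return findings

# Constructed sample data (not taken from any real certificate)
UTC = timezone.utc
ROOTS = {"CN=Example Root CA"}
LEAF = {"subject": "CN=api.example.com", "issuer": "CN=Example Intermediate CA",
        "sans": ["example.com", "*.example.com"], "not_after": datetime(2025, 3, 1, tzinfo=UTC)}
INTERMEDIATE = {"subject": "CN=Example Intermediate CA", "issuer": "CN=Example Root CA",
                "sans": [], "not_after": datetime(2030, 1, 1, tzinfo=UTC)}
NOW = datetime(2025, 1, 1, tzinfo=UTC)

if __name__ == "__main__":
    print(check_chain([LEAF, INTERMEDIATE], "api.example.com", ROOTS, NOW))
    print(check_chain([LEAF], "api.example.com", ROOTS, NOW))  # intermediate not served
    print(check_chain([LEAF, INTERMEDIATE], "v1.api.example.com", ROOTS, NOW))
```

An empty list means the name, date and linkage checks passed; a real validator also verifies each signature against the issuer's public key.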