PEM Inspector

Paste one or more PEM blocks to see exactly what they are — certificates, keys, or CSRs — with key type, size, curve, and certificate chain-order analysis. Nothing is uploaded.

PEM Input

Results

Paste PEM text and click Inspect PEM to see the breakdown.

About PEM Inspector

The PEM Inspector decodes PEM-encoded cryptographic objects and tells you exactly what they are — without ever uploading your files. PEM (Privacy-Enhanced Mail) is the familiar Base64 text format wrapped in -----BEGIN ...----- / -----END ...----- markers used for TLS certificates, public and private keys, and certificate signing requests.

Paste one block or a whole bundle and the tool splits it into individual blocks, identifies each by its label, and parses the underlying ASN.1/DER structure to surface the important details: the key algorithm (RSA, EC, Ed25519, Ed448, DSA), key size for RSA, and the named curve for elliptic-curve keys. For certificates it shows subject, issuer, validity dates, serial number, and signature algorithm. For a bundle of certificates it analyzes the chain order, flags certificates that are out of order or expired, and tells you whether the chain ends in a self-signed root.

It recognizes SPKI public keys, PKCS#1 RSA keys, PKCS#8 and SEC1 private keys, encrypted private keys, PKCS#10 CSRs, EC and DH parameters, and X.509 CRLs. Everything is parsed locally in your browser with no dependencies and no network calls, so it is safe to inspect production keys and certificates.

How to Use PEM Inspector

  1. Paste one or more PEM blocks into the input box, or click Load Sample to try it with a real certificate.
  2. Click Inspect PEM. Each block is decoded into its own card with a colored type badge.
  3. Review the key algorithm, size or curve, and — for certificates — the subject, issuer, and validity.
  4. For a bundle of certificates, read the Certificate Chain summary at the top to confirm the order is leaf → intermediate → root.
  5. Use Copy PEM on any card to copy that single, cleanly re-wrapped block.
Private keys are parsed only to read their type and size — the secret key material is never displayed, transmitted, or stored. Encrypted private keys can only be identified, not decoded, without the password.

What it detects

  • ✅ X.509 certificates
  • ✅ Public keys (SPKI & PKCS#1)
  • ✅ Private keys (PKCS#8, PKCS#1, SEC1)
  • ✅ CSRs (PKCS#10)
  • ✅ RSA size, EC curve, Ed25519
  • ✅ Certificate chain order

FAQ

Are my keys or certificates uploaded anywhere?

No. All decoding happens entirely in your browser using a built-in ASN.1/DER parser. Nothing is sent to a server, so it is safe to inspect private keys and production certificates.

What PEM types are supported?

Certificates, SPKI and PKCS#1 public keys, PKCS#8 / PKCS#1 / SEC1 private keys, encrypted private keys, PKCS#10 certificate signing requests, EC and DH parameters, and X.509 CRLs.

How does it check certificate chain order?

When you paste multiple certificates, it compares each certificate's issuer with the next certificate's subject. A correct chain runs leaf → intermediate → root, where every certificate is signed by the one after it. It also flags expired certificates and notes whether the chain ends in a self-signed root.

Can it show the private key contents?

No — and that is intentional. The tool reads only the metadata needed to identify the key (algorithm, size, curve). The actual secret values are never displayed or stored.

Why does my encrypted private key show no details?

An ENCRYPTED PRIVATE KEY block is protected by a password, so its contents cannot be parsed without first decrypting it. The tool can confirm the type but not the algorithm or size.

What if a block fails to parse?

The card shows a parse error for that block while still processing the others. This usually means the Base64 is truncated, the block is a format the tool doesn't decode, or the data isn't valid DER.