The Cert Graveyard's PKILab

Upload a signed Windows binary or paste a certificate — we extract the full chain, decode every field in plain English, and flag anomalies automatically.

Inspect a certificate

Supported Formats

Windows PE

EXE · DLL · SYS

Windows Installer

MSI

App Package

APPX · MSIX · bundles

macOS / iOS Binary

Mach-O · DYLIB

P7X Signature

standalone Authenticode sig

Certificate Bundle

P7B · P7C

DER Certificate

raw binary cert

PEM / CRT / CER

base64-encoded cert

Paste PEM text

no file needed

What We Check

Expiry & validity

Expired, not-yet-valid, suspicious lifetimes

Chain structure

Self-signed leaves, missing intermediates, path length

Key strength

Weak RSA/EC keys, deprecated algorithms

Extended Key Usage

EKU mismatches, TLS + code-signing combos

Signer identity

Domain CNs used in code-signing context

Revocation

CRL fetch and OCSP status check

Timestamp

Countersignature presence and validity

Issuer anomalies

Short-lived root CAs, unusual constraints

Quick Concepts

Chain of Trust

The sequence root CA → intermediate CA(s) → leaf cert. Each link is verified by the one above it.

Root CA Certificate

The top of the trust chain — a self-signed certificate that vouches for itself. Trust comes from being pre-installed in the OS.

Intermediate CA Certificate

A CA that sits between the root and leaf certs. The root signs the intermediate; the intermediate signs leaf certs.

Leaf / End-Entity Certificate

The final cert in the chain — the one actually used for signing, TLS, email, etc. Cannot issue further certificates.

Authenticode

Microsoft's format for digitally signing Windows executables and scripts.

Certificate Revocation List (CRL)

A signed list published by a CA of certificate serial numbers that have been revoked before their expiry.