PKILab

Explore code-signing certificates hands-on. Inspect real signatures, build your own Certificate Authority, and sign files — all in one place.

🔍

Certificate Inspector

Upload a signed Windows PE file or paste a PEM/DER/P7B certificate. We'll extract the full chain and break down every field in plain English.

Windows EXE / DLL PEM / DER / P7B

Inspect a certificate

🏛️

Mock CA Lab

Build your own Certificate Authority from scratch. Create root & intermediate CAs, issue leaf certificates, sign PE files, and explore revocation — just like a real CA.

Root & Intermediate CAs Code Signing Certs PE File Signing CRL Generation

Open CA Lab

Quick Concepts

Chain of Trust

The sequence root CA → intermediate CA(s) → leaf cert. Each link is verified by the one above it.

Root CA Certificate

The top of the trust chain — a self-signed certificate that vouches for itself. Trust comes from being pre-installed in the OS.

Intermediate CA Certificate

A CA that sits between the root and leaf certs. The root signs the intermediate; the intermediate signs leaf certs.

Leaf / End-Entity Certificate

The final cert in the chain — the one actually used for signing, TLS, email, etc. Cannot issue further certificates.

Authenticode

Microsoft's format for digitally signing Windows executables and scripts.

Certificate Revocation List (CRL)

A signed list published by a CA of certificate serial numbers that have been revoked before their expiry.