CA Matcher

Verify that a CA certificate signed an end-entity certificate. Parsed locally in your browser.

End-entity certificate (PEM)
CA / issuer certificate (PEM)

About the CA Matcher

CA Matcher checks whether an end-entity certificate was signed by a CA certificate you provide. Paste the leaf cert and the issuer (intermediate or root) CA cert in PEM form. The tool verifies the signature chain with node-forge and compares the certificate issuer distinguished name to the CA subject.

This is useful when assembling a chain file for nginx or HAProxy: confirm the intermediate you downloaded actually signed your server certificate before you bundle them. It is also handy when debugging a custom CA or internal PKI where you have the CA cert but want a quick sanity check without openssl on the command line.

Both certificates are parsed in your browser only. Nothing is uploaded or stored. For live chains served by a public hostname, use the SSL Checker instead.

Browser-side verification covers the direct issuer relationship. Full path building to a public root with OCSP or CRL checks is out of scope; use openssl verify or your platform trust store for production sign-off.

Your ad could be here

Reach developers and designers who use these tools every day. Privacy-first, no trackers.

Frequently asked questions

What is the difference between CA Matcher and SSL Checker?

CA Matcher verifies two PEM certificates you paste locally. SSL Checker connects to a live host and reads the certificates the server presents. Use CA Matcher for files; use SSL Checker for endpoints.

Do I paste the root CA or the intermediate?

Paste the certificate that directly signed your leaf cert. That is usually the intermediate CA. If your leaf was signed by a root, paste the root. The issuer field on the leaf must match the subject on the CA you provide.

Why does verification fail when names look similar?

Distinguished names must match exactly, including spacing and attribute order. A mismatch in the issuer field means you may have the wrong intermediate file, even if the organization name looks right.

Is my data uploaded?

No. Both certificates are processed locally in your browser.

Does this replace openssl verify?

No. It is a quick browser check for the direct signing relationship. Production validation should still use openssl verify or your deployment tooling with the full chain and trust store.

SSL & Certificates

SSL Checker

Inspect a host's TLS certificate chain, expiry, trust, protocol, and hostname match.

SSL & Certificates

SSL & CSR Decoder

Paste a PEM certificate or CSR and read subject, issuer, validity, SANs, and fingerprints locally.

SSL & Certificates

Key Matcher

Check whether a PEM private key matches a certificate. The key never leaves your browser.

SSL & Certificates

CSR Generator

Generate an RSA private key and certificate signing request (CSR) locally in your browser.

SSL & Certificates

RSA Key Converter

Convert RSA private and public keys between PKCS#1, PKCS#8, SPKI, and DER base64 locally.

SSL & Certificates

Bulk SSL Checker

Check TLS certificates for up to 20 hostnames at once and compare expiry and trust.