CA/Browser Forum
Home » Resources » Tools

Tools

Reference to these tools is solely for the information and convenience of the public, and does not constitute the endorsement or recommendation of any company, product, or service by the CA/Browser Forum.

Online Tests of SSL/TLS Configurations (submit website to check)

CryptCheck – https://cryptcheck.fr / https://tls.imirhil.fr/

DigiCert – https://www.digicert.com/help/

Hardenize – https://www.hardenize.com/

Immuniweb – https://www.immuniweb.com/ssl/

Mozilla Observatory – https://observatory.mozilla.org

Scanigma – https://scanigma.com/

SSL Checker – https://www.sslchecker.com/sslchecker

SSL Labs – https://www.ssllabs.com/ssltest

SSLyze – https://github.com/nabla-c0d3/sslyze

TestSSL – https://testssl.sh/

Wormly – https://www.wormly.com/test_ssl

Actalis SSL Check – https://sslcheck.actalis.com/

Browser / Client Testing

BadSSL – https://badssl.com/ (numerous scenarios to use to test how your browser reacts)

How’s My SSL – https://www.howsmyssl.com/

SSL Labs – https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html

Check for Bad Private Keys

Hanno Boeck‘s Tool – https://github.com/badkeys/badkeys

ROCA Vulnerability – https://github.com/crocs-muni/roca

CVE-2008-0166 – https://github.com/CVE-2008-0166 provides a generator that runs on modern 64-bit Linux systems and provides complete sets of pregenerated keys for the most common RSA key sizes

Debian Weak Keys – https://github.com/HARICA-official/debian-weak-keys provides a generator, for a subset of the parameters listed above, that can take advantage of a computer cluster

Check Certificates and CSRs (Searches and Decoders)

Crt.sh - https://crt.sh/?sha256= [sha256 hash of certificate]

Censys.io – https://search.censys.io/certificates (billions of certificates)

GoDaddy Certificate and CSR Decoders – https://ssltools.godaddy.com/views/csrDecoder / https://ssltools.godaddy.com/views/certDecoder

Mozilla Certsplainer – https://tls-observatory.services.mozilla.com/static/certsplainer.html (Shows certificate information and shows path to root certificate (requires certificate PEM file))

Mozilla EV certificate checker – https://tls-observatory.services.mozilla.com/static/ev-checker.html (requires certificate PEM and EV OID)

Sectigo – https://secure.sectigo.com/utilities/decodeCSR.html

CA Information

Status of each CA’s three test websites

Crt.sh – https://crt.sh/test-websites

Status of CAs’ CCADB reporting compliance

Crt.sh – https://crt.sh/apple-disclosures

Crt.sh – https://crt.sh/chrome-disclosures

Crt.sh – https://crt.sh/mozilla-disclosures

CA Misissuance

Coming soon

Revocation Checking

Revocation Checker – https://certificate.revocationcheck.com/

Certificate Tools OCSP Checker – https://certificatetools.com/ocsp-checker

OCSP Watch – https://sslmate.com/labs/ocsp_watch/

CRL Watch – https://sslmate.com/labs/crl_watch/

Linting Software

pkilint - Opensource linting framework for documents that are encoded using ASN.1 (coverage includes PKIX, S/MIME BR, TLS BR, CRL and OCSP response, etc.) - https://github.com/digicert/pkilint

ZLint - Opensource X.509 certificate linter written in Go that checks for consistency with standards (e.g. RFC 5280) and other relevant PKI requirements (e.g. CA/Browser Forum Baseline Requirements) - https://github.com/zmap/zlint

pkimetal - Opensource PKI “meta linter” that integrates pkilint, Zlint, and several other linters behind a simple REST API, which supports pre-issuance and post-issuance linting of certificates, CRLs, and OCSP responses - https://github.com/pkimetal/pkimetal

Offline, Downloadable Tools

OpenSSL – https://www.openssl.org/

How to check OCSP using OpenSSL – https://unmitigatedrisk.com/?p=42

OWASP SSL advanced forensic tool (O-Saft) https://owasp.org/www-project-o-saft/

ASN.1 Viewers – https://www.itu.int/en/ITU-T/asn1/Pages/Tools.aspx

Mozilla SSL/TLS Configuration Generator for Servers (Apache, nginx, etc.) – https://ssl-config.mozilla.org/

SSL Labs: SSL and TLS Deployment Best Practices – https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices

OWASP TLS Cheat Sheet – https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html

Resources
Latest releases
Server Certificate Requirements
SC099: Improve Recording of Validation Methods - May 19, 2026

Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.14 - Ballot SMC016 - May 5, 2026

This ballot maintains consistency between the S/MIME Baseline Requirements and the TLS Baseline Requirements with changes introduced by Ballots SC096 and SC097. Specifically, this ballot: Creates a carve-out of the logging requirements for DNSSEC specifically, stating these are not in scope. For audit purposes, change management logging is able to confirm if the appropriate controls are in effect or not. Sunsets all remaining use of SHA-1 signatures in Certificates and CRLs. It is noted that most uses of SHA-1 signatures are already deprecated by SC097. With this ballot, all unexpired Subordinate CA Certificates issuing S/MIME containing the SHA-1 signature algorithm must be revoked. This proposal does not prohibit the use of SHA-1 to generate issuerKeyHash or issuerNameHash values as currently required by RFC 5019. Includes minor formatting corrections.

Network and Certificate System Security Requirements
Version 2.0.5 (Ballot NS-008) - Jul 9, 2025

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).