PKI utility

PFX / PKCS#12 Inspector

Read the structure of a .pfx / .p12 archive: outer ContentInfo, SafeContents, bag types (cert / shrouded key / friendly name), and which encryption schemes are in use. Unencrypted certificate bags are decoded into their X.509 contents. Password-decryption of encrypted bags is not implemented in this client-side tool — that is a deliberate scope limit; we will not silently leak your private key.

Client-sideRFC 7292Structure-only

PFX / PKCS#12 input

Choose .pfx / .p12

For pasted input, base64 or hex of the .pfx blob.

Structure

Drop a .pfx / .p12 file, or paste base64 / hex.

Your .pfx file never leaves your browser. We do not decrypt private-key bags here on purpose — see the reference panel below.

PFX / PKCS#12 in one line

PKCS#12 (a.k.a. PFX) is a password-protected container of certs and keys. RFC 7292 defines the structure: an outer SEQUENCE with version, an AuthenticatedSafe (one or more SafeContents), and an optional MAC. SafeContents are typically encrypted with PBE (PBES1 with SHA-1+3DES historically; PBES2 with PBKDF2 + AES today). This tool reads the public structure and shows what is in there; we do not implement password-based decryption client-side.

Spec

RFC 7292 (PKCS#12), RFC 8018 (PKCS#5 v2.1, PBES2).

Roadmap

Modern PBES2+AES decryption is on the roadmap. PBE-SHA1-3DES (legacy) requires a 3DES implementation Web Crypto does not expose.

Engineering blog →

Companion tool

Inspect each cert once extracted.

X.509 viewer →