Cert Toolkit
Local PEM lifecycle in one tab — generate RSA / ECDSA keys, build CSRs, self-sign certs, sign CSRs with your own CA, inspect any PEM. Pure local, no network. Pro and above.
Mint, sign, and inspect X.509 material without leaving the app or trusting a web tool with your private keys. Available on Pro and above.
Generate a private key
Pick the type and size:
- RSA — 2048 / 3072 / 4096 bit
- ECDSA — P-256 / P-384 / P-521
The output is a standard PEM PRIVATE KEY block. Optional passphrase encrypts the PEM with aes-256-cbc.
Build a CSR
Fill in the subject (CN, O, OU, L, ST, C), add SAN entries (DNS, IP, email, URI), pick the signing key, and ShellYard emits a PEM CERTIFICATE REQUEST block ready to hand to a CA.
Self-sign a certificate
Generate (or load) a key, build (or load) a CSR, set the validity window (not_before / not_after), pick the key-usage and extended-key-usage extensions you want, and ShellYard issues a self-signed PEM CERTIFICATE. Useful for local TLS, internal services, lab work.
Sign a CSR with your CA
Load a CSR you received, point at your CA’s certificate and private key (also PEM), set validity and extensions, click Sign. Output is a PEM cert signed by your CA — same workflow you’d otherwise do with openssl x509 -req -CA ... -CAkey ..., but inside the app.
Inspect any PEM
Paste any PEM block — certificate, CSR, public key, private key — and Cert Toolkit decodes it:
- Certificate — Subject, Issuer, Serial, SANs, validity window with “expires in X days,” signature algorithm, key info, fingerprint (SHA-1, SHA-256), key usage, extended key usage.
- CSR — Subject, requested SANs, requested extensions, signature algorithm, key info.
- Key — algorithm, size, fingerprint, whether the PEM is encrypted.
Pure local
Every operation is local. The private key never leaves the machine — there’s no network call, no third-party service, no upload. This is the whole point: stop pasting private keys into web-based “certificate decoders.”