About CertLens

Why This Exists

PKI troubleshooting shouldn't be this painful.

Certificate management sounds routine — until you're staring at verify error:num=20:unable to get local issuer certificate at 2 AM before a SWIFT go-live. Or trying to explain to an auditor why three keystores in production have chains that don't validate. Or watching a Java application refuse all TLS connections after a trust store update nobody documented.

The tools that exist today are either:

  • Too low-level: openssl x509 -text -noout gives you everything and explains nothing
  • Too basic — browser padlock checks don't help someone debugging a broken PKCS#12 bundle
  • Java-hostile — most tools don't understand JKS keystores, multi-alias chains, or PrivateKeyEntry vs TrustedCertEntry
  • Expensive and heavy — enterprise certificate managers are built for procurement teams, not debugging engineers
  • Opaque — they tell you the cert is invalid, not why the chain fails or what to do about it

CertLens was built to close that gap. The same debugging steps kept appearing across every project — the same chain reconstruction logic, the same error explanations, the same "here's what Error 20 actually means and here's the keytool command to fix it" guides written fresh every time. We wanted one tool that does all of it automatically, visually, and with plain-English explanations that make sense to both the engineer debugging at midnight and the manager asking for a risk summary in the morning.

CertLens is the tool we wished existed every time we had to debug PKI under pressure.

What CertLens Is

Think of CertLens as an X-ray for certificates with an AI troubleshooting assistant built in. It takes certificate files and TLS endpoints that normally require a dozen different commands to inspect, and turns them into clear visual results — chain diagrams, risk scores, identity breakdowns, and actionable fix commands — in seconds.

"CertLens simplifies PKI by turning complex certificate data into clear insights, risk analysis, and actionable fixes."

It handles formats that most tools ignore — JKS keystores with multiple aliases, PKCS#12 bundles containing private keys, multi-cert PEM chains — and it understands the difference between a keystore holding a server identity and a truststore holding CA certificates. That distinction matters enormously in SWIFT, API gateway, and Java application environments, and most tools treat both identically.

What You Can Do With It

🔗 Certificate Chain Analysis

CertLens reconstructs the full trust chain from any uploaded file — identifying the Leaf, Intermediates, and Root CA automatically. It detects missing intermediates, incorrect chain ordering, and self-signed certificates, and shows exactly where the chain breaks and why.

Detects: verify error:num=20, missing intermediate, wrong chain order, broken trust path

🔐 Keystore & Truststore Intelligence

Upload JKS or PKCS#12 files and inspect every alias inside. CertLens differentiates PrivateKeyEntry (server identity certificates) from TrustedCertEntry (CA trust anchors), shows expiry, crypto algorithm, and risk rating per alias — and understands multi-leaf keystores that hold several independent certificate chains.

Covers: JKS · PKCS#12 · PFX, multi-alias keystores, PrivateKeyEntry, TrustedCertEntry, WSO2 · Apigee · Java apps

🌐 Live TLS Endpoint Scanning

Enter any domain and CertLens performs a live TLS handshake, fetches the full server certificate chain, and analyses it — expiry, chain completeness, algorithm strength, and trust status — without any server access. Useful for debugging API failures, mTLS misconfigurations, and production TLS outages.

Detects: hostname mismatch, expired certs, chain gaps, TLS version issues, mTLS failures

⚠️ AI-Powered Risk Assessment

Every scan produces a 0–100 security score and a risk level. But CertLens goes further — it explains every finding in plain English: why it's a problem, what the impact is, and the exact terminal commands to fix it. Not just a red flag. A resolution path.

Checks: expiry risk, weak SHA1 / 1024-bit, missing SAN, improper key usage, self-signed risks

📄 Audit Reports & Identity Analysis

Export full PDF audit reports of any scan. CertLens also performs identity analysis — showing who owns the certificate, which domains it covers, what environment it belongs to, and whether it meets requirements for SWIFT CSP controls or compliance audits.

Output: PDF reports, SWIFT CSP, SAN coverage, org identity, compliance evidence

Who It's For

Java & Spring developers
Debugging JKS keystores, PKIX path errors, and trust store failures in Tomcat, JBoss, WebLogic, and Spring Boot applications.

🏦 Banking & SWIFT engineers
Managing client certificates, mTLS connections, and certificate chains for SWIFT Alliance Access, Alliance Gateway, and financial APIs.

🔧 DevOps & Platform teams
Monitoring certificate expiry across services, debugging Kubernetes TLS, and analysing API Gateway (WSO2, Apigee, Kong) certificate configurations.

🛡️ Security & audit teams
Generating audit-ready PDF reports of certificate configurations, risk findings, and compliance evidence for CSP, ISO 27001, and PCI-DSS reviews.

Real-World Use Cases

01. OpenSSL Error 20 — unable to get local issuer certificate
Upload the certificate bundle. CertLens detects the missing intermediate CA, identifies which CA needs to be added, and provides the exact command to repair the chain.

02. SWIFT mTLS handshake failure
Upload both the keystore (client certificate) and truststore (CA bundle). CertLens checks both sides and identifies mismatches between what the client presents and what the server trusts.

03. JKS keystore audit before go-live
Upload the application keystore. CertLens inventories every alias, flags certificates expiring within 90 days, identifies weak algorithms, and exports a full PDF audit report.

04. Production API TLS failure
Enter the API hostname. CertLens performs a live scan, detects chain gaps or expiry issues, and shows the exact fix — all without touching the server or reading a certificate file.

Why CertLens Is Different

Other approaches
  • Raw terminal output, no explanation
  • Doesn't understand JKS or multi-alias chains
  • Tells you what's wrong, not how to fix it
  • Built for certificate management, not debugging
  • Requires OpenSSL expertise to interpret results
CertLens
  • Visual chain diagram + plain-English explanations
  • Full JKS / PKCS#12 / multi-alias keystore support
  • WHY it fails + IMPACT + exact fix commands
  • Built specifically for PKI debugging workflows
  • Useful to engineers and managers alike

What's Coming

CertLens is actively developed. On the roadmap:

📅 Certificate expiry monitoring
Scheduled alerts before certificates expire — never miss a renewal again

📡 Continuous domain scanning
Monitor live TLS endpoints on a schedule and get notified when anything changes

🤖 AI chat-based debugging
Ask questions about your certificate in plain English and get step-by-step guidance

🔗 CI/CD pipeline integration
API-first access for automated certificate validation in deployment pipelines

🏢 Enterprise dashboard
Organisation-wide certificate visibility — inventory, risk overview, and expiry timeline

The Team

CertLens is built and maintained by Navsatech, a software company based in Pune, India. We build developer tooling for security and infrastructure engineers — software that makes hard things understandable.

Navratna Dapakra
Co-founder · Navsatech
Backend systems and PKI engineering. Built the certificate chain reconstruction engine, keystore parser, TLS scanner, and risk scoring system that powers CertLens.
Sarita Dapakra
Co-founder · Navsatech
Product and engineering. Responsible for making complex PKI analysis output understandable — the explanations, the UI, and the workflows that turn raw certificate data into actionable insight.

Get in Touch

Questions, bug reports, feature ideas — we read everything and respond to all of it.

🔒 Privacy first — uploaded certificates and keystores are processed in-memory and never stored permanently. Your certificate data is never shared with third parties.