Certificates and keys
Certificate and key files open with a rich Info sidecar that decodes the cryptographic
material: X.509 certificates, certificate signing requests (CSRs), certificate revocation lists
(CRLs), private keys (RSA / EC / Ed25519 / DSA / PKCS#8), public keys, OpenSSH public-key files
(.pub), and JSON Web Keys. The source view depends on the container: PEM shows its text, a JWK
shows the pretty-printed JSON, and raw DER is binary so it gets the Info sidecar and the
hex dump only.
A PEM file may contain many entries — a fullchain bundle, for example, holds one or more
certificates plus an intermediate. A JWK Set holds one key per keys member; a DER file is a
single entry. Every entry is decoded and rendered as its own block in the Info section.
Detection
- By extension —
.pem/.csr/.crl/.key/.p7b/.p7c/.pub(PEM),.der(DER),.jwk/.jwks(JWK). - By content — anything that starts with
-----BEGIN(any label, PEM), an OpenSSH algorithm prefix (ssh-rsa,ssh-ed25519,ecdsa-sha2-…, including the FIDO/U2Fsk-*variants), a binary DER certificate, or a JSON object whosektyis a known key type.
.crt and .cer are intentionally not routed by extension because they carry either
encoding. A PEM-encoded one is picked up by the -----BEGIN sniff; a DER-encoded one is
recognised when its bytes decode as an X.509 certificate. (DER carries no label, so peek tries
certificate, then CRL, CSR, and key in turn.) A JWK saved as .json keeps the generic JSON view —
the JWK content sniff only applies to .jwk / .jwks, stdin, and extension-less files.
What you see
Per entry, the Info section surfaces:
- X.509 certificate — subject, issuer, serial, NotBefore / NotAfter, days remaining (painted
as a warning when ≤ 30 days; expired certs show as
expired N days ago), public-key algorithm- bits, signature algorithm, Subject Alternative Names (DNS / IP / email / URI), CA flag, self-signed flag, key usage, extended key usage, SHA-1 and SHA-256 fingerprints.
- CSR (PKCS#10) — subject, requested SANs, public-key algorithm + bits, signature algorithm.
- CRL — issuer, This Update / Next Update, revoked entry count, signature algorithm.
- Private key — label, key type (RSA / EC + curve / Ed25519 / DSA / opaque), bit size when
derivable. Encrypted (
ENCRYPTED PRIVATE KEY) andOPENSSH PRIVATE KEYblocks show structural info only — no password prompt. - Public key — label, key type, bit size (parsed from the SPKI envelope).
- SSH public key — algorithm, bits, comment, SHA-256 fingerprint matching
ssh-keygen -l. - JSON Web Key — type (RSA / EC / oct / OKP) and curve, bit size, algorithm, use, key operations, key ID, and the RFC 7638 thumbprint.
Decode failures don't suppress the rest of the section. A malformed block surfaces as a per-entry
Parse error row so one bad PEM in a chain doesn't hide the others. Unrecognised PEM labels
show as Unknown entries with the original label and the decoded DER body size.
Source view
The default view is the PEM text — exactly what the file contains. Tab or i jumps to Info.
Hex (x) is still available; for cert files it's rarely what you want, but it's there.
Limitations
PKCS#12 / PFX containers and encrypted PKCS#8 (password prompt) are not yet decoded. They're tracked as follow-up work.