X.509 path building & validation · RFC 5280
Builds a real ECDSA P-256 certificate hierarchy in your browser and puts you in the validator's seat: assemble chains, run the RFC 5280 checklist, and watch valid signatures get rejected.
When your browser connects to a website, the site presents a certificate — a signed statement that a public key belongs to a name — plus a few more certificates vouching for the first one, leading back to a root your device already trusts. Checking that chain is two different jobs: finding a sequence of certificates that link up (path building — a search problem), and judging that sequence against a checklist of rules about authority, names, dates, and revocation (path validation — RFC 5280 §6). Only one small part of that checklist is cryptography. This lab hands you a real certificate hierarchy and makes you do both jobs by hand.
@peculiar/x509. Every signature verdict shown is a real WebCrypto
verification. The RFC 5280 §6 checks (basicConstraints, pathLen, keyUsage,
nameConstraints, EKU, validity, trust anchoring) and RFC 6125/9525 hostname matching
are implemented in inspectable TypeScript in this repo.
Generating the lab PKI (19 certificates, real ECDSA P-256 signatures)…