y509: A terminal user interface (TUI) tool for viewing and analyzing X.509 certificate chains

Published: (January 9, 2026 at 10:01 AM EST)
Source: Dev.to


Introduction

Have you ever found yourself squinting at the terminal, trying to decipher the output of openssl s_client -connect … -showcerts?
It works, but scrolling through walls of text to find an issuer or an expiration date isn’t exactly a great developer experience.

“I wanted to check certificate chains more intuitively, interactively, and—most importantly—in style.”

With that in mind, I built y509, a TUI tool written in Go using Bubble Tea.

  • GitHub Repository:

What is y509?

y509 is a Terminal User Interface (TUI) tool designed for viewing and analyzing X.509 certificate chains.
The name is a playful nod to “X.509” (and perhaps because Y comes after X).

Key Features

  • Intuitive TUI: Two‑pane interface showing the certificate hierarchy list alongside detailed information.
  • Chain Validation: Comprehensive validation with detailed error reporting.
  • Search & Filter: Search certificates by CN, organization, or DNS names; filter by status (expired/expiring).
  • Export Functionality: Export specific certificates from the chain in PEM or DER format.
  • Status Indicators: Color‑coded warnings for expired or soon‑to‑expire certificates.

Motivation

  1. I wanted to build a TUI tool
    After using tools like k9s, I realized how awesome TUIs can be. The ability to have a rich, interactive experience without leaving the terminal fascinated me, so I tried building one with modern libraries.

  2. Checking certificate chains is tedious
    Using openssl to view a certificate chain is a hassle, and even more modern tools like step (smallstep) CLI produce only plain text output. A visual, interactive tool makes the process quicker and more enjoyable.

Installation

macOS (via Homebrew)

brew tap kanywst/y509 https://github.com/kanywst/y509
brew install y509

Go Install

go install github.com/kanywst/y509@latest

Usage

y509 supports reading from local files as well as reading directly from standard input (stdin).

The Killer Feature: Piping from OpenSSL

openssl s_client -connect example.com:443 -showcerts | y509

Reading from a File

y509 path/to/certificate-chain.pem

Controls

The tool uses Vim‑like keybindings.

| Key   | Action                                            |
|-------|---------------------------------------------------|
| j / k | Navigate up and down the certificate list         |
| h / l | Switch between the list pane and the details pane |
| :     | Enter command mode                                |
| q     | Quit application                                  |

Command Mode

Press : to enter command mode. This allows you to perform advanced actions such as validation, searching, and exporting.

Examples

  • Search: search google – finds certs with “google” in CN/SAN/Org.
  • Filter: filter expiring – shows certs expiring within 30 days.
  • Export: export pem output.pem – saves the selected certificate to a file.
  • Validate: validate – runs chain validation logic.
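
To make the expiring filter and the validate step concrete, here is an added Go sketch (not y509's own code) of the checks such a tool runs on piped openssl s_client -showcerts output: pull the PEM blocks out of the surrounding text, label each certificate against the 30-day window, and confirm each certificate is signed by the next one presented. Inspect and SampleChain are hypothetical names, the certificates are constructed throwaway ones, and the link check is only a subset of chain validation (no trust store, hostname or revocation checks).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Inspect labels each certificate found in mixed text by expiry and checks cert i is signed by cert i+1.
func Inspect(data []byte, now time.Time, window time.Duration) (report []string) {
	var chain []*x509.Certificate
	for b, rest := pem.Decode(data); b != nil; b, rest = pem.Decode(rest) { // Decode skips non-PEM chatter
		if c, err := x509.ParseCertificate(b.Bytes); b.Type == "CERTIFICATE" && err == nil {
			chain = append(chain, c) // other block types and unparseable blocks are ignored
		}
	}
	for i, c := range chain {
		status := "valid"
		if now.After(c.NotAfter) {
			status = "expired"
		} else if c.NotAfter.Sub(now) <= window {
			status = "expiring"
		}
		if i+1 < len(chain) && c.CheckSignatureFrom(chain[i+1]) != nil {
			status += ",broken-link" // next cert is not a CA or did not sign this one
		}
		report = append(report, c.Subject.CommonName+": "+status)
	}
	return report
}

// SampleChain builds a constructed (not real) leaf+CA chain, leaf first, with a chatter line before each PEM block.
func SampleChain(now time.Time, leafLeft time.Duration) (out []byte) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // one throwaway key shared by both constructed certs
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed CA"}, NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(5, 0, 0), IsCA: true, BasicConstraintsValid: true}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "leaf.example"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(leafLeft)}
	for _, t := range []*x509.Certificate{leaf, ca} {
		der, _ := x509.CreateCertificate(rand.Reader, t, ca, pub, key)
		out = append(append(out, " s:(constructed chatter)\n"...), pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
	}
	return out
}

func main() { fmt.Println(Inspect(SampleChain(time.Now(), 240*time.Hour), time.Now(), 720*time.Hour)) }
```

To run it on a live endpoint, replace the SampleChain call in main with the bytes read from os.Stdin.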

Tech Stack

The project is built with Go and relies on the Charm libraries:

  • Bubble Tea – a powerful TUI framework based on The Elm Architecture.
  • Lip Gloss – a style definition library for TUIs.

These libraries have become the de‑facto standard for modern CLI tool development in the Go ecosystem.

Conclusion

Building a TUI turned a mundane verification task into something visually interesting. I hope this tool helps you the next time you need to debug a certificate chain!

Give it a try and let me know what you think in the comments. If you find the project useful, a star on GitHub is greatly appreciated.
