CLM Sidekick

Investigation

Describe the connection

Target FQDN or URL Port

Start with just a target

Several tools work without uploading a certificate.

Client profile Expected certificate material

Upload certificates .pem, .crt, .cer, or .txt

Uploaded public key to check

Field capture commands

Outcome

Readable diagnosis

Waiting

Add a certificate chain and run the analyzer. The console will explain who signed whom, what the client is likely to trust, and where the connection can fail.

certificates

issues

chain depth

The trust graph will appear here.

Server platform

Client validator Newer root is present in the IIS/server certificate store Older root is present in the IIS/server certificate store Client trusts newer root Client trusts older root Older root is expired/distrusted for this client

Run a scenario

Root store profile Paste root store PEM bundle

Upload root store .pem, .crt, .cer, .txt, or bundle exports

Waiting

Deployment planning workflow

Capture the live server chain with SNI.
Upload the target client root store.
Confirm the terminating root fingerprint, not just the root name.
Simulate planned root additions/removals before touching production.
Retest strict clients that do not fetch missing intermediates.

Certificate Transparency

CT Monitor Builder

No cert needed

Watch scope Ingestion strategy Alert posture

Quick CT search

Search public CT issuance with Cert Spotter's indexed CT Search API, then review the same findings against your approved issuer and watch-scope rules.

Approved issuers or CAs Expected renewal window

Optional CT evidence or watchlist

Build a Certificate Transparency watch plan, source map, risk review, and Cloudflare ingestion blueprint.

Live DNS

Resolver Diff

No cert needed

Record type

Compare Cloudflare standard, malware-filtered, and family-filtered DNS answers.

Addressing

IPv4 Subnet Planner

No cert needed

CIDR Needed hosts

Plan usable ranges, masks, wildcard masks, and right-sized prefixes.

Firewall

Path Test Builder

No cert needed

Source Ports

Generate Windows, Linux, and curl commands for firewall evidence capture.

Performance

MTU / MSS Planner

No cert needed

Base MTU Overlay overhead IP version

Calculate safe tunnel MTU, TCP MSS, and ping payload tests.

TLS Evidence

Handshake Command Center

No cert needed

Uses the shared target for host, SNI, and port.

Generate OpenSSL, curl, PowerShell, and chain extraction commands.

SSL/TLS Configuration

TLS Configuration Studio

No cert needed

Policy profile Server target Compatibility goal

Server version Crypto runtime Certificate path

Enable HTTPS redirect and HSTS Enable OCSP stapling where supported Apply NIST-style strict review Include PQC readiness guidance

Optional scan output

Generate a source-backed SSL/TLS configuration, cipher policy, validation plan, and drift findings.

Enrollment

CSR Validation Playground

CSR required

CSR PEM

Paste a CSR to validate SAN coverage, enrollment fields, and likely CA rejection causes.

ACME

EAB Registration Planner

No cert needed

ACME directory URL EAB key identifier EAB HMAC key Domains

Build a safe ACME/EAB enrollment checklist and command template.

Status

Revocation Evidence Builder

Target only

Uses the shared target and uploaded chain to generate OCSP, CRL, AIA, and Windows CAPI2 evidence commands.

Generate commands for OCSP/CRL/AIA and Windows event-log evidence.

Troubleshooting

Error Explainer

No cert needed

Error text or log snippet

Paste a cryptic error and get the most likely cause, next command, and remediation owner.

User Guide

Learn, test, and explain trust decisions

CLM Sidekick is built for the admin who has ten minutes, one hostname, and a mystery failure. Start with the shared target, run the tools that need no certificate, then add evidence only when the question becomes about a specific chain, root store, CSR, or public key.

Quick path

Enter the target once.
Run no-cert checks.
Simulate the server and client.
Upload evidence when chain logic matters.

No certificate needed

Start here when you only know the FQDN

These tools build useful evidence from the shared target, DNS, ports, expected clients, and known platform behavior. They are safe first moves during an outage because they do not require exporting private data or finding the certificate owner.

Resolver Diff compares public DNS answers across Cloudflare resolver profiles.
Path Simulator models IIS, Nginx, Apache, browser, Android, OpenSSL, and strict API behavior.
Path Test Builder, MTU/MSS Planner, and TLS Command Center generate copy-ready commands.
TLS Configuration Studio converts modern/intermediate policy into server-specific config, cipher posture, and drift checks.
CT Monitor Builder creates a Certificate Transparency watch plan and Cloudflare ingestion blueprint.
EAB Planner, Revocation Builder, and Error Explainer turn enrollment and status issues into checklists.

Evidence required

Use uploads when the exact trust path matters

Certificate and root-store uploads let the app compare fingerprints, issuer links, validity, SAN coverage, and public-key continuity. This is where cross-certificates, missing intermediates, same-name roots, and client trust-store differences become visible.

Trust Map requires the presented certificate chain.
Root Store Lab requires a mapped chain plus a root bundle from the target client platform.
CSR Validation requires a CSR before enrollment.
Public Key Match requires a public key and certificate chain.

Learning mode

What the app is teaching while it troubleshoots

Every result is meant to explain the logic, not just the verdict. Simple mode gives a plain-language story for operators and help desk handoffs. Technical mode shows the chain-building reasoning an engineer needs for change records and remediation.

A chain is trusted because a client can build from leaf to a trusted root fingerprint.
Server type changes what chain is presented. IIS can build from Windows stores; Nginx and Apache usually follow configured chain files.
Client type changes validation. Browsers may recover missing intermediates; strict API clients often will not.
Root names are not enough. Fingerprints and keys decide whether two roots are truly the same trust anchor.

Technical overview

How the current beta works

This beta runs as a static browser app on Cloudflare Pages. Certificate parsing, root-store comparison, CSR review, command generation, and simulations happen locally in the browser. Live DNS checks use DNS-over-HTTPS endpoints, while live TLS certificate capture still requires OpenSSL or another field command because browsers do not expose arbitrary remote certificate chains to JavaScript.

Simple and Technical modes change diagnostic wording without changing the evidence.
The Owner Console keeps billable Cloudflare features disabled by default for beta safety.
Future Workers, R2, Workflows, and Workers AI features should stay behind owner-controlled switches.
The safest troubleshooting pattern is target first, no-cert tools second, uploaded evidence third.

Tool Requirements

Pick the right tool with the evidence you already have

Target only

Resolver Diff, Path Simulator, Firewall Path Tests, MTU/MSS Planner, TLS Command Center, TLS Configuration Studio, CT Monitor Builder, EAB Planner, Revocation Evidence Builder, Error Explainer.

CT evidence

CT Monitor Builder can parse pasted CT JSON, CertStream-style messages, certificate subjects/SANs, issuer names, or domain watchlists to flag suspicious issuance.

Scanner output

TLS Configuration Studio can optionally parse nmap, testssl.sh, SSL Labs, OpenSSL, or server config text to flag weak protocols, cipher drift, and runtime readiness issues.

Certificate chain

Trust Map, client profile matrix, hostname/SAN checks, expiration checks, public-key match, and root-store path testing.

Root store bundle

Microsoft, Mozilla, Apple, Android, or custom enterprise root-store testing by SPKI fingerprint.

CSR

Enrollment readiness checks for subject, SANs, key algorithm, requested usages, and likely CA rejection causes.

Learning Items

Core ideas this tool helps users understand

Chain of trust

A server certificate does not stand alone. The client must connect it through one or more intermediates to a root it already trusts.

Cross-certificate traps

Two possible paths can exist at the same time. Older clients or server stores may choose a legacy path unless the unwanted path is pruned or the served chain is explicit.

Root-store reality

Microsoft, Mozilla, Apple, Android, Java, and appliance stores can disagree. Planning by platform prevents surprises after rollout.

Network versus PKI

DNS, firewall, proxy, MTU, OCSP, CRL, and AIA failures can look like certificate failures. The no-cert tools help separate transport symptoms from trust symptoms.

Cipher policy drift

A certificate can be valid while the handshake still fails because the client and server share no allowed cipher. Cipher testing proves protocol compatibility separately from trust.

Certificate Transparency

CT logs reveal publicly trusted certificate issuance. Monitoring them helps detect rogue, mistaken, shadow IT, or forgotten certificates before users report trust failures.

CLM Sidekick

Describe the connection

Field capture commands

Readable diagnosis

Deployment planning workflow

CT Monitor Builder

Resolver Diff

IPv4 Subnet Planner

Path Test Builder

MTU / MSS Planner

Handshake Command Center

TLS Configuration Studio

CSR Validation Playground

EAB Registration Planner

Revocation Evidence Builder

Error Explainer

Learn, test, and explain trust decisions

Start here when you only know the FQDN

Use uploads when the exact trust path matters

What the app is teaching while it troubleshoots

How the current beta works

Pick the right tool with the evidence you already have

Core ideas this tool helps users understand

Chain of trust

Cross-certificate traps

Root-store reality

Network versus PKI

Cipher policy drift

Certificate Transparency

Beta control center

Usage monitor

Billable feature switches

User management

Beta launch posture