y509: A terminal user interface (TUI) tool for viewing and analyzing X.509 certificate chains

Introduction

Have you ever found yourself squinting at the terminal, trying to decipher the output of openssl s_client -connect ... -showcerts?

It works, but scrolling through walls of text to find an issuer or an expiration date isn't exactly a great developer experience.

"I wanted to check certificate chains more intuitively, interactively, and—most importantly—in style."

With that in mind, I built y509, a TUI tool written in Go using Bubble Tea.

Links

• GitHub Repository: kanywst/y509

---

What is y509?

y509 is a Terminal User Interface (TUI) tool designed for viewing and analyzing X.509 certificate chains.

As for the name "y509"—it was chosen somewhat arbitrarily, clearly influenced by "X.509" (and maybe because Y comes after X?).

Key Features:

• Performance First: Powered by a custom viewport rendering engine. Handles thousands of certificates smoothly with O(n) complexity.
• Popup UI: Intuitive modal-driven search and filtering. No more complex command-line flags for basic tasks.
• Chain Validation: Comprehensive validation with detailed error reporting. Automatically detects trust anchors.
• Search & Filter: Instant search across Subject, Issuer, and SANs (DNS names); filter by status (expired, expiring, valid, self-signed).
• Export Functionality: Easily export specific certificates from the chain in PEM or DER format.
• Themeable: Fully customizable colors via YAML. Ships with a beautiful "Catppuccin" inspired default.
• 🏁 Zebra Striping: Clean, alternating row colors for perfect readability in long lists.

Motivation

1. I wanted to build a TUI tool

After using tools like k9s, I realized how awesome TUIs can be. The ability to have a rich, interactive experience without ever leaving the terminal fascinated me. I wanted to try building one myself using modern libraries.

2. Checking certificate chains is tedious

Using the openssl command to view a certificate chain is a hassle. Even using slightly more modern tools like step (smallstep) CLI, while better, is often just text output. It lacks interactivity and frankly, it's boring.

Since checking certificate chains isn't inherently exciting work, I wanted to create a tool that allows me to check them quickly and visually, making the process a little more enjoyable.

Installation

macOS (via Homebrew)

If you are on macOS, you can install it easily via Homebrew:

brew tap kanywst/y509 https://github.com/kanywst/y509
brew install y509

Go Install

Alternatively, you can install it using Go:

go install github.com/kanywst/y509@latest

Usage

y509 supports reading from local files as well as reading directly from standard input (stdin).

The Killer Feature: Piping from OpenSSL

This is my favorite way to use it. You can grab a chain from a live website and analyze it instantly without creating temporary files:

openssl s_client -connect example.com:443 -showcerts | y509

Reading from a file

Of course, you can also read existing files:

y509 path/to/certificate-chain.pem

Controls

The tool uses Vim-like keybindings, so if you are used to Vim, you'll feel right at home.

Key	Action
k / ↑	Navigate up / Scroll list
j / ↓	Navigate down / Scroll list
h / ←	Switch to Certificate List
l / →	Switch to Details Pane
tab	Cycle through Details Tabs (Subject, Issuer, etc.)
/	Search popup
f	Filter popup (expired, expiring, valid, self-signed)
v	Validate selected certificate
e	Export selected certificate to file
?	Toggle Help view
q	Quit application

Popup UI

Instead of complex command-line flags or a traditional command mode, y509 uses intuitive modal popups for advanced actions.

• Search (/): Instantly find certificates by common name, organization, or DNS names.
• Filter (f): Narrow down the list to only show expired, expiring, valid, or self-signed certificates.
• Export (e): Save the currently selected certificate to a file. Just type the filename (e.g., cert.pem) and hit Enter.
• Validation (v): Trigger deep validation logic for the selected certificate within the context of the entire loaded pool.

---

Configuration

y509 is fully themeable via a YAML configuration file. By default, it looks for a config file at ~/.y509.yaml.

You can customize almost every aspect of the UI colors:

theme:
  text: "252"
  border: "240"
  border_focus: "62"
  status_bar: "62"
  status_bar_text: "230"
  highlight: "62"
  highlight_text: "230"
  highlight_dim: "238"
  list_row_alt: "235" # Zebra striping color
  status_valid: "40"
  status_warning: "220"
  status_expired: "196"
  title: "aqua"

Tech Stack

This project is built with Go and stands on the shoulders of giants:

• Bubble Tea: A powerful TUI framework based on The Elm Architecture.
• Lip Gloss: A style definition library for TUIs.

In the Go ecosystem, the Charm libraries (Bubble Tea, Lip Gloss, etc.) are becoming the de facto standard for modern CLI tool development. They provided an excellent developer experience.

---

Conclusion

Building a TUI turned a mundane verification task into something visually interesting. I hope this tool helps you the next time you need to debug a certificate chain!

Please give it a try and let me know what you think in the comments. If you find the project useful, I would really appreciate a star on GitHub!