Skip to main content

SSL Certificate Decoder

Decode a PEM-encoded SSL/TLS (X.509) certificate — read its subject, issuer, validity window, serial number, signature and public-key algorithms, extensions (Subject Alternative Names, key usage, basic constraints) and SHA-256/SHA-1 fingerprints. Parsed entirely in your browser; the certificate is never uploaded.

Input

Paste a single PEM-encoded X.509 certificate. Decoded locally — it is never uploaded.

The instant to check the validity window against. Leave blank to use the current time.

Output

Warnings

Result
SeverityMessage
No data yet

Subject

Result
FieldValue
No data yet

Issuer

Result
FieldValue
No data yet

Validity

Result
FieldValue
No data yet

Certificate Details

Result
PropertyValue
No data yet

Extensions

Result
ExtensionValue
No data yet

Fingerprints

Result
AlgorithmFingerprint
No data yet
Was this helpful?

Guides

An SSL/TLS certificate is a signed X.509 document whose readable fields — who it was issued to, who issued it, when it expires, what it's valid for — are packed into a binary ASN.1/DER structure, Base64-encoded and framed with -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- markers (the PEM format). This tool decodes that structure directly in your browser and lays out what a developer, sysadmin or security reviewer usually needs: subject and issuer distinguished names, the validity window, serial number, signature and public-key algorithms, X.509 extensions (Subject Alternative Names, key usage, basic constraints, key identifiers), and SHA-256/SHA-1 fingerprints.

How to use it

  1. Paste a PEM-encoded certificate — the full block including the BEGIN/END markers — into the input box.
  2. The decoded fields appear immediately: Subject, Issuer, Validity, Certificate Details, Extensions and Fingerprints, each as its own table.
  3. A Warnings section flags anything worth a second look: an expired or soon-to-expire certificate, a self-signed certificate (subject equals issuer), a weak RSA key (under 2048 bits), or a certificate signed with SHA-1 or MD5 — both considered cryptographically insecure for new certificates.
  4. Optionally set a "Reference Time" to check the certificate's validity against a specific instant instead of right now — useful for confirming whether a certificate was valid on a past date, or will still be valid on a future one.

Only a single certificate is decoded at a time; if you're inspecting a full chain, split it into individual -----BEGIN CERTIFICATE----- blocks and decode each one separately.

What gets decoded

  • Subject / Issuer — the distinguished name (DN) fields: Common Name, Organization, Organizational Unit, Country, State/Province, Locality, and email address, where present.
  • Validity — the Not Before / Not After dates and a plain-language status (valid, expiring soon, expired, or not yet valid).
  • Certificate Details — X.509 version, serial number, signature algorithm, public key algorithm (RSA/ECDSA/Ed25519/Ed448) and key size, and whether the certificate is self-signed.
  • Extensions — Subject Alternative Names (the DNS names, IP addresses, emails and URIs the certificate covers), Key Usage, Extended Key Usage, Basic Constraints (CA vs. leaf), and other extensions by name.
  • Fingerprints — SHA-256 and SHA-1 hashes of the whole DER-encoded certificate, for confirming you have the certificate you think you have.

Privacy

Everything runs client-side: the certificate is parsed entirely in your browser and never uploaded to a server. Certificates are typically public artifacts by design — presented in the clear to any client that connects over TLS — so decoding one here reveals nothing that wasn't already visible during a normal TLS handshake.

Does this verify the certificate is trusted or the signature is valid?

No. This is a decoder, not a validator — it reads and displays the fields encoded in the certificate but does not check the signature against the issuer's public key, verify the chain of trust up to a root CA, or check revocation status (CRL/OCSP). Use it to inspect a certificate's contents, not to establish trust.

ssltlscertificatex509pemdecoderfingerprintsansecurity

Love the tools? Lose the ads.

One payment clears every ad from your account, for good. No subscription, no tracking.