SSL Certificate Decoder
Decode a PEM-encoded SSL/TLS (X.509) certificate — read its subject, issuer, validity window, serial number, signature and public-key algorithms, extensions (Subject Alternative Names, key usage, basic constraints) and SHA-256/SHA-1 fingerprints. Parsed entirely in your browser; the certificate is never uploaded.
Input
Paste a single PEM-encoded X.509 certificate. Decoded locally — it is never uploaded.
The instant to check the validity window against. Leave blank to use the current time.
Output
Warnings
| Severity | Message |
|---|---|
| No data yet | |
Subject
| Field | Value |
|---|---|
| No data yet | |
Issuer
| Field | Value |
|---|---|
| No data yet | |
Validity
| Field | Value |
|---|---|
| No data yet | |
Certificate Details
| Property | Value |
|---|---|
| No data yet | |
Extensions
| Extension | Value |
|---|---|
| No data yet | |
Fingerprints
| Algorithm | Fingerprint |
|---|---|
| No data yet | |
Guides
An SSL/TLS certificate is a signed X.509 document whose readable fields — who it was issued to, who issued it, when it expires, what it's valid for — are packed into a binary ASN.1/DER structure, Base64-encoded and framed with -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- markers (the PEM format). This tool decodes that structure directly in your browser and lays out what a developer, sysadmin or security reviewer usually needs: subject and issuer distinguished names, the validity window, serial number, signature and public-key algorithms, X.509 extensions (Subject Alternative Names, key usage, basic constraints, key identifiers), and SHA-256/SHA-1 fingerprints.
How to use it
- Paste a PEM-encoded certificate — the full block including the
BEGIN/ENDmarkers — into the input box. - The decoded fields appear immediately: Subject, Issuer, Validity, Certificate Details, Extensions and Fingerprints, each as its own table.
- A Warnings section flags anything worth a second look: an expired or soon-to-expire certificate, a self-signed certificate (subject equals issuer), a weak RSA key (under 2048 bits), or a certificate signed with SHA-1 or MD5 — both considered cryptographically insecure for new certificates.
- Optionally set a "Reference Time" to check the certificate's validity against a specific instant instead of right now — useful for confirming whether a certificate was valid on a past date, or will still be valid on a future one.
Only a single certificate is decoded at a time; if you're inspecting a full chain, split it into individual -----BEGIN CERTIFICATE----- blocks and decode each one separately.
What gets decoded
- Subject / Issuer — the distinguished name (DN) fields: Common Name, Organization, Organizational Unit, Country, State/Province, Locality, and email address, where present.
- Validity — the Not Before / Not After dates and a plain-language status (valid, expiring soon, expired, or not yet valid).
- Certificate Details — X.509 version, serial number, signature algorithm, public key algorithm (RSA/ECDSA/Ed25519/Ed448) and key size, and whether the certificate is self-signed.
- Extensions — Subject Alternative Names (the DNS names, IP addresses, emails and URIs the certificate covers), Key Usage, Extended Key Usage, Basic Constraints (CA vs. leaf), and other extensions by name.
- Fingerprints — SHA-256 and SHA-1 hashes of the whole DER-encoded certificate, for confirming you have the certificate you think you have.
Privacy
Everything runs client-side: the certificate is parsed entirely in your browser and never uploaded to a server. Certificates are typically public artifacts by design — presented in the clear to any client that connects over TLS — so decoding one here reveals nothing that wasn't already visible during a normal TLS handshake.
Does this verify the certificate is trusted or the signature is valid?
No. This is a decoder, not a validator — it reads and displays the fields encoded in the certificate but does not check the signature against the issuer's public key, verify the chain of trust up to a root CA, or check revocation status (CRL/OCSP). Use it to inspect a certificate's contents, not to establish trust.