SSL Certificate Decoder for X.509 PEM Certificates
This SSL certificate decoder parses PEM-encoded X.509 certificates right in your browser and lays out everything inside them — subject and issuer details, validity dates, public key, fingerprints, and extensions. Paste a certificate or drop a file and read it in plain language instead of squinting at raw Base64.
It is built for anyone who works with TLS: developers debugging an SSL handshake, sysadmins checking when a certificate expires, and security engineers auditing key sizes, signature algorithms, and Subject Alternative Names. Paste a full chain and switch between each certificate with tabs.
How to Decode a Certificate
Add your certificate
Paste a PEM certificate — including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines — into the input. You can also click Upload File to load a .pem, .crt, or .cer file, or drag and drop the file onto the input.
Decode
Click Decode or press Ctrl+Enter (Cmd+Enter on Mac). Uploaded and dropped files decode automatically. No certificate handy? Click Sample to load the ISRG Root X1 certificate.
Read the results
Results are grouped into Identity, Validity, Public Key, Fingerprints, and Extensions, with badges for the certificate type and validity status. Click a section header to collapse or expand it, and use the copy buttons next to fingerprints and the serial number.
Walk the chain
Paste an end-entity, intermediate, and root certificate together and tabs appear at the top. Each tab is labelled with the certificate's Common Name so you can step through the whole chain.
Features
Full X.509 Parsing
Extracts every standard field — subject, issuer, serial number, version, signature algorithm, and validity period — from PEM-encoded certificates.
Subject & Issuer Details
Reads the full distinguished name — CN, O, OU, C, and more — for both the certificate holder and the issuing authority.
Validity & Expiration
Shows Not Before and Not After dates with total duration, plus a colour-coded badge for valid, expiring soon, expired, or not yet valid.
Public Key Info
Identifies RSA, EC, and Ed25519 keys, reporting key size in bits or the named curve along with the signature algorithm.
SHA-256 & SHA-1 Fingerprints
Computes both fingerprints with the Web Crypto API in colon-separated hex, each with a one-click copy button.
Extension Analysis
Decodes SAN, Key Usage, Extended Key Usage, Basic Constraints, key identifiers, CRL and OCSP URLs, and certificate policies.
Certificate Type Detection
Flags CA, self-signed, and wildcard certificates and reads DV, OV, or EV validation levels from the certificate policies.
Certificate Chain Support
Paste a whole chain and navigate every certificate through tabs labelled by Common Name.
Multiple Input Methods
Paste PEM text, upload a .pem/.crt/.cer file, or drag and drop. Raw Base64 without PEM headers is accepted too.
100% Client-Side
All decoding runs locally in your browser — no uploads, no tracking, and no server processing of your certificate.
Frequently Asked Questions
What does an SSL certificate decoder show?
It breaks a certificate down into its human-readable parts: the subject (who the certificate is for) and issuer (who signed it), the validity period and expiration status, the public key type and size, the SHA-256 and SHA-1 fingerprints, the serial number, and all the extensions such as Subject Alternative Names, Key Usage, and Basic Constraints.
How do I decode a PEM certificate?
Paste the certificate — keeping the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers — into the input and click Decode or press Ctrl+Enter. You can also upload a .pem, .crt, or .cer file or drag it onto the input, and a raw Base64 certificate without the PEM headers works as well.
Can I decode a certificate chain?
Yes. Paste several PEM certificates — the end-entity, intermediate, and root — into the input at once. Each one is parsed separately and tabs appear at the top so you can switch between them. Every tab is labelled with the certificate's Common Name for easy identification.
How do I read Subject Alternative Names (SAN)?
After decoding, open the Extensions section. Subject Alternative Names are listed there, including DNS names, IP addresses, email addresses, and URIs. SAN is what actually defines which hostnames a certificate covers, so this is the first place to check when troubleshooting a domain mismatch.
What do the certificate type badges mean?
CA means the Basic Constraints CA flag is TRUE, so the certificate can sign others. Self-Signed means the subject and issuer are identical. Wildcard means the Common Name or a SAN entry starts with *. and covers all subdomains. DV, OV, and EV are the Domain, Organization, and Extended Validation levels, read from the certificate policies.
What file types can I upload?
Files with .pem, .crt, .cer, .cert, or .txt extensions that contain PEM-encoded certificate text. Binary DER-encoded files are not supported — convert them to PEM first if you need to inspect them here.
Is decoding my certificate safe?
Yes. Every step happens locally in your browser with JavaScript and the built-in Web Crypto API, and the fingerprints are computed on your device. Your certificate is never sent to any server. You can confirm this by watching the network tab in your browser's developer tools while you decode.
No comments yet. Be the first to comment!