X.509 / SSL Certificate Decoder

Paste a PEM-encoded certificate to inspect subject, issuer, validity window, SAN entries, fingerprints, and extensions — everything happens in your browser

Free, privacy-friendly X.509 certificate decoder. Paste any PEM-encoded SSL/TLS certificate to inspect subject, issuer, SAN, validity, SHA-1 and SHA-256 fingerprints, public-key details, and extensions. Parses entirely in your browser — your certificate never leaves your device.

Features

  • Decode PEM-encoded X.509 certificates: subject, issuer, validity, SAN, fingerprints, and full extension set
  • Instant expiry status badge (valid / expiring within 30 days / expired / not yet valid) with days remaining
  • SHA-1 and SHA-256 fingerprints with one-click copy — handy for pinning, certificate transparency lookup, or trust-store comparison
  • Reads RSA modulus length and ECDSA named curve, plus signature algorithm and serial number in colon-separated hex
  • Drag a .pem, .crt, .cer, or .der file into the input zone — nothing is uploaded, all parsing happens locally

How to use

  1. Copy the PEM block from your certificate, including the BEGIN CERTIFICATE and END CERTIFICATE markers, or drag the certificate file onto the input panel.
  2. Paste it into the input on the left. The decoder runs immediately — there is no parse button to click.
  3. Inspect the validity badge, fingerprints, and SAN list on the right. Copy any fingerprint or value to your clipboard for use elsewhere.

Tips and best practices

  • If you paste a certificate and see a parse error, check that the PEM block includes both header and footer lines and that no characters were corrupted by line wrapping or Word auto-formatting.
  • The Subject Key Identifier of a parent CA certificate matches the Authority Key Identifier of the child certificate it issued; that's how chains are wired up.
  • Modern browsers no longer trust certificates with SHA-1 signatures; if you see SHA-1 in the signature algorithm, the certificate will likely be rejected even if it has not expired.
  • EC certificates use a named curve (P-256, P-384) instead of a modulus length; the decoder shows that in the public-key field.
  • For pinning purposes, the SHA-256 of the full certificate is what most pinning libraries use, and this tool gives you that hash directly. It is a hash of the whole certificate, not of the public key alone.

Questions and answers

Is my certificate uploaded anywhere?

No. The decoder runs entirely in your browser using the @peculiar/x509 library and the Web Crypto API. The certificate, its contents, and any private metadata never leave your device. There is no backend involved in parsing.

Which certificate formats are supported?

PEM (the text format with BEGIN CERTIFICATE / END CERTIFICATE markers) is the primary input. The library can also handle DER bytes if you upload a binary .der or .cer file — the decoder will read it and present the same structured view.

How is the SHA-1 / SHA-256 fingerprint computed?

Fingerprints are computed over the entire DER-encoded certificate, not just the public key. SHA-256 is the modern standard for certificate pinning; SHA-1 is shown for legacy compatibility with tools and trust-store comparisons that still display the older hash.

What does Subject Alternative Name (SAN) mean?

The Subject Alternative Name extension lists every host, IP address, or email the certificate is valid for. Modern browsers ignore the Common Name and rely entirely on SAN — so a TLS certificate for example.com almost always lists both example.com and www.example.com (and any other hosts) as DNS SAN entries.

What does 'CA: TRUE' mean in basic constraints?

It marks the certificate as a Certificate Authority: it can sign other certificates. The path-length constraint, when present, caps how many intermediate CAs may appear in a chain below it. A leaf TLS certificate for your website should normally show CA: FALSE.

What's the difference between Key Usage and Extended Key Usage?

Key Usage lists the low-level cryptographic operations the key may perform: Digital Signature, Key Encipherment, Certificate Sign, and so on. Extended Key Usage (EKU) is a higher-level purpose declaration, such as TLS Web Server Authentication or Code Signing. Browsers require an explicit serverAuth EKU on TLS leaf certificates.

Why does my certificate show 'expiring soon'?

The decoder flags any certificate whose 'Not After' date is within 30 days as expiring soon — that's a common threshold for triggering renewal in monitoring systems. If you see this for a production certificate, schedule the renewal now.

Does this support certificate chains?

It decodes a single certificate at a time. If you paste multiple BEGIN/END blocks, only the first one is parsed. To inspect a chain, paste each certificate (leaf, intermediate, root) one at a time and compare Subject Key Identifier / Authority Key Identifier to verify the linking.
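
The fingerprint rule above (a hash over the entire DER encoding) and the PEM paste pitfalls from the tips can be reproduced offline. The following is an added example, not the decoder's own code: it uses Node.js built-in `crypto` instead of @peculiar/x509, and it goes beyond the tool by fingerprinting every BEGIN/END block in a pasted bundle rather than only the first. The function names and the colon-separated upper-case output format are assumptions, and the sample bytes are constructed placeholders, not real certificates.

```javascript
const { createHash } = require("node:crypto");

const PEM_BLOCK = /-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/g;

// Return the DER bytes of every CERTIFICATE block, in the order pasted.
function pemToDerList(text) {
  const ders = [];
  for (const match of text.matchAll(PEM_BLOCK)) {
    // Line wrapping and CRLF are harmless: strip all whitespace first.
    const body = match[1].replace(/\s+/g, "");
    // Anything else outside the base64 alphabet means the paste was corrupted.
    if (body.length === 0 || body.length % 4 !== 0 ||
        !/^[A-Za-z0-9+/]+={0,2}$/.test(body)) {
      throw new Error(`corrupted base64 in certificate block ${ders.length + 1}`);
    }
    ders.push(Buffer.from(body, "base64"));
  }
  if (ders.length === 0) throw new Error("no BEGIN/END CERTIFICATE block found");
  return ders;
}

// Hash the whole DER encoding; colon-separated upper-case hex is an assumed
// display format.
function fingerprint(der, algorithm) {
  const hex = createHash(algorithm).update(der).digest("hex").toUpperCase();
  return hex.match(/../g).join(":");
}

// One entry per block, so leaf / intermediate / root can be told apart.
function describeBundle(text) {
  return pemToDerList(text).map((der, index) => ({
    index, derLength: der.length,
    sha1: fingerprint(der, "sha1"),
    sha256: fingerprint(der, "sha256"),
  }));
}

// Helper for the demo: wrap DER bytes as PEM at a chosen line width.
function toPem(der, width = 64) {
  const lines = der.toString("base64").match(new RegExp(`.{1,${width}}`, "g"));
  return ["-----BEGIN CERTIFICATE-----", ...lines, "-----END CERTIFICATE-----"].join("\n");
}

// Constructed placeholder bytes, NOT real certificates: the fingerprint is a
// hash of whatever DER bytes a block carries, so they suffice for the demo.
const SAMPLE_A = Buffer.from("constructed placeholder bytes A, not a real certificate");
const SAMPLE_B = Buffer.from("constructed placeholder bytes B, not a real certificate");
const BUNDLE = toPem(SAMPLE_A) + "\n" + toPem(SAMPLE_B, 16);
console.log(describeBundle(BUNDLE));
```

Because whitespace is stripped before decoding, the same certificate wrapped at a different line width or saved with CRLF line endings yields the same fingerprint, while a stray character inside the base64 body is reported as an error.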