SSL Certificate Decoder

Decode PEM certificates online. View subject, issuer, validity dates, and key details. 100% client side.

About Certificate Decoding

PEM certificates are Base64-encoded X.509 certificates wrapped in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers. This tool extracts and displays the certificate details.

Related Tools

Decode PEM Certificates Online

View subject, issuer, validity dates, SANs, serial number, and key info. 100% client side.

Reading X.509 Certificates Without Touching the Server

Every TLS handshake on the internet relies on X.509 certificates, but reading one is rarely straightforward — the format is ASN.1 wrapped in DER and then base64-encoded as PEM. When you need to know what's actually inside a cert (subject, SANs, issuer, validity, key usage, fingerprint), this decoder gives you a structured view in seconds.

What an X.509 certificate contains

  • Subject — who the cert was issued to (CN, O, OU, location fields).
  • Issuer — the CA that signed the cert.
  • Validity period — Not Before / Not After timestamps.
  • Public key — algorithm (RSA / ECDSA / Ed25519) and key size.
  • Subject Alternative Names (SANs) — the canonical list of hostnames the cert is valid for. Modern browsers ignore the CN entirely.
  • Extensions — Key Usage, Extended Key Usage, AIA, CRL Distribution Points, basic constraints.
  • Signature algorithm + value — how the issuer signed everything above.

When you need a decoder

Anyone running production TLS will hit the same scenarios repeatedly: a certificate renewal that doesn't include all the expected SANs, a cross-signed intermediate that's missing from the chain, a load balancer presenting an expired or wrong cert, or a client failing to validate a server cert because the client doesn't trust the issuer. Decoding the offending cert is always step one of the diagnostic.

SecOps engineers use cert decoders during audits to verify CA pinning rules, check for SHA-1 signatures (still surfaced occasionally in legacy systems), and inspect mTLS client certs presented during onboarding. Compliance reviews often require listing every certificate's expiry date, key length, and signature algorithm — a task this tool reduces to copy-paste.

PEM, DER, PKCS#7, PKCS#12 — which format do I have?

  • PEM (-----BEGIN CERTIFICATE----- headers, base64 body): paste directly.
  • DER (binary): convert to PEM with openssl x509 -inform der -in cert.der -out cert.pem first.
  • PKCS#7 (.p7b, .p7c): a chain bundle, often used by Microsoft tools. Extract individual certs with openssl pkcs7 -in chain.p7b -print_certs.
  • PKCS#12 (.pfx, .p12): an encrypted bundle of cert + key. Decrypt with openssl pkcs12 -in keystore.pfx -nokeys -out cert.pem.

Common decoder pitfalls

  • Pasting the chain instead of just the leaf. Fine — but make sure you're inspecting the right block.
  • Trailing whitespace. Some terminals add invisible characters that break the base64 decode. Strip and re-paste.
  • Wrong block headers. A private key starts with -----BEGIN PRIVATE KEY-----, not -----BEGIN CERTIFICATE-----; decoders will refuse non-cert blocks.

This decoder runs entirely in your browser. Pasted certs never leave your machine — important when you're inspecting a private internal CA or a freshly issued production cert.

Frequently Asked Questions

Does the cert decoder support EC and Ed25519 keys?

Yes — RSA, ECDSA (P-256/P-384/P-521), and Ed25519 are all parsed correctly. The public-key algorithm and curve appear in the decoded output.

Can I decode the entire chain at once?

Paste the full PEM chain and the decoder will surface each certificate in order, leaf first.

How do I check what a remote server is presenting?

Run "openssl s_client -connect host:443 -servername host -showcerts" then paste the captured PEM blocks here.

Are certificates uploaded to your server?

No — parsing happens in JavaScript locally. Nothing is sent over the network.