// identify and inspect PEM blocks instantly
Identify PEM block types and extract certificate or key metadata instantly. No upload, fully browser-based, private and free.
Awaiting PEM input
Paste your PEM data and click InspectCopy the full PEM content — including the -----BEGIN...----- and -----END...----- markers — into the input box. Multiple blocks are supported.
Hit the Inspect PEM button. The tool identifies each block type and extracts relevant metadata for certificates and CSRs.
Each block is displayed with its category, key details, expiry status, and any security warnings. Copy results as needed.
PEM (Privacy Enhanced Mail) is a Base64-encoded format used to store cryptographic objects — certificates, keys, CSRs, and more. This tool parses PEM blocks, identifies their type, and surfaces useful metadata without ever sending your data to a server. All processing is fully server-side PHP using OpenSSL, and private key content is never returned or logged.
Certificates and CSRs are public by nature — safe to inspect anywhere. For private keys, the tool will display a warning and never returns the key material itself. That said, as a best practice, avoid pasting production private keys into any online tool. Use this for non-sensitive or test keys.
The tool recognizes all standard PEM types: CERTIFICATE, CERTIFICATE REQUEST, RSA/EC/DSA PRIVATE KEY, PRIVATE KEY, ENCRYPTED PRIVATE KEY, PUBLIC KEY, RSA PUBLIC KEY, DH PARAMETERS, CRL, PKCS7, and OPENSSH PRIVATE KEY. X.509 metadata is extracted for certificates and CSRs specifically.
Yes. Paste a full certificate chain or any PEM file containing multiple blocks — the tool will parse and display each block separately with its own metadata panel.
PEM (Privacy Enhanced Mail) is a container format that encodes binary DER data in Base64, wrapped with -----BEGIN TYPE----- and -----END TYPE----- markers. It's the most common format for TLS certificates, SSH keys, and code-signing certificates.
This can happen with certificates using non-standard extensions, very old formats, or DER-encoded certificates that haven't been converted to Base64. Try converting with openssl x509 -inform DER -in cert.crt -out cert.pem first.
Paste your certificate into the input box and click Inspect. The results will show the "Valid To" date and automatically flag expired or soon-to-expire certificates with a clear warning label.
A PEM Inspector is a tool that reads PEM-formatted cryptographic data and identifies what type of object each block represents — whether that's an X.509 certificate, a certificate signing request (CSR), a public key, a private key, or other cryptographic materials. Beyond type identification, a proper PEM inspector extracts the metadata embedded within each block so you can understand its contents without needing to run command-line tools like OpenSSL.
This PEM Inspector runs entirely server-side using PHP's OpenSSL extension, meaning you get accurate, real metadata extraction — not just superficial pattern matching. Certificate details like subject, issuer, serial number, SANs, key usage, and expiry dates are all surfaced in a clear, readable format.
💡 Looking for premium web development assets? MonsterONE offers unlimited downloads of templates, UI kits, and assets — worth checking out.
PEM stands for Privacy Enhanced Mail — a somewhat misleading name for a format that has far outlived its email origins. Today, PEM is the de facto standard encoding for SSL/TLS certificates, RSA and EC private keys, certificate signing requests, and various other cryptographic objects used across the web infrastructure.
At its core, a PEM file is simply binary DER (Distinguished Encoding Rules) data encoded in Base64 and wrapped in ASCII header and footer lines:
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJ...base64 data...
-----END CERTIFICATE-----The text between BEGIN and END tells you the type of the encoded object. This is the first thing a PEM inspector checks — the block type header — before attempting any deeper parsing.
CERTIFICATE — An X.509 certificate, typically an SSL/TLS certificate, intermediate CA certificate, or root CA certificate. Contains the public key plus identity information and is signed by a certificate authority.
CERTIFICATE REQUEST — Also called a CSR (Certificate Signing Request). Generated by a server admin and submitted to a CA to obtain a signed certificate. Contains the subject's public key and distinguished name.
PRIVATE KEY and RSA PRIVATE KEY — The private half of an asymmetric key pair. PKCS#8 format ("PRIVATE KEY") and PKCS#1 format ("RSA PRIVATE KEY") are both common. These should be kept secret at all times.
PUBLIC KEY — The public half of an asymmetric key pair. Safe to distribute. Typically in PKCS#8 SubjectPublicKeyInfo format.
EC PRIVATE KEY — An Elliptic Curve private key in SEC1/PKCS#1 format, commonly used for ECDSA and ECDH operations.
ENCRYPTED PRIVATE KEY — A password-protected private key in PKCS#8 EncryptedPrivateKeyInfo format. Cannot be fully parsed without the password.
DH PARAMETERS — Diffie-Hellman parameters used in key exchange. The "-----BEGIN DH PARAMETERS-----" block contains the prime and generator values for DH negotiation.
CRL — A Certificate Revocation List. Published by CAs to list certificates that have been revoked before their expiry.
X.509 certificates contain a rich set of fields that define the identity and constraints of the certificate. When you inspect a certificate with this tool, here's what each field means:
Subject — The entity the certificate was issued to. For SSL/TLS certificates, the CN (Common Name) typically contains the primary domain. The O (Organization) and C (Country) fields provide additional identity context.
Issuer — The CA (Certificate Authority) that signed the certificate. If Subject and Issuer are identical, the certificate is self-signed — common for development environments and root CAs, but not suitable for public-facing HTTPS.
Subject Alternative Names (SANs) — Modern browsers require this extension. It lists all domain names and IP addresses the certificate is valid for. The CN field alone is no longer trusted by most browsers.
Key Usage and Extended Key Usage — These extensions define what the certificate's key can be used for. A server certificate typically has "Digital Signature" in Key Usage and "TLS Web Server Authentication" in Extended Key Usage. Code signing certificates have different values.
Serial Number — A unique identifier assigned by the CA. Used for revocation tracking.
Validity Period — The Valid From and Valid To dates define the certificate's lifetime. Modern SSL/TLS certificates are limited to 398 days (about 13 months) by browser policies.
You can create a self-signed certificate for development or testing purposes using OpenSSL's command-line tools:
# Generate a private key and self-signed certificate
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes \
-subj "/CN=localhost/O=Test/C=US"The resulting cert.pem file can be pasted directly into this PEM Inspector to verify its contents before deploying it to your development environment.
To generate a CSR for a production certificate, use:
# Generate private key and CSR
openssl req -newkey rsa:2048 -keyout private.key -out request.csr -nodes \
-subj "/CN=example.com/O=YourOrg/C=US"Cryptographic objects can be stored in multiple container formats. PEM is the Base64 text encoding of DER binary data. DER (Distinguished Encoding Rules) is the raw binary form — the same data, just not Base64-encoded. DER files typically use .der or .cer extensions and cannot be opened in a text editor meaningfully.
PFX or P12 (PKCS#12) is a different format entirely — it bundles a certificate, intermediate chain, and private key into a single encrypted archive. This format is common on Windows systems and in Java keystores. To inspect a PFX file with this tool, you'd first need to export its contents to PEM using: openssl pkcs12 -in file.p12 -out file.pem -nodes.
Certificates and public keys are designed to be public — you can safely paste them into any tool, share them openly, or include them in your codebase. The private key is a different matter. A private key must be kept secret; anyone with access to it can impersonate your server or decrypt communications.
When you paste a private key into this PEM Inspector, the tool detects it, displays a security warning, and reports metadata about it (key type, bit length) without ever returning the key data itself in the response. For maximum security with production private keys, use OpenSSL locally: openssl rsa -in key.pem -text -noout.
Certificate files served publicly via HTTPS (like those returned in a TLS handshake) are inherently public and can be freely inspected. Tools like openssl s_client -connect example.com:443 will show you exactly what a server is presenting to clients.