// decode X.509 certificates and inspect every field
Decode SSL/TLS X.509 certificates from PEM format instantly. View subject, issuer, SANs, validity dates, public key, fingerprints, and extensions. Browser-based, free, no signup.
BEGIN/END headersopenssl x509 -in cert.pem -textDecoded certificate fields appear here
Paste a PEM certificate on the left and click DecodeCopy a PEM certificate from your server, browser, or run openssl x509 -in cert.pem -text. Include the full -----BEGIN CERTIFICATE----- header and footer.
Paste the certificate (or an entire chain) into the input and click Decode. Multiple certificates in a chain are parsed and shown in separate tabs.
View the validity status, subject and issuer distinguished names, Subject Alternative Names, public key info, key usages, and SHA-1/SHA-256 fingerprints.
An X.509 certificate is an ASN.1-encoded data structure containing a public key, identity information, validity dates, and a CA signature. PEM format is the Base64-encoded DER representation bookended by -----BEGIN CERTIFICATE----- headers. This tool decodes the PEM, parses the ASN.1 structure, and presents every field in a readable format — all in your browser using the Web Crypto API.
Yes. X.509 certificates contain only public information — the public key, domain names, issuer, and validity dates. There is no sensitive data in a certificate that could be exploited if it were intercepted. Additionally, all parsing happens entirely in your browser with no server upload. The certificate is processed by JavaScript running locally on your device.
Subject Alternative Names (SANs) are the list of domain names, IP addresses, and other identifiers that a certificate is valid for. Modern browsers require that certificates use SANs (rather than the deprecated Common Name field) to match domains. A wildcard SAN like *.example.com covers all single-level subdomains. The SAN list is the authoritative source for what domains a certificate protects.
DER (Distinguished Encoding Rules) is the binary ASN.1 serialization of the certificate. PEM (Privacy Enhanced Mail) is the same binary data encoded as Base64 and wrapped with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- headers. PEM is the most common format for file-based certificates. This tool accepts PEM format — if you have a DER (.der, .cer) file, convert it first with openssl x509 -inform der -in cert.der -out cert.pem.
A certificate chain (or trust chain) consists of multiple certificates: the end-entity certificate (your domain's cert), one or more intermediate CA certificates, and the root CA certificate. Browsers verify the chain from your certificate up to a trusted root. Paste the full chain (end-entity first, then intermediates) to see each certificate parsed separately in tabs. This helps debug chain-of-trust issues.
A fingerprint is the SHA-1 or SHA-256 hash of the DER-encoded certificate bytes. It uniquely identifies a specific certificate and is used to verify you have the exact certificate you expect — not a different one with the same subject name. SHA-1 fingerprints are still widely used for display purposes (not for trust); SHA-256 fingerprints are preferred for security-sensitive comparisons.
You can export a live certificate using OpenSSL: openssl s_client -connect example.com:443 -showcerts 2>/dev/null </dev/null | openssl x509 -outform PEM. In Chrome or Firefox, click the padlock icon → "Certificate" → "Details" → "Export". On macOS, you can drag a certificate from Keychain Access. The exported file can be opened in any text editor to see the PEM contents.
Reading an SSL certificate typically requires openssl x509 -text or a specialized desktop tool. This decoder eliminates that dependency — paste any PEM certificate and every field is instantly presented in a structured, readable format directly in the browser.
An X.509 v3 certificate contains: a serial number for identification, a validity period (not before / not after dates), the subject distinguished name identifying the entity (CN, O, OU, L, ST, C), the issuer distinguished name of the signing CA, the public key and its algorithm, and a set of extensions. The v3 extensions carry important information including the Subject Alternative Names (SANs), key usage constraints, certificate policies, and the CRL distribution points for revocation checking.
Certificate Transparency (CT) logs are append-only public records of every certificate issued by a trusted CA. Most modern TLS certificates include Signed Certificate Timestamps (SCTs) embedded as extensions, proving the certificate was submitted to CT logs. The SHA-256 fingerprint of any certificate can be looked up in CT logs like crt.sh to find related certificates, see when it was issued, and verify it against the CA's records.