Is the certificate sent to a server?

No. Parsing happens entirely in your browser via node-forge; fingerprints are computed by the Web Crypto API on the device. The cert never leaves the page — safe for internal CAs, customer certs, anything you wouldn't paste into a random web tool.

What formats are supported?

PEM-encoded X.509 v3 certificates — the standard format with `-----BEGIN CERTIFICATE-----` headers. Drop a .pem, .crt, or .cer file (text-based forms). For DER-encoded binary certs, convert to PEM first with `openssl x509 -inform DER -in cert.der -out cert.pem`.

Why does my chain only show one cert?

Each PEM block decodes a single certificate. If you paste a chain file with multiple BEGIN/END blocks, only the first is parsed. For chain inspection, decode each cert individually by pasting them one at a time.

What's the difference between Subject and Subject Alternative Names (SAN)?

Subject is the DN containing fields like Common Name (CN), Organization, Country. Modern TLS clients ignore CN for hostname matching and use SAN entries instead. If a server cert doesn't have SANs covering the hostname you're connecting to, browsers will reject it regardless of what CN says.

Why is SHA-1 still shown alongside SHA-256?

Many existing systems (certificate transparency logs, older monitoring tools, pinning configurations) still reference SHA-1 fingerprints. SHA-256 is the modern standard, but having SHA-1 available is useful when comparing against legacy records. The cert's *signature* security depends on the signature algorithm, not on which fingerprint you read.

Can I decode a CSR (certificate signing request)?

Not yet — this tool decodes signed certificates only. CSRs use a different ASN.1 structure (PKCS#10). A dedicated CSR decoder is on the roadmap; suggest it via the form linked in the footer if you want it prioritized.

X.509 Certificate Decoder

Paste a PEM-encoded X.509 certificate — inspect subject, issuer, validity window, SANs, key usage, and SHA fingerprints. Runs in your browser.

PEM certificate

Paste a certificate to see the breakdown.

Decoded entirely on your device.

Parsing uses node-forge in your browser. Fingerprints are computed via the native Web Crypto API. The certificate never leaves the page — safe for internal CAs, customer certs, anything you wouldn’t paste into a random web tool.

How to use it

1Paste a PEM block (starts with -----BEGIN CERTIFICATE-----), drop a .pem / .crt / .cer file, or hit Open file. The breakdown appears as you type.
2Read the validity banner first — green means valid, amber means expiring soon (≤30 days), red means already expired.
3Subject and Issuer panes show the distinguished name fields with human labels (Common name, Organization, Country, …).
4Subject alternative names list every hostname / IP / email the cert covers — the bit that actually matters for TLS server certs.
5Public Key section shows the algorithm (RSA / ECDSA) and size. Fingerprints pane has SHA-1 and SHA-256 in openssl colon format with one-click copy.

Common use cases

Sanity-check a TLS server certificate before renewal — confirm the SANs match the hostnames you expect.
Inspect a customer-provided certificate without piping it through openssl.
Compare two fingerprints by eye when verifying a cert pin.
Confirm a self-signed CA cert was generated with the expected key algorithm and lifetime.
Identify the issuer of a mystery cert pulled from a packet capture or a server's chain.

Frequently asked questions

Is the certificate sent to a server?: No. Parsing happens entirely in your browser via node-forge; fingerprints are computed by the Web Crypto API on the device. The cert never leaves the page — safe for internal CAs, customer certs, anything you wouldn't paste into a random web tool.
What formats are supported?: PEM-encoded X.509 v3 certificates — the standard format with `-----BEGIN CERTIFICATE-----` headers. Drop a .pem, .crt, or .cer file (text-based forms). For DER-encoded binary certs, convert to PEM first with `openssl x509 -inform DER -in cert.der -out cert.pem`.
Why does my chain only show one cert?: Each PEM block decodes a single certificate. If you paste a chain file with multiple BEGIN/END blocks, only the first is parsed. For chain inspection, decode each cert individually by pasting them one at a time.
What's the difference between Subject and Subject Alternative Names (SAN)?: Subject is the DN containing fields like Common Name (CN), Organization, Country. Modern TLS clients ignore CN for hostname matching and use SAN entries instead. If a server cert doesn't have SANs covering the hostname you're connecting to, browsers will reject it regardless of what CN says.
Why is SHA-1 still shown alongside SHA-256?: Many existing systems (certificate transparency logs, older monitoring tools, pinning configurations) still reference SHA-1 fingerprints. SHA-256 is the modern standard, but having SHA-1 available is useful when comparing against legacy records. The cert's *signature* security depends on the signature algorithm, not on which fingerprint you read.
Can I decode a CSR (certificate signing request)?: Not yet — this tool decodes signed certificates only. CSRs use a different ASN.1 structure (PKCS#10). A dedicated CSR decoder is on the roadmap; suggest it via the form linked in the footer if you want it prioritized.