X.509 Certificate Decoder
Paste a PEM-encoded X.509 certificate — inspect subject, issuer, validity window, SANs, key usage, and SHA fingerprints. Runs in your browser.
PEM certificate
Paste a certificate to see the breakdown.
Decoded entirely on your device.
Parsing uses node-forge in your browser. Fingerprints are computed via the native Web Crypto API. The certificate never leaves the page — safe for internal CAs, customer certs, anything you wouldn’t paste into a random web tool.
How to use it
- 1Paste a PEM block (starts with -----BEGIN CERTIFICATE-----), drop a .pem / .crt / .cer file, or hit Open file. The breakdown appears as you type.
- 2Read the validity banner first — green means valid, amber means expiring soon (≤30 days), red means already expired.
- 3Subject and Issuer panes show the distinguished name fields with human labels (Common name, Organization, Country, …).
- 4Subject alternative names list every hostname / IP / email the cert covers — the bit that actually matters for TLS server certs.
- 5Public Key section shows the algorithm (RSA / ECDSA) and size. Fingerprints pane has SHA-1 and SHA-256 in openssl colon format with one-click copy.
Common use cases
- Sanity-check a TLS server certificate before renewal — confirm the SANs match the hostnames you expect.
- Inspect a customer-provided certificate without piping it through openssl.
- Compare two fingerprints by eye when verifying a cert pin.
- Confirm a self-signed CA cert was generated with the expected key algorithm and lifetime.
- Identify the issuer of a mystery cert pulled from a packet capture or a server's chain.
Frequently asked questions
- Is the certificate sent to a server?
- No. Parsing happens entirely in your browser via node-forge; fingerprints are computed by the Web Crypto API on the device. The cert never leaves the page — safe for internal CAs, customer certs, anything you wouldn't paste into a random web tool.
- What formats are supported?
- PEM-encoded X.509 v3 certificates — the standard format with `-----BEGIN CERTIFICATE-----` headers. Drop a .pem, .crt, or .cer file (text-based forms). For DER-encoded binary certs, convert to PEM first with `openssl x509 -inform DER -in cert.der -out cert.pem`.
- Why does my chain only show one cert?
- Each PEM block decodes a single certificate. If you paste a chain file with multiple BEGIN/END blocks, only the first is parsed. For chain inspection, decode each cert individually by pasting them one at a time.
- What's the difference between Subject and Subject Alternative Names (SAN)?
- Subject is the DN containing fields like Common Name (CN), Organization, Country. Modern TLS clients ignore CN for hostname matching and use SAN entries instead. If a server cert doesn't have SANs covering the hostname you're connecting to, browsers will reject it regardless of what CN says.
- Why is SHA-1 still shown alongside SHA-256?
- Many existing systems (certificate transparency logs, older monitoring tools, pinning configurations) still reference SHA-1 fingerprints. SHA-256 is the modern standard, but having SHA-1 available is useful when comparing against legacy records. The cert's *signature* security depends on the signature algorithm, not on which fingerprint you read.
- Can I decode a CSR (certificate signing request)?
- Not yet — this tool decodes signed certificates only. CSRs use a different ASN.1 structure (PKCS#10). A dedicated CSR decoder is on the roadmap; suggest it via the form linked in the footer if you want it prioritized.
Try next
JWT Decoder
Inspect the header, payload, and expiry of any JSON Web Token — with optional on-device AI that explains what the token grants in plain English.
RSA Key Pair Generator
Generate RSA public/private key pairs in PEM format — 2048 or 4096-bit, PKCS#1 or PKCS#8.
Hash Generator
Generate MD5, SHA-1, SHA-256, and SHA-512 hashes in your browser.