No Login Data Private Local Save

Certificate Decoder (PEM) – Online View X.509 Details

20
0
0
0

Certificate Decoder (PEM)

Paste your X.509 certificate in PEM format to decode and inspect all details instantly.

Paste PEM or drag & drop a file

Initializing certificate parser...

Certificate Valid
Valid
Subject
Issuer
Validity
Certificate Details
Fingerprints
Public Key Info

No certificate decoded yet

Paste a PEM certificate above, upload a file, or load the example to get started.

Frequently Asked Questions

An X.509 certificate is a digital document defined by the ITU-T X.509 standard. It binds a public key to an identity (such as a domain name or organization) and is issued by a trusted Certificate Authority (CA). It is the foundation of TLS/SSL, used to secure HTTPS connections, email encryption (S/MIME), code signing, and more. Each certificate contains the subject's identity, the issuer's identity, validity dates, public key, and cryptographic signatures.

PEM (Privacy-Enhanced Mail) is a base64-encoded format for certificates and keys, wrapped between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- headers. It is the most widely used format for X.509 certificates on web servers (Apache, Nginx), and is easily copied and pasted as plain text. The binary equivalent is DER format, which is not human-readable. You can convert between PEM and DER using OpenSSL commands.

You can obtain the PEM certificate from your web server (e.g., the .crt or .pem file), or export it from your browser by clicking the padlock icon in the address bar → "Connection is secure" → "Certificate is valid" → "Export". You can also use OpenSSL to fetch a remote server's certificate: openssl s_client -connect example.com:443 -showcerts.

Certificate fingerprints are cryptographic hashes of the entire certificate (in DER binary form). They serve as unique identifiers for a certificate. SHA-256 is the modern standard and is used for certificate pinning and verification. SHA-1 is deprecated due to collision vulnerabilities but is still displayed for legacy compatibility. You can verify a certificate by comparing its fingerprint with the one published by the issuer.

The Subject field identifies the entity the certificate was issued to (e.g., a website domain or organization). The Issuer field identifies the Certificate Authority (CA) that signed and issued the certificate. For self-signed certificates, the Subject and Issuer are identical. In a certificate chain, the Issuer of one certificate is the Subject of the next certificate up the chain, ultimately reaching a trusted root CA.

Subject Alternative Names (SANs) are an X.509 extension that allows a certificate to be valid for multiple hostnames, IP addresses, or email addresses. Modern browsers require that the domain you are visiting matches one of the SAN entries (or the Common Name). A single certificate can cover example.com, www.example.com, and api.example.com via SANs, eliminating the need for separate certificates for each subdomain.

Paste your certificate into this decoder tool and check the Validity section. It shows Not Before (when the certificate becomes valid) and Not After (when it expires). Our tool automatically calculates the remaining days and displays a clear status indicator: green for valid, amber for expiring within 30 days, and red for expired. You can also use openssl x509 -in cert.pem -noout -dates on the command line.

A self-signed certificate is one where the Subject and Issuer are identical — the certificate signs itself rather than being signed by a trusted CA. These are commonly used for development, testing, or internal networks. Browsers display security warnings for self-signed certificates because they cannot be verified against a trusted root. For production public-facing websites, always use a certificate from a trusted CA like Let's Encrypt, DigiCert, or Sectigo.
🔧 Related Tools