ð SSL Certificate Decoder
Paste a PEM or DER certificate — instantly see all X.509 fields
What Is the SSL Certificate Decoder?
SSL Certificate Decoder is a free, browser-based tool that decodes X.509 certificates (PEM/DER format). Paste any SSL/TLS certificate and instantly see Subject, Issuer, Validity dates, Serial Number, SHA-1 and SHA-256 fingerprints, Public Key information, Subject Alternative Names (SANs), and extensions. All parsing happens locally in your browser â your certificate data never leaves your device.
This tool decodes the certificate fields. It does not validate certificate chains, check certificate revocation (CRL/OCSP), or decrypt PKCS#12 containers. For chain validation, use openssl verify or your browser's security tab.
Key Features
- All Standard Fields: Subject, Issuer, Validity, Serial, Public Key, and more.
- SHA-1 & SHA-256 Fingerprints: Computed client-side using Web Crypto API â instant and private.
- Extension Decoding: SANs, Basic Constraints, Key Usage, Extended Key Usage fully parsed.
- Expiry Status: Color-coded status â valid, expired, expiring soon, or not yet valid.
ð When to Use the Certificate Decoder
SSL/TLS Troubleshooting: Quickly inspect a certificate to verify domain coverage, expiration, and issuer.
Security Auditing: Check certificate fingerprints and key types without command-line tools.
DevOps/CI: Verify certificates in pipelines by decoding PEM files directly in the browser.
Learning: Understand X.509 structure by exploring real certificates with human-readable output.
âï¸ How the SSL Certificate Decoder Works
The tool uses a custom, zero-dependency ASN.1 DER parser (~4KB) built specifically for X.509 certificates (RFC 5280). It decodes the PEM Base64 envelope, then walks the DER-encoded ASN.1 structure extracting each field. The Distinguished Name (Subject/Issuer) parser maps OIDs to readable labels (CN, O, OU, L, ST, C). Fingerprints are computed using the Web Crypto API's crypto.subtle.digest() â the same cryptographic primitives your browser uses for HTTPS. Unknown extensions are displayed honestly as raw OID + hex bytes rather than guessing. Everything runs in your browser; zero network requests.
How to Decode a Certificate
- Paste your certificate (PEM text starting with
-----BEGIN CERTIFICATE-----) or upload a file. - View the decoded fields â the certificate is parsed automatically.
- Copy any field or use the Copy All button for full output.
Supported Certificate Formats
| Format | Support |
|---|---|
| PEM (Base64, -----BEGIN-----) | â Yes |
| DER (binary upload) | â Yes |
| PKCS#12 (.pfx/.p12) | â No â encrypted container |
| PKCS#7 (.p7b) | â No â different format |
| Certificate chain | â First cert only |
Frequently Asked Questions
How do I decode an SSL certificate?
Paste the PEM text (-----BEGIN CERTIFICATE-----) into the input area, or upload a .crt/.pem file. The certificate is decoded automatically.
What's the difference between PEM and DER?
PEM is Base64-encoded with -----BEGIN/END----- markers. DER is the raw binary ASN.1 encoding. This tool accepts both.
Can I check when my certificate expires?
Yes. The Validity section shows Not Before/Not After dates and days remaining. Expired certificates show a red status badge.
Does this tool verify certificate chains?
No. This is a decoder, not a validator. It shows the first certificate only. Use openssl verify for chain validation.
Is my certificate data sent to a server?
No. All parsing is 100% client-side in your browser using our own ASN.1 parser. Zero network requests.
What are SANs (Subject Alternative Names)?
SANs are additional domains or IPs the certificate covers. They appear in the Extensions section.
Can I decode a self-signed certificate?
Yes. Self-signed, internal CA, and public CA certificates all use the same X.509 format.
Does this support PKCS#12 (.pfx/.p12) files?
No. PKCS#12 files are encrypted containers requiring a password. This tool decodes X.509 certificates only.