SSL Certificate Decoder
Parse PEM-encoded X.509 certificates and view subject, issuer, validity, SANs, and extensions
Paste a PEM-encoded X.509 certificate above to decode it.
Supports single certificates and full certificate chains.
You need to inspect an SSL certificate to check its expiration date, Subject Alternative Names, or issuer chain. This tool parses PEM-encoded X.509 certificates and displays all fields in a readable format — without sending the certificate to any server.
What Gets Decoded
- Subject: Common Name (CN), Organization, Country, State, Locality
- Issuer: Who signed this certificate
- Validity: Not Before, Not After, days remaining until expiration
- Serial Number: Unique certificate identifier
- Signature Algorithm: SHA-256 with RSA, ECDSA, etc.
- Public Key: Algorithm, key size in bits
- Subject Alternative Names (SANs): All domain names covered
- Extensions: Key Usage, Extended Key Usage, Basic Constraints, CA flag
How to Get a Certificate
To extract a server’s certificate for analysis:
# Using OpenSSL
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -outform PEM
# Using curl (shows cert chain)
curl -v --cacert /dev/null https://example.com 2>&1 | grep -A 100 "BEGIN CERTIFICATE"Frequently Asked Questions
Does this tool validate the certificate? It decodes and displays the certificate fields. For chain validation, use the Certificate Chain Validator tool.
Can it read DER-format certificates?
Currently only PEM format (Base64-encoded with BEGIN/END markers) is supported. Convert DER to PEM using: openssl x509 -inform DER -in cert.der -outform PEM
Can it decode certificate chains? Yes. Paste multiple PEM certificates and each one will be decoded separately.