Skip to main content
L
Loopaloo
Buy Us a Coffee
All ToolsImage ProcessingAudio ProcessingVideo ProcessingDocument & TextPDF ToolsCSV & Data AnalysisConverters & EncodersWeb ToolsMath & ScienceGames
Guides & BlogAboutContact
Buy Us a Coffee
L
Loopaloo

Free online tools for developers, designers, and content creators. All processing happens entirely in your browser - your files never leave your device. No uploads, no accounts, complete privacy.

support@loopaloo.com

Tool Categories

  • Image Tools
  • Audio Tools
  • Video Tools
  • Document & Text
  • PDF Tools
  • CSV & Data
  • Converters
  • Web Tools
  • Math & Science
  • Games

Company

  • About Us
  • Contact
  • Blog
  • FAQ

Legal

  • Privacy Policy
  • Terms of Service
  • Disclaimer

Support

Buy Us a Coffee

© 2026 Loopaloo. All rights reserved. Built with privacy in mind.

Privacy|Terms|Disclaimer
  1. Home
  2. Web Tools
  3. Certificate Decoder
Add to favorites

Certificate Decoder

Decode and analyze PEM-encoded X.509 SSL/TLS certificates. View subject, issuer, validity, extensions, and fingerprints

Your CI pipeline just failed with a cryptic certificate error, and you need to know what's inside that PEM file right now. Paste a single X.509 certificate and see its fields decoded in your browser: subject, issuer, validity dates, serial number, signature algorithm, public key algorithm and size, Subject Alternative Names, and the standard extensions.

Runs locally in your browserMore web toolsJump to full guide

Related reading

  • Understanding SSL/TLS Certificates: How HTTPS Keeps the Web Secure14 min read

Initializing in your browser…

You might also like

CSR Generator

Generate Certificate Signing Requests (CSR) for SSL/TLS certificates with RSA key pairs. Submit to CAs for certificate issuance

PEM/DER Converter

Convert certificates and keys between PEM (Base64) and DER (binary) formats. Supports certificates, keys, and CSRs

Self-Signed Certificate Generator

Generate self-signed SSL/TLS certificates for local development and testing. Includes Subject Alternative Names support

Certificate Decoder: a worked example

A TLS handshake is failing and you suspect the certificate is for the wrong host or already expired, but all you have is a PEM blob.

Pasted

-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIE…(truncated)…
-----END CERTIFICATE-----
Certificate Decoder produces

Decoded fields

Subject:     CN=api.example.com
SAN:         api.example.com, www.example.com
Issuer:      CN=R3, O=Let's Encrypt
Valid from:  2024-01-10
Valid until: 2024-04-09  ← EXPIRED 36 days ago
Key:         RSA 2048 · Sig: SHA256-RSA

The decoder parses the certificate's ASN.1/DER structure entirely in your browser and surfaces the fields that actually break handshakes: the validity window and the Subject Alternative Names (modern clients ignore CN and match only SAN). Here the answer is immediate, the cert expired, so renew it; the host names were fine.

About the Certificate Decoder

Your CI pipeline just failed with a cryptic certificate error, and you need to know what's inside that PEM file right now. Paste a single X.509 certificate and see its fields decoded in your browser: subject, issuer, validity dates, serial number, signature algorithm, public key algorithm and size, Subject Alternative Names, and the standard extensions.

Key features

  • X.509 field decoding (subject, issuer, serial, validity)
  • Subject Alternative Name listing
  • Key algorithm and size (RSA bits / ECDSA curve)
  • Validity period with expired-certificate flag
  • Key usage and extended key usage labels; other extensions shown as raw hex
  • SHA-1 and SHA-256 fingerprints
  • Client-side parsing, certificate never sent to a server

How to use

  1. 1Paste a single PEM-encoded certificate (the block starting with -----BEGIN CERTIFICATE-----).
  2. 2Review the decoded fields displayed in structured sections.
  3. 3Check validity dates, SANs, and key details.
  4. 4Note the expiry warning if the certificate is past its notAfter date.

What gets decoded

X.509 certificates pack a lot of structured data into a Base64-encoded blob. This decoder parses, with node-forge, the subject and issuer distinguished names, serial number, validity period (and flags an expired certificate), the public key algorithm and key size (RSA modulus bits or ECDSA curve), and the SHA-1 and SHA-256 fingerprints. It fully expands the Subject Alternative Name list and basic constraints, and labels the key usage and extended key usage extensions. Other extensions such as authority/subject key identifier, CRL distribution points, authority information access (OCSP/AIA), and certificate policies are identified by name and shown as their raw hex value rather than fully decoded. It decodes one certificate at a time, not a full chain.

Practical scenarios

  • Debugging TLS handshake failures

    Decode the certificate to verify the SANs include the hostname you're connecting to.

  • Certificate renewal verification

    Confirm a renewed certificate has the correct validity dates, key size, and SANs before deployment.

  • Quick field inspection

    Read the subject, issuer, serial, and fingerprints of a certificate without running OpenSSL.

  • Vendor certificate inspection

    Examine a certificate provided by a third party before installing it in your trust store.

Frequently asked questions

What format does the certificate need to be in?

PEM format, the text block surrounded by -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers.

Can I decode a whole certificate chain?

No. This decoder reads one certificate at a time. Paste the individual leaf or intermediate certificate you want to inspect.

Is my certificate data sent to a server?

No. Decoding happens entirely in your browser.

Related tools and how they differ

  • SSL Certificate Checker: Fetch a remote site's certificate via an OpenSSL command, then paste it back here; use it when you have a domain but not the PEM yet.
  • CSR Generator: Create a new signing request with subject fields and an RSA key; use it to start a cert, not to read an existing one.
  • Self-Signed Certificate Generator: Mint your own cert with SANs and a chosen validity for dev use; use it to produce a cert, not to decode one.
  • PEM/DER Converter: Turn a binary DER certificate into PEM so it can be pasted here; use it when your cert file will not decode as text.

Further reading

  • Understanding SSL/TLS Certificates: How HTTPS Keeps the Web Secure14 min read

Private by design

This runs as client-side JavaScript. Keys, tokens, payloads, and other inputs never leave your device.