Decode and analyze PEM-encoded X.509 SSL/TLS certificates. View subject, issuer, validity, extensions, and fingerprints
Your CI pipeline just failed with a cryptic certificate error, and you need to know what's inside that PEM file right now. Paste a single X.509 certificate and see its fields decoded in your browser: subject, issuer, validity dates, serial number, signature algorithm, public key algorithm and size, Subject Alternative Names, and the standard extensions.
Initializing in your browser…
Generate Certificate Signing Requests (CSR) for SSL/TLS certificates with RSA key pairs. Submit to CAs for certificate issuance
Convert certificates and keys between PEM (Base64) and DER (binary) formats. Supports certificates, keys, and CSRs
Generate self-signed SSL/TLS certificates for local development and testing. Includes Subject Alternative Names support
A TLS handshake is failing and you suspect the certificate is for the wrong host or already expired, but all you have is a PEM blob.
Pasted
-----BEGIN CERTIFICATE----- MIIDdzCCAl+gAwIBAgIE…(truncated)… -----END CERTIFICATE-----
Decoded fields
Subject: CN=api.example.com SAN: api.example.com, www.example.com Issuer: CN=R3, O=Let's Encrypt Valid from: 2024-01-10 Valid until: 2024-04-09 ← EXPIRED 36 days ago Key: RSA 2048 · Sig: SHA256-RSA
The decoder parses the certificate's ASN.1/DER structure entirely in your browser and surfaces the fields that actually break handshakes: the validity window and the Subject Alternative Names (modern clients ignore CN and match only SAN). Here the answer is immediate, the cert expired, so renew it; the host names were fine.
Your CI pipeline just failed with a cryptic certificate error, and you need to know what's inside that PEM file right now. Paste a single X.509 certificate and see its fields decoded in your browser: subject, issuer, validity dates, serial number, signature algorithm, public key algorithm and size, Subject Alternative Names, and the standard extensions.
X.509 certificates pack a lot of structured data into a Base64-encoded blob. This decoder parses, with node-forge, the subject and issuer distinguished names, serial number, validity period (and flags an expired certificate), the public key algorithm and key size (RSA modulus bits or ECDSA curve), and the SHA-1 and SHA-256 fingerprints. It fully expands the Subject Alternative Name list and basic constraints, and labels the key usage and extended key usage extensions. Other extensions such as authority/subject key identifier, CRL distribution points, authority information access (OCSP/AIA), and certificate policies are identified by name and shown as their raw hex value rather than fully decoded. It decodes one certificate at a time, not a full chain.
Decode the certificate to verify the SANs include the hostname you're connecting to.
Confirm a renewed certificate has the correct validity dates, key size, and SANs before deployment.
Read the subject, issuer, serial, and fingerprints of a certificate without running OpenSSL.
Examine a certificate provided by a third party before installing it in your trust store.
PEM format, the text block surrounded by -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers.
No. This decoder reads one certificate at a time. Paste the individual leaf or intermediate certificate you want to inspect.
No. Decoding happens entirely in your browser.
This runs as client-side JavaScript. Keys, tokens, payloads, and other inputs never leave your device.