SSL Certificate Decoder
Decode and inspect SSL/TLS certificates. Paste a PEM or CRT file to extract domain, issuer, expiry date, SANs, and fingerprints — entirely in your browser.
How to use
- 1 Paste a PEM-encoded certificate (beginning with -----BEGIN CERTIFICATE-----) into the textarea.
- 2 Click Decode and the certificate fields are extracted entirely in your browser.
- 3 Review the subject, issuer, validity dates, SANs (Subject Alternative Names), and key details.
- 4 No certificate data is sent to any server. The entire parsing happens client-side.
Key features
- Decodes PEM certificates entirely in your browser with no data sent to any server
- Shows validity period, issuer, subject, and all SANs (Subject Alternative Names)
- Highlights expired or about-to-expire certificates
- Useful for debugging TLS issues and certificate renewals
What is an SSL/TLS Certificate?
An SSL/TLS certificate is a digital document issued by a Certificate Authority (CA) that binds a public key to a domain name. When a browser connects to your site over HTTPS, it validates the certificate to confirm it's talking to the real server, not an impersonator.
Certificates are stored in PEM format: a Base64-encoded block between -----BEGIN CERTIFICATE----- markers. The raw data follows the X.509 standard and contains the domain, issuer, validity period, public key, Subject Alternative Names (SANs), and a CA signature.
Common Use Cases
Inspecting a cert before deploying
Verify that the CN, SANs, and expiry date are correct before installing a certificate on your server.
Checking expiry dates
Paste a cert from a server or file to quickly see when it expires, useful for auditing auto-renewal setups.
Verifying issuer and chain
Confirm the issuing CA and check whether the cert is DV, OV, or EV class.
Debugging mTLS and client certs
Decode client certificates used in mutual TLS (mTLS) to inspect their Subject DN and SANs.
Security audits
Extract fingerprints and key algorithms from certificates during a TLS configuration review.
CI/CD certificate validation
Decode certs stored as environment variables or secrets to verify them without a live server.
Key Certificate Fields Decoded
| Field | What it tells you |
|---|---|
| Subject (CN) | The domain the cert was issued for (e.g. example.com) |
| Issuer | The Certificate Authority that signed it (Let's Encrypt, DigiCert, etc.) |
| Valid from / to | Validity window: certificates expire and must be renewed |
| SANs | Subject Alternative Names: all domains/subdomains this cert covers |
| SHA-256 fingerprint | Unique digest of the certificate, used to pin or verify it |
| Key algorithm | RSA 2048/4096 or ECDSA P-256/P-384, determines cipher strength |
Frequently Asked Questions
How do I decode an SSL certificate?
Copy the PEM content (including the -----BEGIN CERTIFICATE----- markers) and paste it into this decoder. The tool parses the Base64-encoded DER structure and displays all X.509 fields: issuer, subject, validity, SANs, public key, and fingerprint, in a readable format.
What's the difference between PEM, DER, and CRT formats?
PEM is a Base64-encoded format with header/footer lines, widely used in Apache, Nginx, and macOS. DER is the raw binary ASN.1 format, common on Windows and Java. CRT is a generic extension that can contain either PEM or DER. This tool accepts all three by detecting the format automatically.
How do I check if my SSL certificate is valid?
Paste the certificate here to see its validity period, issuer, and SANs. For a live check, you can also use our SSL Certificate Decoder tool to verify the certificate chain, expiry date, and revocation status by fetching it directly from a server.
What is a Subject Alternative Name (SAN)?
A SAN is an additional domain or subdomain that a single certificate covers. Modern browsers require SANs: the old Common Name (CN) field is no longer trusted for domain matching. A certificate for example.com typically also lists www.example.com as a SAN.
Why is my SSL certificate showing as "not trusted"?
This usually means the intermediate certificate is missing from the server configuration (incomplete chain). Use this decoder to check if the certificate includes the full chain, or use the SSL Certificate Decoder tool to fetch and inspect the complete chain presented by your server.