SSL Certificate Decoder

Decode and inspect SSL/TLS certificates. Paste a PEM or CRT file to extract domain, issuer, expiry date, SANs, and fingerprints — entirely in your browser.

Free Runs in your browser

How to use

  1. 1 Paste a PEM-encoded certificate (beginning with -----BEGIN CERTIFICATE-----) into the textarea.
  2. 2 Click Decode and the certificate fields are extracted entirely in your browser.
  3. 3 Review the subject, issuer, validity dates, SANs (Subject Alternative Names), and key details.
  4. 4 No certificate data is sent to any server. The entire parsing happens client-side.

Key features

  • Decodes PEM certificates entirely in your browser with no data sent to any server
  • Shows validity period, issuer, subject, and all SANs (Subject Alternative Names)
  • Highlights expired or about-to-expire certificates
  • Useful for debugging TLS issues and certificate renewals

What is an SSL/TLS Certificate?

An SSL/TLS certificate is a digital document issued by a Certificate Authority (CA) that binds a public key to a domain name. When a browser connects to your site over HTTPS, it validates the certificate to confirm it's talking to the real server, not an impersonator.

Certificates are stored in PEM format: a Base64-encoded block between -----BEGIN CERTIFICATE----- markers. The raw data follows the X.509 standard and contains the domain, issuer, validity period, public key, Subject Alternative Names (SANs), and a CA signature.

Common Use Cases

Inspecting a cert before deploying

Verify that the CN, SANs, and expiry date are correct before installing a certificate on your server.

Checking expiry dates

Paste a cert from a server or file to quickly see when it expires, useful for auditing auto-renewal setups.

Verifying issuer and chain

Confirm the issuing CA and check whether the cert is DV, OV, or EV class.

Debugging mTLS and client certs

Decode client certificates used in mutual TLS (mTLS) to inspect their Subject DN and SANs.

Security audits

Extract fingerprints and key algorithms from certificates during a TLS configuration review.

CI/CD certificate validation

Decode certs stored as environment variables or secrets to verify them without a live server.

Key Certificate Fields Decoded

FieldWhat it tells you
Subject (CN)The domain the cert was issued for (e.g. example.com)
IssuerThe Certificate Authority that signed it (Let's Encrypt, DigiCert, etc.)
Valid from / toValidity window: certificates expire and must be renewed
SANsSubject Alternative Names: all domains/subdomains this cert covers
SHA-256 fingerprintUnique digest of the certificate, used to pin or verify it
Key algorithmRSA 2048/4096 or ECDSA P-256/P-384, determines cipher strength

Frequently Asked Questions

How do I decode an SSL certificate?

Copy the PEM content (including the -----BEGIN CERTIFICATE----- markers) and paste it into this decoder. The tool parses the Base64-encoded DER structure and displays all X.509 fields: issuer, subject, validity, SANs, public key, and fingerprint, in a readable format.

What's the difference between PEM, DER, and CRT formats?

PEM is a Base64-encoded format with header/footer lines, widely used in Apache, Nginx, and macOS. DER is the raw binary ASN.1 format, common on Windows and Java. CRT is a generic extension that can contain either PEM or DER. This tool accepts all three by detecting the format automatically.

How do I check if my SSL certificate is valid?

Paste the certificate here to see its validity period, issuer, and SANs. For a live check, you can also use our SSL Certificate Decoder tool to verify the certificate chain, expiry date, and revocation status by fetching it directly from a server.

What is a Subject Alternative Name (SAN)?

A SAN is an additional domain or subdomain that a single certificate covers. Modern browsers require SANs: the old Common Name (CN) field is no longer trusted for domain matching. A certificate for example.com typically also lists www.example.com as a SAN.

Why is my SSL certificate showing as "not trusted"?

This usually means the intermediate certificate is missing from the server configuration (incomplete chain). Use this decoder to check if the certificate includes the full chain, or use the SSL Certificate Decoder tool to fetch and inspect the complete chain presented by your server.