SSL Certificate Decoder

How to use

1. 1Copy a PEM certificate block (one starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----), or a full fullchain.pem with several blocks concatenated together.
2. 2Paste it into the input. The Try a sample buttons load the publicly distributed ISRG Root X1 and Let's Encrypt R3 intermediate so you can see a real decoded certificate immediately.
3. 3Read each decoded certificate card for subject and issuer attributes, validity window with expiry status, every Subject Alternative Name, public key algorithm and size, and the standard X.509 v3 extensions.
4. 4Use the Copy hex buttons next to the SHA-1, SHA-256, and SHA-512 fingerprints when you need a fingerprint for certificate pinning or to compare against a server-reported value.
5. 5Use Copy summary on any certificate to grab a plain-text report that mirrors the openssl x509 -text style for sharing in tickets or release notes.

About this tool

SSL Certificate Decoder parses a PEM-encoded X.509 certificate into a readable view in your browser, with no upload and no server round-trip. Paste the certificate block (or a full chain of BEGIN CERTIFICATE / END CERTIFICATE blocks) and the tool walks the ASN.1 DER bytes to extract the version, serial number (decimal and colon-separated hex), signature algorithm, issuer and subject distinguished names (CN, O, OU, C, L, ST, emailAddress, and more), the validity window (notBefore and notAfter in ISO 8601 plus a relative label that flags certificates that are not yet valid, expiring within thirty days, or already expired), the subject public key information (RSA modulus bit length and exponent, named EC curve like prime256v1 / secp384r1 / secp521r1, Ed25519, or DSA), every standard X.509 v3 extension (Basic Constraints with the CA flag and path length, Key Usage, Extended Key Usage with friendly names like TLS Web Server Authentication, Subject Alternative Name with DNS, IP, URI, and email entries, Authority and Subject Key Identifiers, plus any unrecognized OIDs), and SHA-1, SHA-256, and SHA-512 fingerprints computed via the browser SubtleCrypto API. Useful for confirming the common name and SAN list on a Let's Encrypt or AWS-issued certificate before deploying, checking which certificate authority signed a server response, finding the SHA-256 fingerprint of a self-signed certificate for pinning, debugging a TLS handshake failure where the wrong intermediate was served, or just reading the contents of a chain.pem without running openssl x509 -text. Everything is local: the certificate text you paste, including any private deployment details, never leaves your device.

Free to use. Works in your browser. No signup, no login.