Certificate Decoder

Paste an X.509 certificate in PEM format to inspect its subject, issuer, validity, SANs, key details, and fingerprint — decoded entirely in your browser.

What is an X.509 Certificate?

An X.509 certificate is the digital document that powers HTTPS and TLS. It binds a public key to an identity — a domain name, organization, or person — and is signed by a trusted Certificate Authority (CA) so that anyone can verify the binding. When your browser shows a padlock, it has validated the site's X.509 certificate against this chain of trust.

Certificates are usually stored and shared in PEM format: a Base64-encoded block wrapped between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers. This decoder parses that block locally in your browser and shows you everything inside it.

How to Use This Tool

  1. Copy your certificate, including the BEGIN/END lines, and paste it into the box.
  2. Click Decode Certificate.
  3. Review the subject, issuer, validity window, Subject Alternative Names, key type, and fingerprints.

What the Fields Mean

Common Uses

Use a certificate decoder to confirm a certificate covers the right domains before deploying, to check expiry dates, to verify that the certificate issued from a CSR is correct, to read the SANs on a multi-domain certificate, or to grab the SHA-256 fingerprint for certificate pinning. It is also handy for troubleshooting chain and trust problems where you need to see exactly who signed what.

Frequently Asked Questions

It accepts X.509 certificates in PEM format — the Base64 text block that begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----. This is the most common format used by web servers and Certificate Authorities. If you have a binary DER (.cer/.der) or PKCS#12 (.pfx) file, convert it to PEM first.

The subject identifies the entity the certificate was issued to — for a website, this includes the domain name. The issuer identifies the Certificate Authority that signed and issued the certificate. For a self-signed certificate the subject and issuer are identical, since the entity signed its own certificate.

SANs are the list of host names (and sometimes IP addresses) that a certificate is valid for. Modern browsers validate a connection against the SAN list rather than the Common Name, so a certificate must list every domain it protects as a SAN. A single certificate can secure many domains by including them all here.

A fingerprint is a hash (commonly SHA-256 or SHA-1) of the entire certificate, producing a short unique identifier. It is used to verify you are looking at exactly the right certificate — for example, when pinning a certificate in an application or comparing what a server presents against an expected value. Even a one-byte change to the certificate produces a completely different fingerprint.

No. Decoding happens entirely in your browser with JavaScript. The certificate you paste is parsed locally and is never sent to a server. Certificates are public by nature, but it is still good practice to keep all processing client-side, which this tool does.
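
A certificate fingerprint is conventionally the hash of the DER bytes inside the PEM block, not of the PEM text, so line wrapping and CRLF line endings do not change it while a one-byte change to the certificate does. The following is an added example for Node.js, not this tool's own code; the function names are assumptions, and the sample input is a constructed 5-byte DER SEQUENCE standing in for a certificate, not a real one.

```javascript
// Added example: compute certificate fingerprints from PEM text (Node.js).
const { createHash } = require('node:crypto');

const PEM_RE = /-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/g;

// Read the length of the outer DER SEQUENCE and return the total encoded size.
function derTotalLength(der) {
  if (der.length < 2 || der[0] !== 0x30) throw new Error('not a DER SEQUENCE');
  if (der[1] < 0x80) return 2 + der[1];                 // short-form length
  const n = der[1] & 0x7f;                              // long form: n length bytes
  if (n === 0 || n > 4 || der.length < 2 + n) throw new Error('bad DER length');
  return 2 + n + der.readUIntBE(2, n);
}

// Extract every certificate in a PEM bundle as a DER Buffer.
function pemToDer(pem) {
  const out = [];
  for (const [, body] of pem.matchAll(PEM_RE)) {
    const b64 = body.replace(/\s+/g, '');               // drop line wrapping / CRLF
    if (!/^[A-Za-z0-9+/]+={0,2}$/.test(b64) || b64.length % 4 !== 0) {
      throw new Error('invalid Base64 in PEM block');
    }
    const der = Buffer.from(b64, 'base64');
    if (derTotalLength(der) !== der.length) throw new Error('truncated or padded DER');
    out.push(der);
  }
  if (out.length === 0) throw new Error('no CERTIFICATE block found');
  return out;
}

// Colon-separated uppercase hex, the form most tools display.
function fingerprints(pem, alg = 'sha256') {
  return pemToDer(pem).map((der) =>
    createHash(alg).update(der).digest('hex').toUpperCase().match(/../g).join(':'));
}

// Constructed sample: a 5-byte DER SEQUENCE standing in for a certificate body.
// It is NOT a real certificate; only the PEM/DER/hash handling is demonstrated.
const wrap = (der, eol) => ['-----BEGIN CERTIFICATE-----',
  ...der.toString('base64').match(/.{1,4}/g), '-----END CERTIFICATE-----', ''].join(eol);
const sampleDer = Buffer.from([0x30, 0x03, 0x02, 0x01, 0x05]);
const flipped = Buffer.from([0x30, 0x03, 0x02, 0x01, 0x06]);

const samplePem = wrap(sampleDer, '\n');
const sampleCrlfPem = wrap(sampleDer, '\r\n');
const flippedPem = wrap(flipped, '\n');
```

When comparing against a pinned value, compare the output of `fingerprints()` for the full bundle entry you expect; a pasted block that fails the DER length check was truncated or has trailing bytes and should not be trusted as the same certificate.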