Free X.509 Certificate Decoder — Read and Analyze SSL/TLS Certificates Online
Paste any PEM or raw Base64-encoded certificate and see every field extracted
and formatted. Our certificate parser runs entirely in your browser using a
client-side ASN.1 decoder — nothing is uploaded, no account is required, and
there is no limit on usage.
What the Certificate Decoder Extracts
Uploading a PEM certificate (the kind you get from -----BEGIN CERTIFICATE-----
through -----END CERTIFICATE-----) reveals:
- Serial number in hexadecimal format — the unique identifier assigned by
the issuing CA, useful for revocation checking and audit logs. - Validity period — both
notBeforeandnotAfterdates with an automatic
calculation of days remaining. Expired certificates and those expiring within
30 days are clearly flagged. - Subject Distinguished Name — the full X.500 directory name with each
Relative Distinguished Name attribute shown alongside its OID. - Issuer Distinguished Name — who issued the certificate, parsed attribute
by attribute. Useful for verifying chain-of-trust and confirming the correct
intermediate CA. - Subject Alternative Names — every DNS name and IP address covered by this
certificate. Essential for confirming wildcard coverage and multi-domain
certificates. - Public key — algorithm family (RSA or Elliptic Curve), key size, and EC
curve name when applicable. Verify that your certificate meets minimum key
length requirements. - Signature algorithm — the algorithm the CA used to sign this certificate,
displayed as both the OID dotted string and the common name (e.g.
sha256WithRSAEncryption). - SHA-256 fingerprint — computed from the DER body and displayed for
Certificate Transparency log cross-referencing.
When to Use an SSL Certificate Decoder
A TLS certificate parser helps in several real-world situations:
- Inspect a certificate before installation — after receiving a signed
certificate from a Certificate Authority, decode it to confirm the CN, SANs,
key type, and validity window are correct before deploying to production. - Debug chain-of-trust issues — when a browser reports an untrusted
connection, decode each certificate in the chain to identify missing
intermediates or expired cross-signatures. - Verify certificate transparency — copy the SHA-256 fingerprint and search
crt.shto confirm the certificate appears in public CT logs. - Check key compliance — organizational policies often mandate minimum RSA
2048-bit keys or prohibit certain signature algorithms (e.g. SHA-1). Use the
decoder to audit compliance on any certificate file. - Prepare for migration — when moving from RSA to ECDSA certificates or
switching CAs, verify that newly issued certificates match the expected
parameters before cutting over traffic.
Input Format Support
The tool auto-detects your input format:
- PEM — standard
-----BEGIN CERTIFICATE-----/-----END CERTIFICATE-----
with Base64 body. This is the default output of most CAs, web servers, and
the OpenSSL command line. - Raw Base64 — the DER body encoded in Base64 without PEM headers. Useful
when you’ve extracted the certificate data programmatically.
Privacy and Security
The entire decoding process runs inside your web browser using JavaScript.
Certificate data is never transmitted to any server. You can safely decode
internal PKI certificates, production server certificates, and private CA
material without exposing sensitive information to a third party.
OpenSSL Alternative
The command-line equivalent is:
openssl x509 -in crtmgr.com.crt -noout -text
Our web tool produces the same information with structured formatting and
click-to-copy fields, making documentation and sharing easier.
Related Tools
- SSL Certificate Checker — query a live domain and see the
certificate it’s currently serving, including days-remaining countdown and SANs. - Certificate Converter — switch between PEM and raw Base64
formats for use in Kubernetes Secrets, Terraform variables, or API integrations. - CSR Decoder — decode a Certificate Signing Request to verify
the subject and public key before submitting it to a Certificate Authority.