X.509 Certificate Decoder

Security

Decode X.509 certificates in PEM or DER format instantly in your browser. View subject, issuer, SAN, validity dates, public key, and all extensions.

All decoding happens entirely in your browser via a custom ASN.1 DER parser — certificates never leave your device.

PEM Certificate

Paste a PEM-encoded X.509 certificate and click Decode

Certificate Details

Decoded certificate will appear here

About X.509 Certificate Decoder

The X.509 Certificate Decoder parses SSL/TLS certificates encoded in PEM (base64 armored) or binary DER format and presents every field in a human-readable layout. Instantly inspect the subject distinguished name, issuer chain, serial number, validity window, Subject Alternative Names (SANs), signature algorithm, public key algorithm and size, key usage flags, extended key usage, and every other extension present in the certificate — all without installing OpenSSL or any local tooling.

Features

✓Accepts PEM certificates (-----BEGIN CERTIFICATE----- blocks) and raw DER binary
✓Displays full subject and issuer Distinguished Names broken down by component (CN, O, OU, C, ST, L)
✓Shows certificate serial number in both hexadecimal and decimal
✓Parses notBefore / notAfter validity dates and highlights expired or soon-to-expire certificates
✓Lists all Subject Alternative Names (DNS, IP, URI, email) from the SAN extension
✓Decodes public key info: algorithm (RSA, EC, Ed25519), bit size, curve name
✓Renders key usage and extended key usage flags in plain English
✓Displays Authority Key Identifier, Subject Key Identifier, and CRL Distribution Points
✓Shows certificate fingerprints in SHA-1 and SHA-256
✓Supports multi-certificate PEM bundles and shows each certificate individually
✓100 % client-side processing — certificate data never leaves your browser

Common Use Cases

Auditing SSL/TLS certificates before deployment to production servers
Verifying that a certificate covers the correct hostnames via SANs
Checking certificate expiry dates during incident response or monitoring setup
Confirming the signing CA and certificate chain without a command-line environment
Inspecting client certificates in mutual TLS (mTLS) configurations
Validating code-signing certificates and their extended key usage fields
Reviewing certificates embedded in JWT or SAML assertions
Teaching X.509 structure and PKI concepts to developers and students

Frequently Asked Questions

QWhat is an X.509 certificate?

X.509 is the ITU-T standard defining the format of public-key certificates. It is the basis of SSL/TLS, S/MIME, code signing, and many other PKI systems. Each certificate binds a public key to an identity (subject) and is signed by a Certificate Authority.

QWhat is the difference between PEM and DER formats?

DER (Distinguished Encoding Rules) is the raw binary ASN.1 encoding of a certificate. PEM is the same data base64-encoded and wrapped in -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- header and footer lines. PEM is the most common format used in web servers and tools like OpenSSL.

QIs my certificate data sent to a server?

No. All decoding happens entirely within your browser using JavaScript. The certificate bytes never leave your machine, making the tool safe to use with real production certificates.

QWhat are Subject Alternative Names and why do they matter?

Subject Alternative Names (SANs) list every hostname, IP address, or email address that the certificate is authorised to authenticate. Modern browsers ignore the Common Name (CN) field for hostname validation and rely exclusively on the SAN extension, so checking SANs is critical when troubleshooting TLS errors.

QCan I decode a certificate chain (full-chain.pem)?

Yes. Paste a PEM file containing multiple certificates (as produced by Let's Encrypt or nginx full-chain bundles) and the tool will parse and display each certificate separately in order.

QHow do I get the PEM of a live TLS site?

Run `openssl s_client -connect example.com:443 </dev/null 2>/dev/null | openssl x509 -outform PEM`, or use your browser's padlock → View Certificate → export option. Then paste the PEM text into this decoder.

X.509 Certificate Decoder

Security

Decode X.509 certificates in PEM or DER format instantly in your browser. View subject, issuer, SAN, validity dates, public key, and all extensions.

All decoding happens entirely in your browser via a custom ASN.1 DER parser — certificates never leave your device.

PEM Certificate

Paste a PEM-encoded X.509 certificate and click Decode

Certificate Details

Decoded certificate will appear here

About X.509 Certificate Decoder

Features

✓Accepts PEM certificates (-----BEGIN CERTIFICATE----- blocks) and raw DER binary
✓Displays full subject and issuer Distinguished Names broken down by component (CN, O, OU, C, ST, L)
✓Shows certificate serial number in both hexadecimal and decimal
✓Parses notBefore / notAfter validity dates and highlights expired or soon-to-expire certificates
✓Lists all Subject Alternative Names (DNS, IP, URI, email) from the SAN extension
✓Decodes public key info: algorithm (RSA, EC, Ed25519), bit size, curve name
✓Renders key usage and extended key usage flags in plain English
✓Displays Authority Key Identifier, Subject Key Identifier, and CRL Distribution Points
✓Shows certificate fingerprints in SHA-1 and SHA-256
✓Supports multi-certificate PEM bundles and shows each certificate individually
✓100 % client-side processing — certificate data never leaves your browser

Common Use Cases

Auditing SSL/TLS certificates before deployment to production servers
Verifying that a certificate covers the correct hostnames via SANs
Checking certificate expiry dates during incident response or monitoring setup
Confirming the signing CA and certificate chain without a command-line environment
Inspecting client certificates in mutual TLS (mTLS) configurations
Validating code-signing certificates and their extended key usage fields
Reviewing certificates embedded in JWT or SAML assertions
Teaching X.509 structure and PKI concepts to developers and students

Frequently Asked Questions

QWhat is an X.509 certificate?

QWhat is the difference between PEM and DER formats?

QIs my certificate data sent to a server?

No. All decoding happens entirely within your browser using JavaScript. The certificate bytes never leave your machine, making the tool safe to use with real production certificates.

QWhat are Subject Alternative Names and why do they matter?

QCan I decode a certificate chain (full-chain.pem)?

Yes. Paste a PEM file containing multiple certificates (as produced by Let's Encrypt or nginx full-chain bundles) and the tool will parse and display each certificate separately in order.

QHow do I get the PEM of a live TLS site?

X.509 Certificate Decoder

Related Tools

About X.509 Certificate Decoder

Features

Common Use Cases

Frequently Asked Questions

See Also

X.509 Certificate Decoder

Related Tools

About X.509 Certificate Decoder

Features

Common Use Cases

Frequently Asked Questions

See Also