X.509 / SSL Certificate Decoder — PEM & DER Online Inspect PEM/DER certificates locally.
100% offline
Certificate
Paste a PEM, base64, or DER-hex certificate to decode it.

Parsed locally in your browser — your certificate is never uploaded.

About X.509 / SSL Certificate Decoder — PEM & DER Online

An X.509 certificate is the structured, signed document that proves the identity behind an HTTPS connection, a code signature, or a client login. Packed inside its ASN.1/DER bytes are the subject and issuer names, a validity window, a serial number, the public key, and extensions such as the Subject Alternative Names (SANs) that list every hostname the certificate covers.

This free X.509 certificate decoder parses a PEM or DER certificate and lays those fields out in plain language — subject, issuer, validity, serial, public key, SANs, key usage, and both SHA-1 and SHA-256 fingerprints. It is built for debugging TLS handshakes, inspecting certificate chains, and checking expiry before it bites you in production.

Decoding happens entirely in your browser using the Web Crypto API for fingerprints. Nothing you paste is ever uploaded, so it is safe to inspect internal or private certificates.

Features

  • Decode PEM, raw base64, or DER-hex certificates
  • See subject, issuer, validity, serial, and version at a glance
  • Surface all Subject Alternative Names (SANs), key usage, and basic constraints
  • SHA-1 and SHA-256 fingerprints computed locally with Web Crypto
  • Expiry badge flags valid, expired, or not-yet-valid certificates

How to use

  1. Paste a certificate — a "-----BEGIN CERTIFICATE-----" PEM block, bare base64, or DER hex.
  2. Read the decoded fields: subject, issuer, validity window, serial, and public key.
  3. Check the validity badge to confirm the certificate is still in date.
  4. Copy the SHA-256 fingerprint or any field with its copy button.

Frequently asked questions

What is the difference between PEM and DER?

DER is the raw binary ASN.1 encoding of a certificate. PEM is that same DER wrapped in base64 and bracketed by "-----BEGIN CERTIFICATE-----" / "-----END CERTIFICATE-----" lines so it can be pasted as text. This tool accepts both, plus a raw hex dump of the DER bytes.

Does decoding verify the certificate or its chain?

No. Decoding only reads the fields inside the certificate — it does not validate the signature, check revocation, or verify the issuing chain. Treat the output as informational, the same way openssl x509 -text does.

What is the fingerprint and why are there two?

A fingerprint is a cryptographic hash of the whole DER certificate, used to pin or identify it. SHA-256 is the modern default; SHA-1 still appears in older tooling and some pinning configs, so both are shown. They are computed locally from the bytes you paste.

Is it safe to paste a private or internal certificate?

Yes. All parsing and hashing run in your browser with no network calls, so the certificate never leaves your device. Note that a certificate only contains a public key — never paste a private key here.

What are SANs and why do they matter?

Subject Alternative Names list every hostname (and sometimes IP or email) a certificate is valid for. Modern browsers ignore the legacy Common Name and match only against SANs, so a missing or wrong SAN is a common cause of TLS hostname errors.

Related tools

CSR Decoder — Certificate Signing Request Inspect a Certificate Signing Request. JWT Decoder — Inspect JSON Web Tokens Online Decode and inspect JSON Web Tokens Hash Generator — SHA-256, SHA-1 & SHA-512 Online SHA-1, SHA-256 and SHA-512 digests Base64 Encode & Decode Online – Free Tool Encode and decode Base64 strings

Everything runs locally in your browser — your input is never uploaded.