What is a TLS Certificate Decoder?
A TLS / SSL certificate decoder reads an X.509 certificate in PEM form (the human-readable
-----BEGIN CERTIFICATE----- blocks served by every HTTPS website) and breaks it into its underlying
ASN.1 fields — subject, issuer, validity window, public-key parameters, Subject Alternative Names, extensions,
and the cryptographic fingerprints used to identify and pin it. If you've ever debugged a "certificate name does
not match" error, juggled a Let's Encrypt renewal, or pasted a cert into openssl x509 -text -noout,
you've done by hand exactly what this tool does in your browser in milliseconds.
What this tool shows
- Subject and issuer Distinguished Names (CN, O, OU, L, ST, C).
- Validity window with a colour-coded "days remaining" badge — green if you have more than 30 days, amber inside the renewal window, red once expired.
- Public-key details — RSA modulus length or EC curve name, exponent, and algorithm OID.
- Subject Alternative Names — DNS names, IP addresses, and URIs the certificate is valid for.
- Extensions — Key Usage, Extended Key Usage, Basic Constraints (CA flag), and Authority Information Access URLs (where to fetch the issuer cert and OCSP responder).
- Fingerprints — colon-delimited SHA-1 and SHA-256 hashes of the DER encoding, ready to paste into a CAA record, an HPKP pin, or a monitoring system.
- Serial number in hexadecimal and the signature algorithm in friendly form (e.g. sha256WithRSAEncryption).
How it's different from openssl
openssl x509 is exhaustive but unfriendly: lots of noise, easy to miss the field you actually wanted.
This decoder surfaces the fields developers and SREs check most often, formats them cleanly, and makes the entire
structured output one click away as JSON for use in scripts or runbooks. It runs entirely in your browser —
your PEM is never uploaded — so it's safe to use on internal CA bundles, client certs, and
staging keys you wouldn't want crossing the public internet.
Privacy and accuracy
Parsing is performed locally with the open-source node-forge
library loaded from a public CDN. SHA-1 and SHA-256 fingerprints are computed against the DER re-encoding of the
parsed certificate, matching the values produced by openssl x509 -fingerprint.
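The fingerprint step described above, as an added example (not the tool's own code, and using Node's built-in crypto module rather than node-forge): the PEM armor is stripped, the body is base64-decoded to DER, and the hash is taken over those bytes. The function names and the sample PEM are assumptions made for this illustration; the sample is a constructed five-byte DER structure, not a real certificate.

```javascript
// Added example: a certificate fingerprint is a hash of the DER bytes, not of the PEM text.
const { createHash } = require("crypto");

// Extract the first CERTIFICATE block from PEM text and return its DER bytes.
function pemToDer(pem) {
  const m = /-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/.exec(pem);
  if (!m) throw new Error("no CERTIFICATE block found");
  const b64 = m[1].replace(/\s+/g, "");
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(b64)) throw new Error("invalid base64 in PEM body");
  return Buffer.from(b64, "base64");
}

// True only if the buffer is exactly one DER SEQUENCE (tag 0x30) whose declared
// length covers the whole buffer; rejects truncated input and trailing bytes.
function isSingleDerSequence(der) {
  if (der.length < 2 || der[0] !== 0x30) return false;
  let len = der[1];
  let header = 2;
  if (len & 0x80) {                       // long form: low 7 bits = count of length bytes
    const n = len & 0x7f;
    if (n === 0 || n > 4 || der.length < 2 + n) return false;
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + der[2 + i];
    header = 2 + n;
  }
  return header + len === der.length;
}

// Colon-delimited upper-case hex digest, the layout `openssl x509 -fingerprint` prints.
function fingerprint(der, algorithm) {
  const hex = createHash(algorithm).update(der).digest("hex").toUpperCase();
  return hex.match(/../g).join(":");
}

// Constructed sample, NOT a real certificate: DER for SEQUENCE { INTEGER 5 }
// (bytes 30 03 02 01 05) wrapped in certificate armor.
const SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n";
// Same bytes with different line wrapping and CRLF endings.
const REWRAPPED_PEM =
  "-----BEGIN CERTIFICATE-----\r\nMAMC\r\nAQU=\r\n-----END CERTIFICATE-----\r\n";

const der = pemToDer(SAMPLE_PEM);
console.log("single outer SEQUENCE:", isSingleDerSequence(der));
console.log("SHA-256:", fingerprint(der, "sha256"));
console.log("SHA-1:  ", fingerprint(der, "sha1"));
console.log("same after rewrapping:",
  fingerprint(pemToDer(REWRAPPED_PEM), "sha256") === fingerprint(der, "sha256"));
```

The value is a hash of the whole certificate, so it changes at every reissue even when the key pair is kept; it is not the SubjectPublicKeyInfo hash that public-key pinning uses.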