An SSL certificate decoder lets you inspect the contents of any X.509/TLS certificate encoded in PEM format. Paste a certificate below to see the subject, issuer, validity dates, public key details, Subject Alternative Names (SANs), and all extensions — useful for debugging HTTPS issues, verifying certificate configuration, and understanding the certificate chain.
How to Use the SSL Certificate Decoder
SSL/TLS certificates are X.509 documents that bind a public key to an identity (a domain, organization, or person). Every HTTPS connection uses a certificate, and understanding what's inside them is essential for debugging TLS issues, verifying certificate configuration, and auditing security posture. This SSL certificate decoder parses any PEM-encoded certificate and displays all fields in a readable, structured layout.
Step 1: Get the PEM-Encoded Certificate
PEM is the standard text format for certificates — it starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----. You can obtain a certificate by running echo | openssl s_client -connect hostname:443 2>/dev/null | openssl x509 -outform PEM in a terminal, by clicking the lock icon in your browser and exporting the certificate, or by copying it from your server's SSL configuration directory.
Step 2: Paste and Decode
Paste the full PEM text including the header and footer lines. The decoder parses the certificate client-side using node-forge — no data is sent to any server. Click "Decode Certificate" (or use the Load Sample button to try an example) to see all fields.
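The first stage of any PEM decoder, before fields can be shown, as an added example (not this tool's code, which uses node-forge): strip the PEM armor, base64-decode to DER, confirm the outer X.509 Certificate shape, and hash the DER for the SHA-256 fingerprint. It assumes Node.js built-ins only; the function names and the sample skeleton are made up for illustration.

```javascript
// Added example: Node.js built-ins only; node-forge is not used here.
const crypto = require('crypto');

// Extract the DER bytes from the first PEM CERTIFICATE block in the input.
function pemToDer(pem) {
  const m = /-----BEGIN CERTIFICATE-----([A-Za-z0-9+/=\s]+)-----END CERTIFICATE-----/.exec(pem);
  if (!m) throw new Error('no PEM CERTIFICATE block found');
  return Buffer.from(m[1].replace(/\s+/g, ''), 'base64');
}

// Read one DER tag-length-value header at `offset`, with bounds checks.
function readTlv(der, offset) {
  if (offset + 2 > der.length) throw new Error('truncated DER header');
  const tag = der[offset];
  let len = der[offset + 1];
  let hdr = 2;
  if (len & 0x80) {                 // long form: low 7 bits = count of length bytes
    const n = len & 0x7f;
    if (n === 0 || n > 4) throw new Error('unsupported DER length');
    if (offset + 2 + n > der.length) throw new Error('truncated DER length');
    len = der.readUIntBE(offset + 2, n);
    hdr += n;
  }
  const end = offset + hdr + len;
  if (end > der.length) throw new Error('DER value runs past end of input');
  return { tag, start: offset + hdr, end };
}

// Check the outer Certificate shape and return the fingerprint of the DER bytes.
function inspectCertificateDer(der) {
  const outer = readTlv(der, 0);
  if (outer.tag !== 0x30) throw new Error('outer element is not a SEQUENCE');
  if (outer.end !== der.length) throw new Error('trailing bytes after certificate');
  const childTags = [];
  for (let p = outer.start; p < outer.end;) {
    const child = readTlv(der, p);
    childTags.push(child.tag);
    p = child.end;
  }
  // Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
  const shapeOk = childTags.length === 3 && childTags[0] === 0x30 &&
                  childTags[1] === 0x30 && childTags[2] === 0x03;
  const sha256 = crypto.createHash('sha256').update(der).digest('hex')
    .toUpperCase().match(/../g).join(':');
  return { shapeOk, childTags, sha256 };
}

// Constructed sample: an empty certificate-shaped DER skeleton, not a real certificate.
const SAMPLE_DER = Buffer.from('300730003000030100', 'hex');
const SAMPLE_PEM = `-----BEGIN CERTIFICATE-----\n${SAMPLE_DER.toString('base64')}\n-----END CERTIFICATE-----\n`;
```

The fingerprint is computed over the decoded DER bytes, not the PEM text, so line wrapping or whitespace differences in the pasted PEM do not change it.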
Step 3: Understand the Output Sections
The decoded certificate is organized into labeled sections. The Subject shows who the certificate is issued to (CN = Common Name, O = Organization, C = Country). The Issuer shows the Certificate Authority that signed it. The Validity Period shows not-before/not-after dates with a status badge indicating whether the cert is currently valid. The Public Key section shows the algorithm (RSA or EC) and key size. SANs list all hostnames and IP addresses covered by the certificate.
Reading Certificate Extensions
Extensions carry critical security information. Basic Constraints (CA:TRUE/FALSE) determines if the cert can sign other certificates — end-entity certificates should always be CA:FALSE. Key Usage restricts what operations the key can perform (digitalSignature, keyEncipherment, etc.). Extended Key Usage further narrows the purpose to TLS Web Server Authentication, Client Authentication, or Code Signing. The CRL Distribution Points and Authority Info Access (OCSP URL) fields are used for certificate revocation checking.
Common Debugging Scenarios
Use the SSL certificate decoder to verify that a certificate covers the domain you expect (check SANs), confirm the issuer matches your expected CA, check if a certificate is expired or not yet valid, verify the key algorithm and size meet your security requirements (RSA 2048+ or ECDSA 256+), and confirm the certificate chain path (CA:TRUE in the Issuer section indicates an intermediate CA).
FAQ
Is this SSL certificate decoder free?
Yes, completely free. Paste any PEM-encoded certificate and decode it instantly. No account, no server upload — everything runs in your browser using the node-forge library.
Is my certificate data safe?
Yes. The certificate is parsed entirely in your browser using JavaScript. No data is sent to any server. Public certificates are not sensitive, but the tool works for private test certificates too.
What format does the certificate need to be in?
The tool accepts PEM-encoded certificates — the standard text format that starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----. This is the most common format used by web servers, certificate authorities, and SSL tools.
What is a Subject Alternative Name (SAN)?
SANs are additional hostnames, IP addresses, or email addresses that a certificate is valid for. Modern certificates use SANs instead of (or in addition to) the Common Name. A wildcard SAN like *.example.com covers all subdomains of example.com.
What does the Basic Constraints extension mean?
The Basic Constraints extension indicates whether the certificate is a CA (Certificate Authority) certificate that can sign other certificates (CA:TRUE) or an end-entity certificate that cannot (CA:FALSE). Intermediate CA certificates have CA:TRUE with a pathLen constraint limiting the depth of certificate chains.
How do I get a PEM certificate from my server?
You can get a certificate in several ways: run 'echo | openssl s_client -connect hostname:443 2>/dev/null | openssl x509 -outform PEM' in your terminal, export it from your browser's lock icon > Certificate details, or copy it from your web server's SSL configuration directory (e.g., /etc/ssl/certs/).
What is the difference between DV, OV, and EV certificates?
DV (Domain Validation) only verifies domain ownership — fastest and cheapest, used for most HTTPS sites. OV (Organization Validation) verifies the organization's legal existence — shown in certificate details. EV (Extended Validation) requires rigorous vetting of the organization; browsers used to show the company name in the address bar for EV certificates (now less prominent in modern browsers).