
Introduction:

X.509 certificates bind a public key to an entity and identify the issuing Certificate Authority (CA). In Privacy-Enhanced Mail (PEM) format, each certificate is a block with human-readable delimiters around Base64 text that represents the certificate’s ASN.1 structure.

This decoder accepts a pasted or uploaded PEM block, parses its fields with a client-side cryptographic engine, and renders subject, issuer, validity period, serial number, signature algorithm, subject-alternative names, and SHA-256 fingerprint. All processing occurs locally in your browser.

Use it to confirm that a server’s certificate matches its hostname before trusting a connection or storing credentials. *Always verify that the “Valid To” date has not passed and that the fingerprint matches the official record from your CA.*

Technical Details:

X.509 specifies the data model for digital certificates used in TLS, S/MIME, and code-signing. A certificate contains Distinguished Name (DN) attributes, validity timestamps, the subject’s public key, optional extensions such as Subject Alternative Name (SAN), and a CA signature that binds the data to a trust hierarchy. Decoding reveals these components so you can inspect trust anchors, expiry windows, and domain coverage.

  1. Strip BEGIN/END markers and Base64-decode the body.
  2. Convert the binary DER to an ASN.1 object.
  3. Extract DN, serial, validity, and extension fields.
  4. Generate the SHA-256 fingerprint by hashing the DER bytes and formatting as colon-separated hex.

| Parameter | Meaning |
|---|---|
| CN | Common Name: primary hostname or identity. |
| Issuer CN | CA that signed the certificate. |
| Valid From / To | ISO timestamps defining the trust window. |
| Serial Number | Unique identifier assigned by the CA. |
| Signature Alg | OID of the algorithm used to sign. |
| SAN | Alternate DNS names or IP addresses. |
| SHA-256 Fingerprint | Digest uniquely identifying the certificate. |

SHA-256 fingerprint derivation:

hash(DER) = SHA-256(b₀…bₙ)

Output: 3A:91:4F:…:C7 (colon-separated hex).
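
Steps 1 and 4 of the procedure above, plus a sanity check on the DER from step 2 and a comparison against a fingerprint obtained out of band, as an added example that is not the decoder's own code. It assumes Node.js (`Buffer`, `node:crypto`); the function names and the five-byte sample are constructed for illustration, and field extraction (step 3) needs a full ASN.1 parser.

```javascript
// Added example for Node.js; not the decoder's own source.
const nodeCrypto = require('node:crypto');

// Constructed sample: a 5-byte DER SEQUENCE (30 03 02 01 05), NOT a real certificate.
const SAMPLE_PEM = [
  '-----BEGIN CERTIFICATE-----',
  'MAMCAQU=',
  '-----END CERTIFICATE-----',
].join('\n');

const PEM_RE = /^-----BEGIN CERTIFICATE-----([A-Za-z0-9+\/=\s]+)-----END CERTIFICATE-----$/;

// Step 2, sanity check only: the outer TLV must be a SEQUENCE whose declared
// length covers the buffer exactly, so truncated or padded pastes are rejected.
function checkOuterSequence(der) {
  if (der.length < 2 || der[0] !== 0x30) throw new Error('Not a DER SEQUENCE');
  let len = der[1];
  let hdr = 2;
  if (len & 0x80) {                       // long-form length: next n bytes hold it
    const n = len & 0x7f;
    if (n === 0 || n > 4 || der.length < 2 + n) throw new Error('Bad DER length');
    len = der.readUIntBE(2, n);
    hdr += n;
  }
  if (hdr + len !== der.length) throw new Error('DER length mismatch');
}

// Step 1: strip the BEGIN/END markers and Base64-decode the body to DER bytes.
function pemToDer(pem) {
  const m = PEM_RE.exec(String(pem).trim());
  if (!m) throw new Error('Input must be PEM');
  const der = Buffer.from(m[1].replace(/\s/g, ''), 'base64');
  checkOuterSequence(der);
  return der;
}

// Step 4: SHA-256 over the DER bytes (not the PEM text), uppercase hex with colons.
function fingerprint(pem) {
  const hex = nodeCrypto.createHash('sha256').update(pemToDer(pem)).digest('hex');
  return hex.toUpperCase().match(/../g).join(':');
}

// Compare with a fingerprint from the CA's record, ignoring case, colons and spaces.
function matchesPinned(pem, pinned) {
  const norm = (s) => String(s).replace(/[:\s]/g, '').toUpperCase();
  return /^[0-9A-F]{64}$/.test(norm(pinned)) && norm(fingerprint(pem)) === norm(pinned);
}
```

Because the hash covers the decoded DER bytes, the same certificate pasted with CRLF line endings or different Base64 line wrapping yields the same fingerprint.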

  • Covers only single certificates, not full chains.
  • Self-signed certificates may appear valid here but are untrusted without a root anchor.
  • Ignores revocation lists (CRL / OCSP).
  • Displays OID values verbatim; mapping to friendly names may vary.
  • PEM without correct delimiters triggers a format error.
  • DER encoded in PKCS#7 envelopes is not supported.
  • Certificates using uncommon character sets may display garbled text.
  • Large SAN arrays can exceed clipboard limits when copied as CSV.

Concept validated by ITU-T X.509 (2019), RFC 5280, and NIST SP 800-57. Digest generation follows FIPS 180-4 SHA-2 specification.

No personal data is processed; decoding occurs entirely within the user’s browser and is therefore GDPR-friendly.

Step-by-Step Guide:

Follow these actions to decode a certificate quickly:

  1. Paste the -----BEGIN CERTIFICATE----- block into the text area or upload a .pem/.crt/.cer file.
  2. Select Decode; the reactive engine parses and displays results.
  3. Switch tabs—Info, SAN, JSON—to explore specific data views.
  4. Choose Copy CSV, Download CSV, or Download JSON for offline records.
  5. If needed, tap Clear to remove all data and start again.

FAQ:

Is my data stored?

No. All parsing is client-side; nothing leaves your browser.

Can I decode DER files?

Convert DER to PEM with openssl x509 -inform DER -in cert.der -out cert.pem, then use this tool.

What if the certificate is expired?

The Valid To date will appear in red; obtain a renewed certificate from your CA before deployment.

How is the fingerprint formatted?

The digest is shown as uppercase hex octets separated by colons, matching common TLS inspection tools.

Why do I see “Input must be PEM”?

The decoder requires the BEGIN/END delimiters. Ensure you include them or select a correct file.

Glossary:

ASN.1
Abstract syntax used to define certificate structure.
CA
Certificate Authority that signs and issues certificates.
DER
Binary Distinguished Encoding Rules representation.
Fingerprint
Hash uniquely identifying a certificate instance.
SAN
Subject Alternative Name extension listing extra domains.

No data is transmitted or stored server-side.