Certificate Decoder
Decode a PEM-encoded X.509 SSL/TLS certificate: subject, issuer, validity, SANs, and fingerprints.
Overview
Subject Alternative Names
Details
Fingerprints
About this tool
Paste a PEM certificate (the block between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) to see who it was issued to and by, when it expires, which domains it covers (Subject Alternative Names), the public key algorithm, and its SHA-256/SHA-1 fingerprints.
Everything is decoded in your browser with a built-in ASN.1/DER parser — the certificate is never uploaded anywhere.
Frequently asked questions
Is it safe to paste a production certificate here?+
Yes — a certificate is public by design; it is handed to every client during the TLS handshake, and decoding happens locally anyway. What you must never paste anywhere is the private key (-----BEGIN PRIVATE KEY-----).
What is the difference between PEM and DER?+
DER is the raw binary encoding; PEM is the same bytes wrapped in Base64 with BEGIN/END markers so it survives copy-paste. This tool reads PEM.
Why does the browser still distrust a certificate that looks valid here?+
Validity dates and fields being correct is not enough — browsers also verify the signature chain up to a trusted root CA. A self-signed or wrongly-chained certificate decodes fine but fails trust. This tool decodes the single certificate you paste; it does not validate the chain.
What are fingerprints used for?+
A fingerprint is the hash of the whole certificate — a quick identity check. Use it to confirm the deployed certificate matches the one you issued, or for certificate pinning configs.