SSL Certificate Decoder: how to read a certificate

A short guide to decoding an X.509 certificate — what each field means, how to spot expiry and hostname problems, and why it's safe to do in your browser.

What this tool does

The SSL Certificate Decoder reads an X.509 certificate in PEM format and lays out its contents in plain language: who it's for, who issued it, when it's valid, which hostnames it covers, the key details, and its fingerprints. The parsing is done entirely in your browser with a bundled crypto library.

How to use it

  1. Open the Certificate Decoder.
  2. Paste the certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines (or press Load sample).
  3. Click Decode and read the breakdown.

To grab a live site's certificate on the command line, run the following and paste the PEM output here:

    echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509

Reading the fields

  • Common Name / Subject — who the certificate identifies.
  • Issuer — the certificate authority that signed it.
  • Valid from / to — the lifetime; the banner flags expired or soon-to-expire certificates.
  • Subject Alternative Names — the hostnames it actually covers; browsers match on these, not the Common Name.
  • Public key — algorithm and size (e.g. RSA 2048-bit).
  • Fingerprints — SHA-1 and SHA-256 hashes used to identify or pin the exact certificate.

Common checks

  • Confirming a certificate hasn't expired (or won't soon).
  • Checking the right hostnames are in the SAN list.
  • Verifying you installed the certificate you expected by matching the fingerprint.
  • Identifying the issuing CA when debugging trust errors.
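
The same checks can be scripted with the openssl CLI. This is an added example, not part of the decoder tool: it generates a constructed self-signed certificate whose Common Name is deliberately left out of the SAN list, then runs the expiry, hostname and fingerprint checks against it. The `*.example.test` names, the 10-day lifetime, the 30-day warning window and the function names are assumptions.

```shell
#!/bin/sh
# Added example: the guide's "Common checks" done with the openssl CLI.
# Assumptions: OpenSSL 1.1.1 or newer; all *.example.test names, the 10-day
# lifetime and the 30-day warning window are constructed for illustration.

# Create a constructed self-signed certificate whose CN is NOT in its SAN list.
make_sample_cert() {   # $1 = output directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 10 \
    -subj "/CN=legacy.example.test" \
    -addext "subjectAltName=DNS:example.test,DNS:www.example.test" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Succeeds if the certificate expires within $2 days (or already has).
expires_within() {     # $1 = cert, $2 = days
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" |
    grep -q 'will expire'
}

# Succeeds if hostname $2 matches the certificate; DNS SANs override the CN.
covers_host() {        # $1 = cert, $2 = hostname
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Prints the SHA-256 fingerprint as lowercase hex without colons.
sha256_fp() {          # $1 = cert
  openssl x509 -in "$1" -noout -fingerprint -sha256 |
    cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# Succeeds if fingerprint $2 (any case, with or without colons) matches $1's.
fp_matches() {         # $1 = cert, $2 = expected fingerprint
  [ "$(sha256_fp "$1")" = "$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')" ]
}

WORK=$(mktemp -d) && trap 'rm -rf "$WORK"' EXIT
make_sample_cert "$WORK" && CERT="$WORK/cert.pem"

openssl x509 -in "$CERT" -noout -subject -issuer -dates -ext subjectAltName
expires_within "$CERT" 30 && echo "WARN: expires within 30 days"
for h in example.test www.example.test legacy.example.test; do
  covers_host "$CERT" "$h" && echo "covered: $h" || echo "NOT covered: $h"
done
echo "sha256: $(sha256_fp "$CERT")"
```

The fingerprint is the hash of the certificate's DER encoding, so it does not change with PEM line wrapping, and normalising case and colons before comparing avoids false mismatches between tools.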

Your certificate stays private

Certificates are public by nature, but this tool still parses everything locally — nothing is uploaded — so it's equally safe for internal or pre-issuance certificates.

FAQ

Is my certificate uploaded?

No — it's parsed entirely in your browser.

What is PEM?

The Base64 text format between BEGIN/END CERTIFICATE lines that servers and CAs provide.

What are SANs?

Subject Alternative Names — the hostnames the certificate is valid for.
