What is SSL Certificate Decoder?

SSL Certificate Decoder parses PEM-encoded X.509 certificates and shows every field — subject, issuer, validity dates, SANs, key usage, and fingerprints. Use it to debug HTTPS issues or verify certificate details before deployment.

The decoder strips the PEM headers, base64-decodes the payload, and walks the X.509 ASN.1 structure to extract every field — subject DN, issuer DN, serial, validity window, public key parameters, signature algorithm, key usage extensions, EKU, SANs, basic constraints, and SHA-1/SHA-256 fingerprints. No data leaves the page, which matters when the cert chain includes internal hostnames you don't want logged on a third-party site.

How to use

  1. Paste a PEM-encoded certificate (the text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----).
  2. View the decoded fields: subject, issuer, serial number, validity period, SANs, and key details.
  3. Check expiration status and copy individual fields or the full decoded output.

When to use

  • Verifying a freshly issued cert covers every domain in the SAN list before deploying.
  • Debugging an HTTPS handshake failure by comparing the actual cert against expected fingerprints.
  • Auditing an internal CA chain for weak signature algorithms or unsafe key usage flags.

Result

A DevOps engineer receives a new wildcard certificate for *.example.com. They paste the PEM here to verify the SANs include all expected domains, confirm the expiry date is 1 year out, and check the signature algorithm is SHA-256.

FAQ

Does the certificate or its contents leave my browser?
No. Parsing runs locally — no network request is made when you click decode. This matters if your certificate exposes internal hostnames (intranet.acme.local) or a private CA name that you don't want appearing in third-party server logs.
What's the difference between SHA-1 and SHA-256 fingerprints?
Both are hashes of the full DER-encoded certificate. SHA-1 is the older 160-bit fingerprint many tools still display; SHA-256 is the modern 256-bit one. They identify the same certificate — use whichever your monitoring tool expects.
How do I tell if a cert is self-signed?
Compare the Subject and Issuer fields. If they match exactly, the certificate is self-signed (it signed itself). Browsers won't trust self-signed certs by default — they're fine for internal services where you control the trust store, but not for public sites.
Why does my cert say 'Not Yet Valid'?
The current time falls before the certificate's notBefore date. Either the CA dated the cert in the future, or your local clock is wrong. Check your system time first — a few hours of drift often breaks HTTPS in CI containers and embedded devices.
What does the Key Usage field mean?
It restricts which operations the public key may be used for. 'Digital Signature' and 'Key Encipherment' are typical for TLS server certs. 'CRL Sign' and 'Certificate Sign' mark a CA. If a server cert has CA flags, something is misconfigured and clients may refuse it.
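
The decoding steps described at the top of this page (PEM headers stripped, payload base64-decoded, ASN.1 structure walked), together with the fingerprint and Subject/Issuer answers in the FAQ, as an added Python example that is not the tool's own code. All function names are assumptions of this example, and sample_pem builds a constructed certificate skeleton with placeholder algorithm, validity and signature fields.

```python
import base64, hashlib, re

def pem_to_der(pem):
    """Strip the PEM header/footer and base64-decode the payload to DER."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:              # DER forbids indefinite length (n == 0)
            raise ValueError("unsupported length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("element runs past end of input")
    return tag, pos, pos + length

def children(value):
    """Yield (tag, full_encoding, value) for each element packed in value."""
    pos = 0
    while pos < len(value):
        tag, start, end = read_tlv(value, pos)
        yield tag, value[pos:end], value[start:end]
        pos = end

def summarize(pem):
    der = pem_to_der(pem)
    tbs = next(children(next(children(der))[2]))   # Certificate -> tbsCertificate
    fields = [f for f in children(tbs[2]) if f[0] != 0xA0]  # skip optional [0] version
    serial, _sig_alg, issuer, _validity, subject = fields[:5]
    return {"sha1": hashlib.sha1(der).hexdigest(),  # fingerprints hash the whole DER blob
            "sha256": hashlib.sha256(der).hexdigest(), "serial": serial[2].hex(),
            "issuer_equals_subject": issuer[1] == subject[1]}  # byte-exact Name compare

def _tlv(tag, body):                     # builder for the constructed sample only
    assert len(body) < 0x80              # short-form lengths are enough for the sample
    return bytes([tag, len(body)]) + body

def sample_pem(issuer_cn, subject_cn):
    name = lambda cn: _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01\xf4") + _tlv(0x30, b"")
               + name(issuer_cn) + _tlv(0x30, b"") + name(subject_cn))
    der = _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"
```

The issuer_equals_subject flag is the name comparison from the FAQ; confirming that the signature also verifies under the certificate's own public key requires a cryptographic library and is outside this example.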
