SSL Certificate Decoder
Paste a PEM-encoded SSL certificate and instantly view its subject, issuer, validity dates, public key, fingerprint, and more. Fully client-side.
About SSL Certificate Decoder
An X.509 certificate contains a lot of information packed into a Base64-encoded block of ASN.1 data. This decoder parses PEM-encoded certificates directly in your browser and displays every important field in a readable format - subject, issuer, validity dates, public key details, signature algorithm, and SHA-256 fingerprint.
What the Decoder Shows
Paste a PEM certificate (the block between BEGIN CERTIFICATE and END CERTIFICATE) and the tool extracts all key fields:
| Field | What It Contains | Example |
|---|---|---|
| Version | X.509 version (almost always v3) | v3 |
| Serial Number | Unique identifier assigned by the CA | 04:E3:5C:7F:... (hex) |
| Signature Algorithm | Algorithm used to sign the certificate | SHA256withRSA, SHA384withECDSA |
| Issuer | The Certificate Authority that issued it | CN=Let's Encrypt R3, O=Let's Encrypt |
| Subject | Who the certificate was issued to | CN=example.com |
| Not Before | When the certificate became valid | 2025-01-15T00:00:00Z |
| Not After | When the certificate expires | 2025-04-15T23:59:59Z |
| Public Key | Key type, size, and algorithm | RSA 2048-bit, EC P-256 |
| SHA-256 Fingerprint | Hash of the entire certificate (DER form) | A1:B2:C3:D4:... (hex) |
A colour-coded banner shows whether the certificate is currently valid (green), expired (red), or not yet valid (amber). A visual timeline bar shows where today falls between the issue and expiry dates.
How the Decoder Works Internally
The decoding process happens entirely in your browser using JavaScript and the Web Crypto API:
| Step | What Happens |
|---|---|
| 1. Strip PEM headers | Remove the BEGIN/END CERTIFICATE lines and any whitespace |
| 2. Base64 decode | Convert the Base64 string to raw binary bytes (DER format) |
| 3. Parse ASN.1 | Walk the DER-encoded ASN.1 structure (TLV - Tag, Length, Value) |
| 4. Extract fields | Read each field from the TBSCertificate sequence |
| 5. Map OIDs | Convert numeric OIDs to human-readable names (e.g., 2.5.4.3 = Common Name) |
| 6. Compute fingerprint | Hash the raw DER bytes with SHA-256 using Web Crypto API |
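Steps 3 to 6 of the table, as an added example that is not the tool's own source code. It assumes steps 1 and 2 are already done and narrows field extraction to one field, a DER Name (the structure behind Subject and Issuer). The function names, the two-entry OID table and the sample bytes are constructed for illustration.

```javascript
const OID_NAMES = { '2.5.4.3': 'CN', '2.5.4.10': 'O' }; // tiny illustrative subset

// Step 3: read one TLV at pos (short- and long-form lengths, bounds-checked).
function readTlv(der, pos) {
  let len = der[pos + 1], hdr = 2;
  if (len & 0x80) {
    const n = len & 0x7f; // count of length bytes; 0 means indefinite, invalid in DER
    if (n === 0 || n > 4) throw new Error('unsupported length encoding');
    hdr += n;
    len = der.subarray(pos + 2, pos + hdr).reduce((a, b) => a * 256 + b, 0);
  }
  const end = pos + hdr + len;
  if (!(end <= der.length)) throw new Error('TLV runs past end of input'); // NaN fails too
  return { tag: der[pos], value: der.subarray(pos + hdr, end), end };
}
// Step 5: OID content bytes -> dotted string (base-128 arcs).
function decodeOid(bytes) {
  const arcs = [];
  let v = 0;
  for (const b of bytes) {
    v = v * 128 + (b & 0x7f);
    if (!(b & 0x80)) { arcs.push(v); v = 0; } // high bit clear: last byte of this arc
  }
  const a = Math.min(Math.floor(arcs[0] / 40), 2); // first value is 40 * arc1 + arc2
  return [a, arcs[0] - 40 * a, ...arcs.slice(1)].join('.');
}
// Step 4, narrowed to one field: DER Name -> "CN=..., O=...".
function parseName(der) {
  const name = readTlv(der, 0), parts = [];
  if (name.tag !== 0x30) throw new Error('expected SEQUENCE');
  for (let p = 0; p < name.value.length;) {
    const set = readTlv(name.value, p), atv = readTlv(set.value, 0); // SET { SEQUENCE }
    const oid = readTlv(atv.value, 0), str = readTlv(atv.value, oid.end);
    const id = decodeOid(oid.value);
    parts.push((OID_NAMES[id] || id) + '=' + new TextDecoder().decode(str.value));
    p = set.end;
  }
  return parts.join(', ');
}
// Step 6: SHA-256 over raw DER bytes (pass the whole certificate) via Web Crypto.
async function fingerprint(der) {
  const d = new Uint8Array(await crypto.subtle.digest('SHA-256', der));
  return Array.from(d, b => b.toString(16).padStart(2, '0').toUpperCase()).join(':');
}
// Constructed sample, not a real certificate: DER Name with CN and O attributes.
const rdn = (arc, s) => [0x31, s.length + 9, 0x30, s.length + 7, 6, 3, 0x55, 4, arc,
  0x0c, s.length, ...new TextEncoder().encode(s)]; // ASCII-only values assumed
const SAMPLE_DER = new Uint8Array([0x30, 44, ...rdn(3, 'example.com'), ...rdn(10, 'Example Org')]);
console.log(parseName(SAMPLE_DER));
```

The bounds check in readTlv matters for any decoder that accepts pasted input: a length field that claims more bytes than are present is rejected instead of being read past the end of the buffer.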
Common Certificate Types
| Type | Validation Level | What the CA Verifies | Visual Indicator |
|---|---|---|---|
| DV (Domain Validated) | Basic | Applicant controls the domain (via DNS or HTTP challenge) | Padlock only |
| OV (Organisation Validated) | Medium | Domain control + organisation identity verified | Padlock, org name in certificate details |
| EV (Extended Validation) | High | Domain + org + legal entity verified through rigorous process | Padlock, org name visible in some browsers |
| Wildcard | Varies (usually DV) | Same as base type, covers *.example.com | Same as base type |
| Multi-domain (SAN) | Varies | Multiple domains listed in Subject Alternative Names | Same as base type |
Certificate Validity Periods
Certificate lifespans have been getting shorter over the years to improve security. Shorter validity periods mean compromised certificates expire faster and certificate revocation becomes less critical.
| Certificate Source | Typical Validity | Renewal Method |
|---|---|---|
| Let's Encrypt | 90 days | Automated via ACME protocol (certbot, acme.sh) |
| Commercial CA (DV/OV) | 1 year (398 days max) | Manual or automated renewal through the CA |
| Self-signed | Custom (often 1-10 years) | Manual regeneration |
| Internal / Private CA | Custom (often 2-5 years) | Depends on organisation policy |
The CA/Browser Forum set the maximum validity for publicly trusted certificates at 398 days (roughly 13 months) in 2020. Google has proposed reducing this further to 90 days, which would make automation essential for all websites.
Signature Algorithms
The signature algorithm determines how the certificate's integrity is verified. Modern certificates use one of these algorithms:
| Algorithm | Key Type | Common Key Sizes | Status |
|---|---|---|---|
| SHA256withRSA | RSA | 2048, 4096 bits | Current standard, widely supported |
| SHA384withRSA | RSA | 3072, 4096 bits | Higher security, slightly slower |
| SHA256withECDSA | EC (P-256) | 256 bits (equivalent to RSA 3072) | Modern, faster, smaller certificates |
| SHA384withECDSA | EC (P-384) | 384 bits | High security, used by some government CAs |
| SHA1withRSA | RSA | Various | Deprecated - browsers reject SHA-1 certificates |
ECDSA certificates are gaining popularity because they offer equivalent or better security than RSA with much smaller key sizes, resulting in faster TLS handshakes. Let's Encrypt now offers ECDSA certificates by default.
How to Get a Certificate for Decoding
If you want to decode a certificate from a live website, you can extract it using the command line:
| Method | Command / Steps |
|---|---|
| OpenSSL (command line) | openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null \| openssl x509 -outform PEM |
| Browser (Chrome/Firefox) | Click the padlock icon, then Connection is secure, then Certificate is valid, then Details tab, then Export/Copy |
| From a file | Open the .pem or .crt file in a text editor and copy the entire block including BEGIN/END lines |
For decoding Base64 strings outside of certificates, try the Base64 encoder and decoder. If you need to verify data integrity with hashes, the hash generator supports SHA-256 and other algorithms. All processing happens in your browser - your certificate data never leaves your device.
Frequently Asked Questions
What is a PEM certificate?
PEM is a text format for storing certificates, keys, and other cryptographic data. It starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----. The data between the headers is base64-encoded DER (binary certificate data).
Is my certificate data sent to a server?
No. This tool parses the certificate entirely in your browser using JavaScript. Nothing is uploaded or stored anywhere. You can disconnect from the internet and it will still work.
How do I get the PEM certificate for a website?
In most browsers, click the padlock icon in the address bar, view the certificate details, and export it as PEM. You can also use the command line with openssl s_client -connect example.com:443 to retrieve the certificate chain.
What does the SHA-256 fingerprint mean?
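The fingerprint is a hash of the entire certificate in binary (DER) form. It uniquely identifies the certificate and is used to verify that the certificate has not been tampered with: any change to the certificate bytes produces a different fingerprint. In practice, two different certificates will not share the same SHA-256 fingerprint, because finding a SHA-256 collision is computationally infeasible.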
Can this decode certificate chains or private keys?
This tool decodes a single X.509 certificate. It does not parse private keys (BEGIN PRIVATE KEY) or full certificate chains. If you paste a chain, only the first certificate will be parsed.