DevToolbox

SSL Certificate Decoder

Paste a PEM-encoded certificate to decode and inspect its fields — subject, issuer, validity, serial number, signature algorithm, key info, and extensions.

About This Tool

The SSL Certificate Decoder parses PEM-encoded X.509 certificates entirely in your browser and displays their contents in a structured, readable format. X.509 certificates are the foundation of TLS/SSL security on the web — every HTTPS connection relies on them to establish trust between clients and servers. This tool lets you quickly inspect any certificate without installing OpenSSL or other command-line utilities.

When you paste a PEM certificate (the text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers), the tool decodes the Base64 content into DER format and parses the underlying ASN.1 structure. It extracts the subject and issuer distinguished names, validity period with expiration status, serial number, signature algorithm, public key details (algorithm, size, and curve for EC keys), and all X.509v3 extensions including Subject Alternative Names (SANs), Key Usage, Basic Constraints, and more.

The tool also computes SHA-256 and SHA-1 thumbprints of the certificate using the Web Crypto API — useful for pinning or verification. Need to verify a hash value you already have? Use our Hash Generator to compute digests for any text or file. If your certificate is part of a JWT-based authentication flow, our JWT Decoder can help you inspect the tokens signed with the certificate's key.

All parsing and decoding happens client-side using JavaScript's built-in atob() function and the Web Crypto API for thumbprint computation. Your certificate data is never sent to any server, making this tool safe for inspecting production certificates, private CA certificates, and any other sensitive cryptographic material.

How to Use

  1. Paste your PEM-encoded certificate into the text area. The certificate must include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers.
  2. The certificate is automatically parsed and decoded. Review the subject, issuer, and validity information displayed in color-coded cards.
  3. Check the status badges at the top for a quick summary: certificate version, algorithm, validity status, and whether it is self-signed.
  4. Scroll down to view technical details including serial number, public key info, and SHA-256/SHA-1 thumbprints.
  5. Review the Extensions section for X.509v3 extensions such as Subject Alternative Names, Key Usage, and Basic Constraints.
  6. Click Copy or press Ctrl+Shift+C to copy the decoded certificate fields as JSON.
  7. Click Sample to load an example certificate and explore the tool's output.

FAQ

Is my data safe?

Yes. All certificate parsing runs entirely in your browser using JavaScript. No data is sent to any server, and nothing is logged or stored. This makes it safe to decode production certificates and private CA certificates.

What certificate formats are supported?

This tool supports PEM-encoded X.509 certificates. PEM is the most common format and uses Base64 encoding between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers. If you have a DER (binary) certificate, you need to convert it to PEM first using a tool like OpenSSL: openssl x509 -inform der -in cert.der -out cert.pem

Can I decode certificate chains?

Currently, the tool decodes the first certificate found in the input. If you paste a chain (multiple certificates), only the first one is parsed. To inspect each certificate in a chain, paste them one at a time.

What is a self-signed certificate?

A self-signed certificate is one where the subject and issuer are the same entity — the certificate is signed by its own private key rather than by a Certificate Authority (CA). Self-signed certificates are commonly used for development, testing, and internal services.

How are the thumbprints calculated?

The SHA-256 and SHA-1 thumbprints are computed by hashing the entire DER-encoded certificate using the Web Crypto API. These thumbprints uniquely identify a certificate and are commonly used for certificate pinning and verification.

What are X.509 extensions?

X.509v3 extensions add additional information to a certificate beyond the basic fields. Common extensions include Subject Alternative Name (SAN) for listing additional domain names, Key Usage for specifying allowed cryptographic operations, Basic Constraints for indicating whether the certificate is a CA, and Authority Information Access for OCSP and CA issuer URLs.

Related Tools

JWT Decoder

Decode JSON Web Tokens to inspect header, payload, and verify signatures.

Hash Generator

Generate MD5, SHA-1, SHA-256, and SHA-512 hashes for text and files.

RSA Key Pair Generator

Generate RSA key pairs (2048/3072/4096-bit) in PEM format using the Web Crypto API. Entirely in-browser.

HMAC Generator

Generate HMAC signatures using MD5, SHA-1, SHA-256, SHA-384, and SHA-512 with hex or Base64 output.

Encryption Playground

Experiment with AES-GCM, AES-CBC, and RSA-OAEP encryption. Step-by-step visualization of the encryption process.