Decode a PEM Certificate

What Is a PEM Certificate?

PEM (Privacy-Enhanced Mail) is the most common encoding format for SSL/TLS certificates. A PEM file is simply a Base64-encoded DER certificate wrapped between two distinctive header and footer lines:

-----BEGIN CERTIFICATE-----
MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQEL
BQAwTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5
...
-----END CERTIFICATE-----

The BEGIN CERTIFICATE and END CERTIFICATE markers tell parsers where the certificate data starts and ends. Everything between these markers is a Base64 representation of the binary DER-encoded ASN.1 structure.

What Decoding Reveals

When you decode a PEM certificate, you extract all the embedded X.509 fields:

• Subject — the entity the certificate was issued to (domain name, organization)
• Issuer — the Certificate Authority (CA) that signed the certificate
• Validity Period — Not Before and Not After timestamps
• Public Key — the RSA, ECDSA, or Ed25519 public key
• Serial Number — a unique identifier assigned by the CA
• Extensions — Subject Alternative Names, Key Usage, Basic Constraints, and more

Decoding with OpenSSL

The standard command-line approach uses OpenSSL:

openssl x509 -in certificate.pem -text -noout

This prints all fields in a human-readable format. The -noout flag suppresses printing the raw Base64 again.

Common PEM File Extensions

PEM certificates may appear with several file extensions: .pem, .crt, .cer, or even .txt. The extension does not change the encoding — what matters is the BEGIN CERTIFICATE header. Some files bundle multiple certificates (a certificate chain) in a single PEM file, one after another.

Why Decode Certificates?

Decoding lets you verify that a certificate matches your domain, check the expiration date before it causes outages, confirm the issuing CA, and inspect extensions like Subject Alternative Names to see which domains are covered.