X.509 Certificate Decoder

Paste a PEM certificate (the block that starts with -----BEGIN CERTIFICATE-----) to read its subject, issuer, validity dates, Subject Alternative Names, key, and SHA-256 fingerprint. Everything is decoded in your browser, so it is safe to paste internal, staging, or client certificates that should never be uploaded to a website.

PEM certificate (or a full chain)

What a certificate holds, and what this does and does not check

What is inside an X.509 certificate

A certificate (defined by RFC 5280) is a signed statement that binds a public key to an identity. The signed part, called the tbsCertificate, carries the version, a serial number, the signature algorithm, the issuer name, a validity window (notBefore and notAfter), the subject name, the subject's public key, and a set of extensions. All of it is encoded in ASN.1 DER, a compact binary format, which is then base64-wrapped between the BEGIN and END lines to make the PEM text you paste here.

The subject, the issuer, and the chain

The subject is who the certificate is for, and the issuer is the certificate authority that signed it. If the two names match, it is self-signed (common for internal and development certificates). On the public web a certificate usually chains up through one or more intermediate certificates to a root the operating system already trusts. You can paste several BEGIN CERTIFICATE blocks at once and each is decoded and stacked, which is handy for inspecting a full chain a server returned.

Subject Alternative Names

Modern clients match the hostname against the Subject Alternative Name extension (SAN), not the legacy subject Common Name. A certificate can list many dNSName entries, including wildcards like *.example.com, so one certificate covers several hosts. This tool decodes the dNSName entries; a SAN can also carry IP addresses and other name types, which are noted but not the focus here.

Expiry

The notAfter date is when the certificate stops being valid. This page reads it and shows the days remaining, flagging anything already expired or inside the last 30 days. A short window is worth a closer look, but renewal automation often replaces certificates close to the edge, so an approaching date is a prompt to check rather than proof of a problem.

It decodes, it does not validate trust

This is a structural decoder, not a trust checker. It reads what the certificate claims about itself. It does not verify the issuer's signature, does not walk the chain to a trusted root, does not check revocation (CRL or OCSP), and does not confirm the key matches a private key. A certificate can decode cleanly here and still be untrusted, revoked, or wrong for a given host. To check live trust, use your browser's certificate viewer or a server-side validator. The SHA-256 fingerprint shown is computed over the full DER and is the value most tools use to pin or compare a certificate.