SSL/TLS Certificate Decoder
Paste a PEM certificate to extract the subject, issuer, validity period, serial number, SHA-256 fingerprint, and more — all in your browser.
Frequently Asked Questions
What is a PEM certificate?
PEM (Privacy Enhanced Mail) is the most common format for SSL/TLS certificates. It is a Base64-encoded DER (Distinguished Encoding Rules) certificate wrapped between a -----BEGIN CERTIFICATE----- line and an -----END CERTIFICATE----- line. Web servers, load balancers, and most TLS tools use PEM files.
What fields does this tool extract?
The decoder extracts the Subject Common Name (CN), Issuer Common Name (CN), validity period (Not Before / Not After), serial number, SHA-256 fingerprint, certificate type (self-signed vs CA-signed), and a hex dump of the first 64 DER bytes. All parsing is done in pure JavaScript using a minimal ASN.1 DER parser.
What does self-signed mean?
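A self-signed certificate is one where the Subject (the entity the cert belongs to) is the same as the Issuer (who signed it). Strictly, matching Subject and Issuer names only show that the certificate is self-issued; confirming that it is self-signed means verifying its signature with its own public key. Self-signed certs are common for internal use and development but are not trusted by browsers without manual installation. CA-signed certificates are issued by a trusted Certificate Authority.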
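The parsing steps described in the two answers above (PEM to DER, then a minimal ASN.1 walk to the serial number, names and validity, plus the Subject/Issuer comparison), as an added JavaScript example that is not this tool's own code. The sample certificate is constructed, with a placeholder key and signature; all function names are assumptions, and the SHA-256 fingerprint step is left out.

```javascript
// Constructed sample: certificate-shaped DER, hex per field. The key and
// signature are placeholders, so it parses but can never verify.
const NAME = "3017" + "3115" + "3013" + "0603550403" + "0c0c" + "746573742e6578616d706c65"; // CN=test.example
const ALG = "300a06082a8648ce3d040302"; // AlgorithmIdentifier: ecdsa-with-SHA256
const TBS = "3069" + "a003020102" + "02021234" + ALG + NAME + "301e" +
  "170d3234303130313030303030305a" + "170d3235303130313030303030305a" + NAME + "3000";
const DER_HEX = "308182" + TBS + ALG + "0309" + "00".repeat(9);
const SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + btoa(DER_HEX.replace(/../g,
  (h) => String.fromCharCode(parseInt(h, 16)))) + "\n-----END CERTIFICATE-----\n";
function pemToDer(pem) {
  const m = /-----BEGIN CERTIFICATE-----([\s\S]+?)-----END CERTIFICATE-----/.exec(pem);
  if (!m) throw new Error("no CERTIFICATE block found");
  return Uint8Array.from(atob(m[1].replace(/\s+/g, "")), (c) => c.charCodeAt(0));
}
// Read one tag-length-value; supports short and long (0x81..0x84) lengths.
function readTlv(buf, pos, limit = buf.length) {
  let len = buf[pos + 1], start = pos + 2;
  if (len & 0x80) {
    const n = len & 0x7f;
    if (n === 0 || n > 4) throw new Error("unsupported DER length");
    for (len = 0; start < pos + 2 + n; start++) len = len * 256 + buf[start];
  }
  // The negated form also rejects NaN, which reads past the buffer produce.
  if (!(start + len <= limit)) throw new Error("truncated or malformed DER");
  return { tag: buf[pos], start, end: start + len };
}
function children(buf, node) {
  const out = [];
  for (let p = node.start; p < node.end; p = out[out.length - 1].end) out.push(readTlv(buf, p, node.end));
  return out;
}
const hex = (buf, n) => Array.from(buf.subarray(n.start, n.end), (b) => b.toString(16).padStart(2, "0")).join("");
const text = (buf, n) => new TextDecoder().decode(buf.subarray(n.start, n.end)); // ASCII/UTF-8 string types only
// First commonName (OID 2.5.4.3, encoded as 55 04 03) in a Name, or null.
function commonName(buf, name) {
  for (const atv of children(buf, name).flatMap((rdn) => children(buf, rdn))) {
    const [oid, val] = children(buf, atv);
    if (hex(buf, oid) === "550403") return text(buf, val);
  }
  return null;
}
function decodeCertificate(pem) {
  const der = pemToDer(pem);
  const f = children(der, children(der, readTlv(der, 0))[0]); // TBSCertificate fields
  const i = f[0].tag === 0xa0 ? 1 : 0; // skip the optional [0] version
  const [notBefore, notAfter] = children(der, f[i + 3]).map((t) => text(der, t));
  return { serial: hex(der, f[i]), notBefore, notAfter,
    issuerCN: commonName(der, f[i + 2]), subjectCN: commonName(der, f[i + 4]),
    selfIssued: hex(der, f[i + 2]) === hex(der, f[i + 4]) }; // names match; signature not checked
}
```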
Is it safe to paste my certificate here?
Yes. All decoding runs entirely in your browser, and no data is sent to any server. SSL certificates are public by design; unlike private keys, a certificate can be safely shared. You can verify this by disabling your network connection: the tool will still work.
How do I get the PEM from my server?
Using OpenSSL on the command line:
openssl s_client -connect example.com:443 -showcerts </dev/null | openssl x509 -outform PEM
Alternatively, on Linux/macOS your certificates are often found at /etc/ssl/certs/ or /etc/letsencrypt/live/. In Nginx/Apache configs, the ssl_certificate or SSLCertificateFile directive points to the PEM file.