Is my certificate sent to a server?

No. All decoding runs in your browser using JavaScript (node-forge). Your certificate data never leaves your device.

What format does the certificate need to be in?

Paste the PEM-encoded certificate, which starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----. DER (binary) format is not supported directly — convert it to PEM first with: openssl x509 -inform DER -in cert.der -out cert.pem

How do I get the PEM certificate from my server?

Run: openssl s_client -connect yourdomain.com:443 -showcerts /dev/null | openssl x509 -outform PEM — then copy the output.

What is a Subject Alternative Name (SAN)?

SANs list all the domain names (and IP addresses) the certificate is valid for. A wildcard SAN like *.example.com covers one subdomain level. Modern certificates use SANs rather than the CN field to specify covered domains.

What does "Days Until Expiry" mean?

It shows how many days remain before the certificate expires. A negative number means the certificate has already expired. Browsers will show security warnings for expired certificates.

Why is SHA-1 flagged as weak?

SHA-1 is a deprecated signature algorithm. Major browsers have distrusted SHA-1 certificates since 2017. If your certificate uses SHA-1, you should request a new one using SHA-256 or stronger.

SSL Certificate Decoder

Name: SSL Certificate Decoder
Availability: InStock
Author: Nham Vu

Paste a PEM certificate to decode its subject, issuer, SANs, validity dates, serial number, and key info — all client-side.

PEM Certificate

How to get your certificate:

openssl s_client -connect example.com:443 </dev/null 2>/dev/null | openssl x509 -outform PEM

No certificate decoded yet

Paste a PEM certificate on the left and click Decode

Copied!

Summary

Paste a PEM certificate to decode its subject, issuer, SANs, validity dates, serial number, and key info — all client-side.

How it works

Copy the PEM certificate (the -----BEGIN CERTIFICATE----- block) from your server or browser.
Paste it into the text area on this page.
Click "Decode Certificate" to parse the X.509 structure using the node-forge library in your browser.
Review the decoded fields: subject, issuer, SANs, validity dates, and more.
All parsing happens locally — your certificate data never leaves your device.

Use cases

Verify a newly issued certificate before deploying it to production.
Confirm the Subject Alternative Names cover all required domains.
Check expiry dates on certificates that are approaching renewal.
Inspect issuer chain details for troubleshooting SSL handshake errors.
Audit certificate serial numbers for compliance records.
Validate the signature algorithm meets current security standards (e.g., SHA-256).
Quickly read a certificate downloaded from a vendor or partner.

Frequently Asked Questions

Last updated: 2026-06-09 · Reviewed by Nham Vu