What is an SSL certificate?

SSL certificate is a digital document that verifies website identity and enables encrypted connections. It contains: domain name, issuer (CA), validity dates, public key, and signature. Certificates create trust for HTTPS connections.

How do I check if a certificate is valid?

Check: valid date range (not expired), matches the domain name, issued by trusted CA, proper chain of trust, and correct key usage. Expired or mismatched certificates cause browser warnings and connection failures.

What's certificate chain of trust?

Certificate chain: root CA (trusted by browsers) -> intermediate CA -> server certificate. Each certificate signs the next. Browsers trust root CAs directly. Missing intermediates break the chain and cause trust errors.

Certificate Decoder - Decode SSL/TLS Certificates

Certificate (PEM format)

Decode X.509 SSL/TLS certificates to view issuer, subject, validity, public key info, and fingerprints. Works entirely in your browser - your data stays private.

What is SSL Certificate Decoder?

SSL Certificate Decoder extracts and displays all information from X.509 SSL/TLS certificates in PEM format. Certificates contain issuer identity, subject details, validity dates, public key information, extensions, and fingerprints. Decoding helps verify certificate authenticity, check expiration, inspect certificate chain, and troubleshoot SSL/TLS connection issues.

How to Use

Paste certificate in PEM format (-----BEGIN CERTIFICATE-----)
Click Decode to parse certificate
View basic info: version, serial, algorithm, validity
Inspect issuer and subject details
Check public key and fingerprint hashes
Review extensions and certificate constraints

Why Use This Tool?

Decode X.509 certificates without OpenSSL

View complete certificate details in readable format

Check validity period and expiration status

Verify issuer and subject identity

Copy fingerprints for certificate pinning

Inspect extensions (key usage, SAN, constraints)

Tips & Best Practices

PEM format starts with -----BEGIN CERTIFICATE-----
Check validity dates before deploying certificates
SHA-256 fingerprint preferred for pinning
Critical extensions must be understood by client
Subject Alternative Name (SAN) lists valid domains
Certificate chain requires decoding each certificate

Frequently Asked Questions

What is PEM format?

PEM (Privacy Enhanced Mail) is Base64-encoded certificate with header -----BEGIN CERTIFICATE----- and footer -----END CERTIFICATE-----. Most certificates from Certificate Authorities (Let's Encrypt, DigiCert) come in PEM format. It's text-based, portable, and widely supported.

What information does a certificate contain?

Version (usually 3), serial number (unique identifier), signature algorithm (SHA256-RSA), issuer (CA that signed it), validity dates, subject (entity certified), public key (RSA/ECDSA), extensions (key usage, SAN, constraints), and fingerprints (SHA-1, SHA-256 hashes).

What are certificate fingerprints?

Fingerprints are unique hashes of certificate content. SHA-1 (20 bytes) and SHA-256 (32 bytes) fingerprints identify certificates. Used for certificate pinning in mobile apps, verifying certificate authenticity, and matching certificates in logs or databases.

What are critical extensions?

Critical extensions must be processed and understood by the certificate validator. If a client doesn't recognize a critical extension, it must reject the certificate. Basic Constraints and Key Usage are typically critical. Non-critical extensions can be ignored safely.

How do I check if a certificate is expired?

Check Valid From and Valid To dates. The tool shows validity status (valid/invalid). Certificates expire after Valid To date. Most browsers reject expired certificates. Renew certificates before expiration (Let's Encrypt: 90 days, commercial: 1-2 years).

Can I decode certificate chains?

Yes - paste each certificate in the chain separately. Certificate chains include server certificate, intermediate certificates, and root CA. Each certificate in the chain has different issuer/subject. Verify chain完整性 by matching subject-to-issuer links.

Certificate Decoder