X.509 Certificate Decoder
Paste a PEM certificate and inspect every field. Private-by-default — nothing leaves your browser.
Paste a PEM-encoded X.509 certificate below. Parsing happens entirely in your browser — nothing is uploaded.
How to Extract a Certificate from a Live Server
openssl s_client -connect example.com:443 -servername example.com </dev/null \
  | openssl x509 -outform PEM
Copy the output (from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----)
and paste it into the decoder above.
What the Fields Mean
- Subject: Identifies the entity the certificate was issued to. The Common Name (CN) is legacy — modern browsers only trust the Subject Alternative Names.
- Issuer: The Certificate Authority that signed the certificate. For leaf certs, this is an intermediate CA, not the root.
- Validity: The certificate is only valid between Not Before and Not After. SC-081v3 is capping this at 47 days by 2029.
- Fingerprint: A SHA-256 hash of the entire DER-encoded certificate. Used for certificate pinning and identification.
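The fingerprint is taken over the DER bytes, not the PEM text, so line wrapping and CRLF differences in the pasted PEM do not change it. The following is an added example, not this decoder's own code: the function names are hypothetical, and the sample PEM is a constructed placeholder whose body decodes to the bytes "abc", not a real certificate.

```javascript
// Added example: SHA-256 fingerprint of a PEM certificate, computed over its DER bytes.
const { createHash, timingSafeEqual } = require('node:crypto');

const PEM_BLOCK = /-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/g;

// Return the DER bytes of every CERTIFICATE block in the input, in order
// (a chain file or `s_client -showcerts` output can hold several).
function pemToDer(pemText) {
  const ders = [];
  for (const m of pemText.matchAll(PEM_BLOCK)) {
    const b64 = m[1].replace(/\s+/g, ''); // drop line wraps, CR/LF, indentation
    if (!/^[A-Za-z0-9+/]+={0,2}$/.test(b64) || b64.length % 4 !== 0) {
      throw new Error('malformed base64 in certificate block');
    }
    ders.push(Buffer.from(b64, 'base64'));
  }
  if (ders.length === 0) throw new Error('no CERTIFICATE block found');
  return ders;
}

// Colon-separated upper-case hex, the form `openssl x509 -fingerprint -sha256` prints.
function fingerprint(der) {
  const hex = createHash('sha256').update(der).digest('hex').toUpperCase();
  return hex.match(/../g).join(':');
}

// Compare the first (leaf) certificate against a pinned fingerprint.
// The pin may be written with or without colons, in either case.
function matchesPin(pemText, pinned) {
  const want = Buffer.from(pinned.replace(/[^0-9a-fA-F]/g, ''), 'hex');
  const got = createHash('sha256').update(pemToDer(pemText)[0]).digest();
  return want.length === got.length && timingSafeEqual(want, got);
}

// Constructed placeholders, NOT real certificates: both bodies decode to "abc".
const SAMPLE_LF = '-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n';
const SAMPLE_CRLF =
  '  -----BEGIN CERTIFICATE-----\r\n  YW\r\n  Jj\r\n  -----END CERTIFICATE-----\r\n';

console.log(fingerprint(pemToDer(SAMPLE_LF)[0]));
// Same DER bytes, different PEM layout: the fingerprints are identical.
console.log(fingerprint(pemToDer(SAMPLE_CRLF)[0]) === fingerprint(pemToDer(SAMPLE_LF)[0]));
```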
Related Tools
- CSR Decoder — Decode a Certificate Signing Request.
- SSL Chain Checker — Verify a live server’s certificate chain.