Skip to content
Kordu Tools Kordu Tools

SSL Certificate Decoder

Runs in browser

Paste any PEM-encoded SSL/TLS certificate and instantly decode all X.509 fields: subject, issuer, validity, SANs, key usage, fingerprints, and more.

Last updated 08 Apr 2026

Decode any PEM certificate and view all X.509 fields: subject and issuer DN, validity dates, Subject Alternative Names (SANs), key usage, public key info, SHA-256 and SHA-1 fingerprints, and more. Supports full certificate chains. All decoding happens in your browser — nothing is sent to any server.

Paste a PEM certificate above to decode it
Loading rating…

How to use

  1. 1

    Get your PEM certificate

    Copy the PEM certificate text from your .crt or .pem file, your server configuration, a browser's certificate viewer, or your CA's dashboard. It starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.

  2. 2

    Paste the certificate

    Paste the full PEM text including the BEGIN and END header lines into the text area. You can paste an entire certificate chain (multiple certificates) and each one will be decoded separately.

  3. 3

    Read the decoded fields

    The tool instantly shows all decoded fields: subject, issuer, validity dates, SANs, key usage, public key info, and SHA-256/SHA-1 fingerprints.

  4. 4

    Copy individual fields

    Click the Copy button next to any section to copy the decoded values to your clipboard for use in scripts, configuration, or documentation.

Frequently asked questions

What is a PEM certificate?
PEM (Privacy Enhanced Mail) is the most common format for SSL/TLS certificates. It's a Base64-encoded DER certificate wrapped in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- headers. PEM files typically have .pem, .crt, or .cer extensions.
What is the difference between this tool and an SSL checker?
An SSL checker looks up the live certificate installed on a domain by connecting to it over the network. This decoder works offline — you paste the raw PEM text and it decodes the certificate without making any network requests. Use this tool when you have the certificate file itself and want to inspect its contents.
What are Subject Alternative Names (SANs)?
SANs are the list of hostnames, IP addresses, and other identities that a certificate is valid for. Modern certificates use SANs instead of (or in addition to) the Common Name (CN). For example, a certificate for example.com might list example.com, www.example.com, and api.example.com as SANs.
How do I get the SHA-256 fingerprint of a certificate?
Paste the PEM certificate into this tool and the SHA-256 fingerprint is shown in the Fingerprints section. Fingerprints are a hash of the entire certificate — they uniquely identify the certificate and are used to verify you have the correct one.
Can I decode a certificate chain?
Yes. Paste multiple PEM certificates concatenated together (as they appear in a certificate bundle or intermediate chain file) and each one is decoded separately with labels showing its position in the chain.
What is Key Usage?
Key Usage is an X.509 extension that defines what the certificate's public key can be used for. Common values include Digital Signature (signing data), Key Encipherment (encrypting symmetric keys), Certificate Sign (signing other certificates), and CRL Sign (signing certificate revocation lists).
Is any data sent to a server?
No. Certificate decoding happens entirely in your browser using the Web Crypto API and the @peculiar/x509 library. Your certificate data is never transmitted anywhere.
What is the difference between a leaf, intermediate, and root certificate?
A leaf (end-entity) certificate is the one issued directly to your domain. Intermediate certificates are issued by the root CA and used to sign leaf certificates. Root certificates are self-signed and trusted by browsers directly. When you paste a chain, this tool labels each certificate's position.

SSL Certificate Decoder parses any PEM-encoded X.509 certificate and

displays every field in a readable, structured format. Paste the certificate

text (including the BEGIN/END headers) and the tool instantly shows the

complete subject and issuer distinguished names (DN), validity period, all

Subject Alternative Names (SANs), key usage flags, extended key usage, public

key algorithm and size, and SHA-256/SHA-1 fingerprints.

This tool is different from an SSL checker that looks up a live domain —

here you paste the raw certificate PEM text and decode it entirely offline.

No network request is made. This is useful when you have a certificate file

(.crt, .pem, .cer) and need to inspect its contents before deploying it,

verify it matches a private key, check expiry, or confirm the SANs include

the right hostnames.

Certificate chains are supported: paste multiple PEM certificates concatenated

together and each one is decoded separately, with position labels showing

which is the leaf, intermediate, and root certificate.

All processing uses the browser's native Web Crypto API plus the open-source

@peculiar/x509 library. Nothing leaves your browser.

Related tools

SSL Certificate Checker

Check SSL/TLS certificate validity, issuer, expiry, and SANs for any domain via Certificate Transparency logs.

JWT Decoder

Decode and inspect JWT tokens — view header, payload, claims, and expiry status without sending data to any server.

Base64 Encoder/Decoder

Encode text or files to Base64 or decode Base64 strings back to plain text — real-time, fully in your browser.

Password Generator

Generate cryptographically secure passwords with custom length (8–128), character sets, entropy display, and exclude-ambiguous option. Runs in your browser.