SSL Certificate Decoder

Parse and display SSL/TLS certificate details from PEM data.

SSL Certificate Decoder — What It Does

Paste any PEM-encoded X.509 certificate and instantly decode all its fields: subject name, issuer and CA chain, validity period (issue and expiry dates), public key algorithm and key size, Subject Alternative Names (SANs), key usage extensions, and serial number. All decoding happens in your browser — your certificate data never leaves your machine.

How to Get Your PEM Certificate

  • From a server file — Copy contents of /etc/ssl/certs/your-cert.pem or /etc/letsencrypt/live/domain/cert.pem
  • From a live server — echo | openssl s_client -connect example.com:443 | openssl x509 -out cert.pem
  • From a PKCS#12 (.p12/.pfx) file — openssl pkcs12 -in cert.p12 -clcerts -nokeys | openssl x509
  • From a browser — Click the padlock icon → View Certificate → export or copy the PEM

Key Certificate Fields Explained

  • CN (Common Name) — The primary domain the certificate was issued for
  • SAN (Subject Alternative Names) — All domains covered, including wildcards
  • Not Before / Not After — The validity window. Check this to diagnose expiry issues.
  • Key Size — RSA 2048-bit is the minimum; 4096-bit or ECDSA P-256 is recommended
  • Signature Algorithm — SHA-256 or higher is required; SHA-1 is deprecated

Common SSL Certificate Issues

  • Expired certificate — Check "Not After" date. Set up auto-renewal with Let's Encrypt certbot or ACME.
  • Name mismatch — The domain in the URL must appear in CN or SAN fields. Check for missing www or subdomain.
  • Incomplete chain — Intermediate CA certificates must be bundled with your certificate. Missing intermediates cause trust errors on some clients.
  • Wrong key usage — Certificates issued for code signing cannot be used for TLS and vice versa.

Frequently Asked Questions

What information is stored in an SSL/TLS certificate?
An X.509 certificate contains: the subject (domain/organization it was issued to), the issuer (Certificate Authority that signed it), the validity period (not before / not after dates), the public key and algorithm, Subject Alternative Names (SANs — additional domains covered), key usage extensions, and a digital signature from the CA.
What is PEM format and how do I get my certificate in PEM format?
PEM (Privacy Enhanced Mail) is the most common certificate encoding format — a base64-encoded DER certificate wrapped between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" markers. You can export PEM from most servers: nginx and Apache store certs as PEM files. Use openssl x509 -in cert.der -inform DER -out cert.pem to convert from DER format.
How do I check if an SSL certificate is expired?
Paste the PEM certificate into this decoder to see the "Not After" (expiry) date highlighted. From the command line: openssl x509 -enddate -noout -in cert.pem. Or for a live server: echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -enddate.
What are Subject Alternative Names (SANs)?
SANs are additional domain names covered by a single certificate. Modern certificates must list all covered domains in the SAN extension — browsers no longer use the Common Name (CN) for hostname verification. A wildcard SAN like *.example.com covers all immediate subdomains (api.example.com, www.example.com) but not nested ones (a.b.example.com).
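
The wildcard rule above, and the name-mismatch issue listed earlier, as an added example (not code from this tool): a JavaScript check of a hostname against a certificate's SAN list. The function names and the sample SAN list are constructed, and rejecting wildcards with fewer than two literal labels after `*` is an assumption of this example.

```javascript
// Added example: SAN hostname matching. CN is deliberately never consulted.
// Function names and the sample SAN list are constructed for illustration.

// Normalise a DNS name: lower-case it and drop one trailing dot.
function normalise(name) {
  return name.toLowerCase().replace(/\.$/, "");
}

// True if a single SAN dNSName entry covers the hostname.
function sanEntryMatches(pattern, hostname) {
  const p = normalise(pattern).split(".");
  const h = normalise(hostname).split(".");
  // Reject malformed hostnames (empty labels, or a literal "*").
  if (h.some((label) => label === "" || label.includes("*"))) return false;
  // A wildcard stands for exactly one label, so label counts must agree.
  // This is why *.example.com covers neither example.com nor a.b.example.com.
  if (p.length !== h.length) return false;
  if (p[0] === "*") {
    // Assumption: require two literal labels after "*", so "*.com" is rejected.
    if (p.length < 3) return false;
    return p.slice(1).every((label, i) => label === h[i + 1]);
  }
  // No leftmost wildcard: every label must match exactly.
  return p.every((label, i) => label === h[i]);
}

// Check a hostname against the whole SAN list and report which entries matched.
function checkHostname(sanList, hostname) {
  const matchedBy = sanList.filter((san) => sanEntryMatches(san, hostname));
  return { hostname, ok: matchedBy.length > 0, matchedBy };
}

// Constructed SAN list, as it might be copied from the decoder output.
const sampleSans = ["example.com", "*.example.com"];
const sampleHosts = ["example.com", "www.example.com", "API.example.com",
                     "a.b.example.com", "example.org"];
for (const host of sampleHosts) {
  const r = checkHostname(sampleSans, host);
  const verdict = r.ok ? "covered by " + r.matchedBy.join(", ") : "NAME MISMATCH";
  console.log(`${host}: ${verdict}`);
}
```
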
What is the difference between DV, OV, and EV certificates?
DV (Domain Validated) — the CA verifies only that you control the domain. Fast and cheap, used for most websites. OV (Organization Validated) — the CA also verifies your organization identity. EV (Extended Validation) — the highest level, requiring thorough legal and operational vetting. All three use the same encryption strength — they differ only in identity verification.