X.509 Certificate Decoder

Decode an X.509 certificate to its subject, issuer, validity, SANs, key details, and fingerprints — parsed in your browser.

The X.509 Certificate Decoder parses your certificate and computes its SHA-1 and SHA-256 fingerprints entirely in your browser. The PEM or DER you paste never leaves your device and nothing is uploaded to ArrayKit.

Open the Certificate & Key Matcher

About X.509 Certificate Decoder

The X.509 Certificate Decoder turns a raw certificate into the details you need to trust or debug it. Paste a PEM block, or DER supplied as base64 or hex, and it lays out the subject and issuer distinguished names, the notBefore/notAfter window with a clear valid, expiring, or expired status, the serial number, every Subject Alternative Name (DNS, IP, email, URI), the key usage and extended key usage purposes, the signature algorithm, and the public-key type and size (RSA bits or EC curve). It also computes the SHA-1 and SHA-256 fingerprints so you can compare against a known thumbprint. Built for developers and SREs verifying TLS certificates, mismatched chains, and expiring endpoints. Parsing and fingerprinting happen on your device — the certificate you paste is never uploaded.

Features

How to use the X.509 Certificate Decoder

  1. Copy a certificate in PEM form (-----BEGIN CERTIFICATE-----) or DER as base64/hex
  2. Paste it into the input box
  3. Read the decoded subject, issuer, validity, SANs, and key details
  4. Copy the SHA-256 fingerprint to compare against an expected thumbprint

Example

Input

-----BEGIN CERTIFICATE-----
MIIDWjCCAkKgAwIBAgIGChssPU5f...
-----END CERTIFICATE-----

Output

Subject:   CN=example.com, O=Example Inc, C=US
Validity:  2024-01-01 → 2025-01-01 (valid)
SANs:      DNS example.com, DNS www.example.com, IP 127.0.0.1
Key:       RSA 2048-bit · SHA256withRSA
SHA-256:   FA:5D:BB:50:F9:9E:1A:55:...

A PEM certificate decoded into subject, validity, SANs, key, and fingerprint.

Common errors & troubleshooting

Frequently asked questions

What certificate formats can this decoder read?
It reads PEM certificates (the Base64 block between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) and raw DER bytes supplied as base64 or hex. It decodes leaf, intermediate, and root certificates the same way.
How do I tell if a certificate has expired?
The decoder shows the notBefore and notAfter dates and a status badge: valid inside the window, expiring soon when fewer than 30 days remain, and expired once notAfter has passed. It also shows how many days are left.
Where do the Subject Alternative Names come from?
They come from the certificate's SAN extension. The tool lists each entry with its type — DNS hostname, IP address, email, or URI — which is what browsers actually match against the address you visit.
What are the SHA-1 and SHA-256 fingerprints for?
A fingerprint is a hash of the entire certificate, so it uniquely identifies that exact cert. You compare it against a value published by a CA or your monitoring to confirm you are looking at the right certificate.
Can it decode an Elliptic Curve certificate, not just RSA?
Yes. For RSA it reports the modulus size in bits; for EC it reports the named curve such as P-256 or P-384. The signature algorithm (for example SHA256withRSA or SHA256withECDSA) is shown separately.
Is the certificate I paste sent to a server?
No. The X.509 Certificate Decoder parses the certificate and computes its fingerprints entirely in your browser using the Web Crypto API. The PEM or DER you paste stays on your device.

Related tools

All ArrayKit tools