X.509 Certificate Decoder
Decode an X.509 certificate to its subject, issuer, validity, SANs, key details, and fingerprints — parsed in your browser.
The X.509 Certificate Decoder parses your certificate and computes its SHA-1 and SHA-256 fingerprints entirely in your browser. The PEM or DER you paste never leaves your device and nothing is uploaded to ArrayKit.
About X.509 Certificate Decoder
The X.509 Certificate Decoder turns a raw certificate into the details you need to trust or debug it. Paste a PEM block, or DER supplied as base64 or hex, and it lays out the subject and issuer distinguished names, the notBefore/notAfter window with a clear valid, expiring, or expired status, the serial number, every Subject Alternative Name (DNS, IP, email, URI), the key usage and extended key usage purposes, the signature algorithm, and the public-key type and size (RSA bits or EC curve). It also computes the SHA-1 and SHA-256 fingerprints so you can compare against a known thumbprint. Built for developers and SREs verifying TLS certificates, mismatched chains, and expiring endpoints. Parsing and fingerprinting happen on your device — the certificate you paste is never uploaded.
Features
- Accepts PEM certificates or DER supplied as base64 or hex
- Shows subject and issuer distinguished names and the serial number
- Displays the validity window with valid, expiring-soon, or expired status
- Lists every Subject Alternative Name — DNS hosts, IPs, emails, and URIs
- Decodes key usage and extended key usage into readable purposes
- Reports the signature algorithm and public-key type and size (RSA bits or EC curve)
- Computes SHA-1 and SHA-256 fingerprints locally with the Web Crypto API
- Flags self-signed and CA certificates at a glance
How to use the X.509 Certificate Decoder
- Copy a certificate in PEM form (-----BEGIN CERTIFICATE-----) or DER as base64/hex
- Paste it into the input box
- Read the decoded subject, issuer, validity, SANs, and key details
- Copy the SHA-256 fingerprint to compare against an expected thumbprint
Example
Input
-----BEGIN CERTIFICATE-----
MIIDWjCCAkKgAwIBAgIGChssPU5f...
-----END CERTIFICATE-----
Output
Subject: CN=example.com, O=Example Inc, C=US
Validity: 2024-01-01 → 2025-01-01 (valid)
SANs: DNS example.com, DNS www.example.com, IP 127.0.0.1
Key: RSA 2048-bit · SHA256withRSA
SHA-256: FA:5D:BB:50:F9:9E:1A:55:...
A PEM certificate decoded into subject, validity, SANs, key, and fingerprint.
Common errors & troubleshooting
- The decoder says the input is not valid Base64. — Paste the whole PEM block including the BEGIN/END lines, or if you have DER bytes, paste them as clean base64 or hex without extra characters.
- It reports 'This does not look like an X.509 certificate.' — You may have pasted a private key, a CSR, or a PKCS#12 file. This tool decodes certificates only — extract the certificate first, or use the matching tool for keys and CSRs.
- The validity shows expired but the site still loads in a browser. — You may be decoding an intermediate or root certificate rather than the leaf, or a cached copy. Decode the exact certificate the server presents for the hostname.
- The SHA-256 fingerprint does not match the one your monitoring shows. — Fingerprints are computed over the whole DER-encoded certificate, so a different fingerprint means a different certificate. Confirm you copied the correct one, not a renewed or re-issued cert.
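The first two errors above come down to input normalisation and a DER shape check. The sketch below is an added example, not ArrayKit's code: the function names are hypothetical and the sample values are constructed skeletons rather than real certificates. A CSR has the same outer shape as a certificate, so this sketch only excludes it by its PEM label.

```javascript
// Added example: function names are hypothetical; both samples are constructed DER skeletons.
const SAMPLE_CERT_SHAPE = '30:0A:30:03:02:01:01:30:00:03:01:00'; // Base64 form: MAowAwIBATAAAwEA
const SAMPLE_KEY_SHAPE = '3006020100020101'; // SEQUENCE of two INTEGERs, as a key file starts

function toDerBytes(input) {
  const text = input.trim();
  const pem = text.match(/-----BEGIN ([A-Z0-9 ]+)-----([\s\S]*?)-----END \1-----/);
  if (pem && pem[1] !== 'CERTIFICATE') throw new Error(`PEM block is ${pem[1]}, not a certificate`);
  const body = (pem ? pem[2] : text).replace(/\s+/g, '');
  const hex = body.replace(/:/g, '');
  // Bare DER may arrive as hex (colons tolerated); PEM bodies are always Base64.
  if (!pem && /^[0-9a-fA-F]+$/.test(hex) && hex.length % 2 === 0) {
    return Uint8Array.from(hex.match(/../g), (h) => parseInt(h, 16));
  }
  if (!/^[A-Za-z0-9+\/]+={0,2}$/.test(body) || body.length % 4 !== 0) throw new Error('not valid Base64 or hex');
  return Uint8Array.from(atob(body), (c) => c.charCodeAt(0));
}

// Read one DER TLV header at pos (definite lengths of up to 4 bytes).
function readTlv(der, pos) {
  if (pos + 2 > der.length) throw new Error('truncated DER');
  const tag = der[pos];
  let len = der[pos + 1];
  let start = pos + 2;
  if (len & 0x80) {
    const n = len & 0x7f;
    if (n === 0 || n > 4 || start + n > der.length) throw new Error('bad DER length');
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + der[start + i];
    start += n;
  }
  if (start + len > der.length) throw new Error('truncated DER');
  return { tag, start, end: start + len };
}

// Certificate = SEQUENCE { SEQUENCE tbs, SEQUENCE sigAlg, BIT STRING sig }, no trailing bytes.
function looksLikeCertificate(der) {
  try {
    const outer = readTlv(der, 0);
    if (outer.tag !== 0x30 || outer.end !== der.length) return false;
    const tags = [];
    for (let pos = outer.start; pos < outer.end; ) {
      const child = readTlv(der, pos);
      tags.push(child.tag);
      pos = child.end;
    }
    return tags.join() === '48,48,3'; // 0x30, 0x30, 0x03
  } catch { return false; }
}
```

Because all three input forms reduce to the same DER bytes, a fingerprint computed over those bytes does not depend on how the certificate was pasted.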
Frequently asked questions
- What certificate formats can this decoder read?
  It reads PEM certificates (the Base64 block between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) and raw DER bytes supplied as base64 or hex. It decodes leaf, intermediate, and root certificates the same way.
- How do I tell if a certificate has expired?
  The decoder shows the notBefore and notAfter dates and a status badge: valid inside the window, expiring soon when fewer than 30 days remain, and expired once notAfter has passed. It also shows how many days are left.
- Where do the Subject Alternative Names come from?
  They come from the certificate's SAN extension. The tool lists each entry with its type — DNS hostname, IP address, email, or URI — which is what browsers actually match against the address you visit.
- What are the SHA-1 and SHA-256 fingerprints for?
  A fingerprint is a hash of the entire certificate, so it uniquely identifies that exact cert. You compare it against a value published by a CA or your monitoring to confirm you are looking at the right certificate.
- Can it decode an Elliptic Curve certificate, not just RSA?
  Yes. For RSA it reports the modulus size in bits; for EC it reports the named curve such as P-256 or P-384. The signature algorithm (for example SHA256withRSA or SHA256withECDSA) is shown separately.
- Is the certificate I paste sent to a server?
  No. The X.509 Certificate Decoder parses the certificate and computes its fingerprints entirely in your browser using the Web Crypto API. The PEM or DER you paste stays on your device.
Related tools
- Certificate & Private Key Matcher — Confirm an X.509 certificate or CSR and a private key belong together (the classic modulus mismatch check) — locally in your browser.
- PFX to PEM Extractor — Open a password-protected .pfx/.p12 file and split it into certificate, chain, and private-key PEM blocks.
- SSH Key Generator — Generate Ed25519, RSA or ECDSA SSH keypairs in your browser and download the public and private keys.
- JWT Decoder — Decode JWT header & payload and inspect exp / iat (no verification).
- Hash Generator — SHA-256 / SHA-1 / SHA-384 / SHA-512 via the Web Crypto API.
- CSP Header Generator — Build a Content-Security-Policy header from directive toggles, with report-only and copy output.