OneWebDesk

SSL Certificate Decoder

Paste a PEM certificate to decode subject, issuer, validity and SANs.

The SSL Certificate Decoder takes an X.509 certificate in PEM format and expands its subject, issuer, validity window, subject alternative names (SAN), serial number, SHA-256 fingerprint and key details into a human-readable view. It parses the certificate text itself without connecting to any server, so you can inspect certificates that aren't deployed yet, intermediate certificates, or backups on the spot.

It's handy for confirming that a renewed certificate didn't drop any domains from its SAN list, that the validity period is what you expected, and that the issuing CA is correct. To inspect the live certificate chain on a running server, use the SSL Certificate Checker as well.

What PEM format is

PEM is a text format that Base64-encodes a certificate and wraps it in header and footer lines. Paste the entire block that starts and ends like this.

  • Start: -----BEGIN CERTIFICATE-----
  • End: -----END CERTIFICATE-----
  • If you paste a chain file with several certificates, only the first certificate at the top (usually the leaf) is decoded.

What you can read

  • Subject / Issuer: the identity (DN) the certificate was issued to and the CA that issued it.
  • Validity: the Not Before (issue) and Not After (expiry) timestamps.
  • SAN: every domain and IP this certificate protects.
  • Serial / Fingerprint: the certificate's unique identifier and SHA-256 fingerprint.
  • Key: the public-key algorithm (RSA/EC, etc.) and bit length.

How it's processed and privacy

The PEM you submit is sent to the server only to be parsed, then discarded immediately — it is never stored or cached. A public certificate is public information anyone can fetch by connecting to the server, so it isn't sensitive. However, never paste the matching private key (PRIVATE KEY) — this tool decodes certificates only. To validate the CSR you submit before a certificate is issued, use the CSR Decoder.
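
The PEM handling described above, as an added example (not OneWebDesk's own code): it selects the first CERTIFICATE block from a pasted chain, refuses input that contains a PRIVATE KEY block, and computes the SHA-256 fingerprint over the DER bytes. The function names are hypothetical and the sample data is constructed placeholder bytes, not real certificates or keys.

```python
import base64
import hashlib
import re

# Matches one PEM block: BEGIN/END lines with the same label around Base64 text.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

def first_certificate_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in pem_text.

    Refuses input containing any PRIVATE KEY block, so key material is
    never processed or forwarded to a decoder.
    """
    blocks = PEM_BLOCK.findall(pem_text)
    if any(label.endswith("PRIVATE KEY") for label, _ in blocks):
        raise ValueError("input contains a private key block; remove it")
    for label, body in blocks:
        if label == "CERTIFICATE":
            # Drop line breaks and stray whitespace, then decode strictly.
            return base64.b64decode("".join(body.split()), validate=True)
    raise ValueError("no CERTIFICATE block found")

def sha256_fingerprint(der):
    """SHA-256 over the DER encoding, formatted as colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def make_pem(label, der):
    """Wrap bytes in a PEM block with 64-character Base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

# Constructed sample data: placeholder bytes, not real certificates or keys.
LEAF_DER = b"constructed-leaf-placeholder" * 4
INTERMEDIATE_DER = b"constructed-intermediate-placeholder" * 4
CHAIN_PEM = make_pem("CERTIFICATE", LEAF_DER) + make_pem("CERTIFICATE", INTERMEDIATE_DER)
KEY_AND_CERT_PEM = make_pem("PRIVATE KEY", b"constructed-key-placeholder") + CHAIN_PEM

if __name__ == "__main__":
    # Only the first block of the chain is used, matching the behaviour above.
    print(sha256_fingerprint(first_certificate_der(CHAIN_PEM)))
```

Running the same check locally before pasting anything into a web form catches a combined key-and-certificate file before it leaves your machine.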

Frequently asked questions

Do I need to paste the private key?
No. Only the CERTIFICATE block is needed. The private key is secret and must never be pasted. This tool does not process private keys.

What happens with a chain file (multiple certificates)?
The first certificate at the top (usually the server's leaf certificate) is decoded. To inspect an intermediate or root certificate, paste that block on its own.

Does it connect to a server to check?
No. It parses only the pasted certificate text with no network access. To inspect a live certificate and chain on a running server, use the SSL Certificate Checker.

Is the certificate I paste stored?
No. It is discarded right after parsing and is not cached (no-store). A public certificate is not sensitive information anyway.

The validity dates show in UTC. Is that correct?
Yes. X.509 certificate times are recorded in UTC (GMT) by standard. Convert the displayed values to your local time zone when reading them.
