Secure Sockets Layer (SSL) Certificate Decoder

Field	Value	Copy
{{ k }}	{{ v }}
No details available.

#	DNS / IP	Copy
{{ i + 1 }}	{{ n }}
No SAN entries

Digital certificates are signed identity records that present a name and a public key from an issuer you can recognize. They help you verify who a service claims to be and show when that proof starts and ends. A compact digital certificate decoder lets you read the essentials clearly so you can decide what to trust.

Enter a certificate and get the subject, issuer, validity window, fingerprints, and alternate names in one view. You can paste text or drop a file and then review the fields and copy results for notes or tickets. For quick checks, compare the name you expect with the names listed under alternate names and confirm the dates make sense.

Use it when you have a certificate and need to inspect what it says, not when you are requesting a new one. For example, you might confirm that a server name appears in the alternate names and that the end date is after a planned go live.

Be cautious because readable details do not prove a trusted chain or revocation status, and local time displays may differ from server time. Your input stays on your device.

Technical Details:

X.509 certificates express an entity’s identity and key material over a fixed validity period. The key fields include the subject’s Common Name (CN), optional Organization (O) and Organizational Unit (OU), the issuing Certification Authority (CA), a serial number, and not‑before and not‑after timestamps. Subject Alternative Name (SAN) lists additional DNS names, IP addresses, Uniform Resource Identifiers (URI), or email addresses.

The decoder computes fingerprints and a pin that summarize the certificate for comparison. A SHA‑256 fingerprint and a SHA‑1 fingerprint are derived from the certificate’s Distinguished Encoding Rules (DER) bytes, while the Subject Public Key Info (SPKI) pin uses a SHA‑256 digest of the SPKI structure and is rendered in base64. Signature algorithms are reported by their Object Identifier (OID) with a friendly name where known.

Key Usage and Extended Key Usage flags describe what the key may do, such as digitalSignature, keyEncipherment, serverAuth, or clientAuth. Basic Constraints indicate whether the certificate can act as a CA and, when present, include a path length limit. The tool highlights these to help you spot misuse, such as a leaf certificate marked as a CA.

Results are informational and intended for inspection. They do not establish a trust chain, verify signatures against a trust store, or check revocation; use a dedicated verifier for those tasks when needed.

\begin{matrix} FP256 & = & colonize (HEX (SHA256 (DER (cert)))) \\ SPKIpin & = & BASE64 (SHA256 (DER (SPKI))) \end{matrix}

Symbols and units used in formulas
Symbol	Meaning	Unit/Datatype	Source
DER(cert)	Certificate encoded as bytes	byte string	Derived
FP256	SHA‑256 fingerprint with colons	hex string	Derived
SPKI	Subject Public Key Info structure	byte string	Derived
SPKIpin	Pin of SPKI using SHA‑256	base64	Derived
SAN	Subject Alternative Name entries	array of strings	Parsed
OID	Identifier for signature algorithm	dotted string	Parsed

Worked example. Input contains a leaf certificate with subject CN example.com, issuer CN Example CA, and a not‑after date in the future. The SHA‑256 fingerprint is computed from DER bytes, converted to upper‑case hex, and grouped with colons. SAN shows DNS: example.com and DNS: www.example.com. Key Usage lists digitalSignature, keyEncipherment; Extended Key Usage includes serverAuth. Interpretation: the names include the expected host and the validity window is current.

Processing pipeline:

Accept text or a file and detect PEM, DER, or PKCS#7.
Parse one or more certificates into a chain model.
Select a likely leaf by preferring a non‑CA entry.
Extract subject, issuer, serial, version, and validity timestamps.
Collect SAN names, Key Usage, Extended Key Usage, and Basic Constraints.
Compute SHA‑256 and SHA‑1 fingerprints from DER.
Derive SPKI pin from the public key’s SPKI section.
Map known signature OIDs to friendly names.
Render a concise Info table and a JSON payload.

Validation & bounds extracted from code:

Input validation and limits
Field	Type	Min	Max	Step/Pattern	Error Text	Placeholder / Accepts
Certificate input (textarea)	string	—	—	PEM headers or base64 `[A-Za-z0-9+/=\s]+` with length > 100	“No certificate found in input.”	`-----BEGIN CERTIFICATE-----` …
Certificate file	ArrayBuffer / text	—	—	Auto‑read as text or binary by extension/magic	“Unsupported or corrupted binary file.”; “Could not find a certificate in the file.”	Accepts `.pem`, `.crt`, `.cer`, `.der`, `.p7b`, `.p7c`
Decode action	button	—	—	Enables when input exists	“Paste a certificate or choose a file.”	—

I/O formats & encoding:

Inputs and outputs
Input	Accepted Families	Output	Encoding/Precision	Rounding
Certificate	PEM (single or chain), DER (binary or base64), PKCS#7 (PEM or DER)	Info table, SAN list, JSON payload, CSV exports	Fingerprints as upper‑case hex with colons; SPKI pin as base64	None
JSON payload	meta.detected, meta.chainCount, meta.selectedIndex; certificate object; chain array	Download or copy	Two date fields in ISO; two in local display format	None

Time & calendars:

Validity timestamps are provided as ISO strings and as localized strings using the device locale. Comparisons should account for timezone differences when scheduling cutovers.

Networking & storage behavior:

Processing is browser‑based. Clipboard and file downloads use local APIs, and no data is transmitted or stored server‑side.

Performance & determinism:

Runtime scales linearly with certificate size. Given the same input, the decoder produces identical outputs.

Security considerations:

Certificate fields are treated as data; do not trust identity without path validation.
JSON highlighting renders strings; avoid pasting hostile inputs into untrusted pages.
Fingerprints and pins are for comparison; do not substitute for full trust evaluation.
Exports are plain text; protect copies containing sensitive identifiers.

Assumptions & limitations:

Does not verify chain of trust or validate signatures.
Does not check revocation via CRL or OCSP.
Leaf selection prefers non‑CA; order is otherwise unchanged.
Recognizes SAN types: DNS, IP, URI, email only.
Signature OID to name mapping covers common algorithms, not exhaustively.
Path length is shown only when explicitly present.
Local time display may differ from server enforcement windows.
Heads‑up Base64 detection relies on character class and length threshold.
Heads‑up JSON preview is rendered with HTML spans, not escaped markup.
Heads‑up No hostname matching logic or policy advice is performed.

Edge cases & error sources:

PEM blocks with unusual headers or spacing may fail detection.
DER files with unsupported containers are rejected as corrupted.
Multiple PEM blocks are parsed; unexpected interleaving can confuse ordering.
Unknown curves or key types are summarized as “—”.
Non‑ASCII subject fields render as provided by the certificate.
Whitespace inside base64 is tolerated but binary noise is not.
Very long extension values may truncate in narrow views.
Malformed SAN entries are ignored when types do not match.
Unsigned integers with leading zeros appear exactly as encoded in hex.
Locale settings affect how local date strings appear.

Scientific & standards backing:

Behavior aligns with the X.509 public key infrastructure profile and common certificate handling practices. Fingerprints use cryptographic hash functions over DER encodings. Basic Constraints and Key Usage semantics follow the public key certificate profile. Subject Alternative Name conveys additional identities beyond the Common Name.

Privacy & compliance:

No data is transmitted or stored server‑side. Use outputs responsibly when they contain organizational identifiers or email addresses.

How‑to · Step‑by‑Step Guide

Certificate inspection produces human‑readable identity details and comparison fingerprints.

Paste the certificate text or drop a file PEM/DER/PKCS#7.
Select Decode to parse the content.
Review subject, issuer, validity dates, and fingerprints.
Open the SAN tab and confirm expected names are listed.
Copy or download Info as CSV or the full JSON as needed.
If fields look wrong, clear input and try a different source file.

Example. Expecting api.example.com? Confirm it appears in SAN and the end date is after the cutover window.

You now have the essentials to compare, archive, or escalate.

FAQ

Is my data stored?

No. Processing happens on your device and nothing is transmitted or retained server‑side.

Which formats are supported?

PEM single or chain, DER as binary or base64, and PKCS#7 in either form. Common extensions include .pem, .crt, .cer, .der, .p7b, and .p7c.

Does it verify trust or revocation?

No. It reads fields and computes fingerprints and pins. Use a trust validator to check chains, policies, and revocation.

What does “CA: true” mean?

Basic Constraints mark the certificate as allowed to issue other certificates. Leaf certificates normally show “CA: false”.

Why do some fields show a dash?

A dash indicates the field was absent in the certificate. Not all subjects include O or OU and some extensions may be missing.

Can I decode a CSR?

No. This focuses on certificates. Convert or inspect CSRs with a dedicated tool, then compare the issued certificate separately.

Is offline use supported?

Yes. Once loaded, decoding is local. Clipboard and file downloads also operate locally.

How accurate are fingerprints and pins?

They are deterministic for a given input. Comparing two independently derived values is a reliable equality test.

Why is the issuer the same as the subject?

That indicates a self‑signed certificate, typical for roots or some lab setups. Trust depends on where it is installed.

Troubleshooting

Nothing happens after Decode — ensure you pasted a full PEM block.
“No certificate found” — remove extra text around the PEM headers.
Binary file rejected — try the matching extension or the PEM form.
Missing SAN — check if the certificate includes the SAN extension.
Fingerprints differ — confirm you compared the same certificate file.
Dates look off — compare the ISO timestamps, not the localized strings.
Odd characters — subjects may include non‑ASCII; this is normal.

Blocker: “Unsupported or corrupted binary file.” Try the PEM export from your source, or re‑download without transformations.

Advanced Tips

Tip Compare SPKI pins across reissues to detect silent key changes.
Tip Keep a CSV snapshot of Info before and after rotations for audits.
Tip Look for serverAuth in Extended Key Usage when inspecting server endpoints.
Tip Use the serial number to correlate with issuance logs and change tickets.
Tip Confirm CA is false for leaf certificates deployed on endpoints.
Tip When SAN lists wildcards, verify the exact hostname still matches policy.

Glossary

Certificate: Signed identity and public key with validity dates.
Subject: Entity the certificate describes, often a host name.
Issuer: Authority that signed and issued the certificate.
Common Name (CN): Primary name historically used for matching.
Subject Alternative Name (SAN): List of additional identities such as DNS or IP.
Fingerprint: Hash of DER bytes used for equality checks.
SPKI pin: Base64 digest of the public key info block.
Key Usage: Flags that constrain allowed key operations.
Basic Constraints: Indicates CA capability and optional path length.
Object Identifier (OID): Dotted code naming an algorithm or extension.
PEM: Text form with header and base64 body.
DER: Binary encoding of ASN.1 structures.
PKCS#7: Container that can hold a certificate chain.